Analysis

  • max time kernel
    82s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2025 23:29

General

  • Target

    https://bazaar.abuse.ch/download/c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07/

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----

All of your files have been encrypted

Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.

What can I do to get my files back?

You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $1,500. Payment can be made in Bitcoin only.

How do I pay, where do I get Bitcoin?

Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable:

Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com

Payment information
Amount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bazaar.abuse.ch/download/c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07/
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8cc2246f8,0x7ff8cc224708,0x7ff8cc224718
      2⤵
      PID:4860
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      2⤵
      PID:224
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:220
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
      2⤵
      PID:1488
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      2⤵
      PID:3324
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      2⤵
      PID:4584
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
      2⤵
      PID:2484
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
      2⤵
      PID:3424
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
      2⤵
      PID:1112
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3532
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5792 /prefetch:8
      2⤵
      PID:3460
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      2⤵
      PID:432
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,1269284710957878385,4483789333469342137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3720
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2728
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1496
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4476
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07\" -ad -an -ai#7zMap18798:190:7zEvent20928
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3680
  • C:\Users\Admin\Downloads\c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07\c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.exe
    "C:\Users\Admin\Downloads\c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07\c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4484
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4392
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        PID:448
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1644
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3176
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        PID:2620
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2440
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2816
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:1152
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2520
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3216
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4872
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4120
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1880
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4796

Network

MITRE ATT&CK Enterprise v15

Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      0a9dc42e4013fc47438e96d24beb8eff

                                      SHA1

                                      806ab26d7eae031a58484188a7eb1adab06457fc

                                      SHA256

                                      58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

                                      SHA512

                                      868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      61cef8e38cd95bf003f5fdd1dc37dae1

                                      SHA1

                                      11f2f79ecb349344c143eea9a0fed41891a3467f

                                      SHA256

                                      ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                                      SHA512

                                      6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                      Filesize

                                      240B

                                      MD5

                                      67859552e2307bfcf543971036817bb4

                                      SHA1

                                      a73627493bb212a9934c329a3c74b4f1fd62b80b

                                      SHA256

                                      a9fba0a4bdfe7f9b435547b00edd31a34a6c8204b1f7e4cdd1988251a0e330f3

                                      SHA512

                                      844d4e09ad85e441ee93901c6d38037bee19b9cf876a3ae1a046eecbfd1165019f0b8512571a553b20da52814bdd3f3a6a1dd34c0751e0ee0aa099fc1cf3f30b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      533B

                                      MD5

                                      f7489e0d8ef97b7adcb4094f507b2cb5

                                      SHA1

                                      6bd7c0e5e2c822df1cc004a6273cec71290d9ea4

                                      SHA256

                                      8b2ea60986b0966e5bb7cd4d2de5b9e863417017e45d405a431530503f0f2824

                                      SHA512

                                      70ab0cbc38a2c884ac1098ec3cd9d7e23090b03a658f03a43a6fcc69147b1af1f55fceffb20c93b5d2c9d246bf7d0f52405229c97a39207015e1f27bd99cbc09

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      08f1b305ad2a54affb6cb21cb10886eb

                                      SHA1

                                      3ed4990966e790bd496c473ea7fed7c07f4f365b

                                      SHA256

                                      f44d82e3620c7375a0df522873a930b5d9c9ba516697010bb36a7fdbe2718cf2

                                      SHA512

                                      16461a8a3e3c30d8b5a5f87c16a708c272f39187dde43a2f219770fe7a0f219cb2367ee142f6fc6d94752778130289c2c05b77962ff92be689c0eb40edfa5905

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      1162b69e968f08acc42e54777331d046

                                      SHA1

                                      80e801090b856d30eb85f271d352b668f0a2f9e0

                                      SHA256

                                      982dbd1fcda23849e9b4cc7e62301f1a84aafec121a3dd199ef1ab2e140e5f1a

                                      SHA512

                                      1bd8f5289f0002854a5b71cb2ea0da69a0e16e1ba1984e347fbe02f5fbe676592df42554c01a2f3f6a2ee17ebb28e0af853e1aa16c26b24e515688c37f19a879

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      2ddee21c023d2176d4c5ef46c666afd5

                                      SHA1

                                      2f672222354fb5caf524141d32552ca9e20eb731

                                      SHA256

                                      5c3700741251e680238ae71df1ef67fcf030c05dc0a8c48b20659d89fb4ce57f

                                      SHA512

                                      5e2cd0f0d104552d3838623df81d93405ba864302fb283e1c98e90ea972b2578e55a104ac75556e296e0f6a2362f82a5590c7dacc3781f0a5b7d2cc897227657

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      44f6d896ea6d7c40cd6b2ecb46499623

                                      SHA1

                                      1b5bd4f9c0026bd10f7bfad11eeb44af52a479f4

                                      SHA256

                                      6f91e31a89d6e77b1aee72a123055039c8b9b9208837abfc76c9dc219213acde

                                      SHA512

                                      c1ad504ee6ecdbb58f626c9af3fe9af43d0348c5256b280d0b6e6df79e02e6fafb37bafe68c9f1a4a6b25692683a272fc5ce19e044bc0a7141371f79e9c92e1a

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                      Filesize

                                      1KB

                                      MD5

                                      049cbd522506206a12508ba9a16cdb99

                                      SHA1

                                      7eca2b685bed3e432594bbd6c34b153b7bfdee6e

                                      SHA256

                                      1e783289c8f0c358b3256b13e8fae655660942e5e7d1221855e34ef95ad20528

                                      SHA512

                                      7d16555d17703b17f80b4e0355c20df4f8f44b1798c8b58345280efff9373f9c4fb203829dc3da6e2f72e14e113e2386721dd49e68c307690194c06f4ce8f425

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d91a.TMP

                                      Filesize

                                      1KB

                                      MD5

                                      7eb150f6a22110c01976d9a2ec566970

                                      SHA1

                                      c04ea1d1d608c332699513930eea5ab7380719b2

                                      SHA256

                                      244f8074f6d1c3c54e9464ac062924be845e67e022e8d87f52553641168659b6

                                      SHA512

                                      786b87c7f6144a0902546cae57de39130ffa3f85a997bd430046e53be7f564f78641c18580be80b869497670f565b7b6fcbd41445b296e16e40c937b09af9229

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      10KB

                                      MD5

                                      1afb1095e586a3fbcaf79952b17bcc6c

                                      SHA1

                                      2117094ff4547dc5bcd0470d371fab874854d04b

                                      SHA256

                                      38129d69012f182f1c67a250c8f8297819de18e3fb49aacddf25b40d23677df0

                                      SHA512

                                      63042d89f94248f731626a5ab041fdaa79d677300a3bfa19e809e32d38d50ea6a70221cae847047c3c45ba24c4a19a113833417fc266a9e92d39721d8a2902ad

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      10KB

                                      MD5

                                      b8d67ebe81b3a5f40895dde72302802f

                                      SHA1

                                      524d54d35c7dd7fb749dc545fec3c704b285195e

                                      SHA256

                                      8685561ff493c30de3ed44026bf29e6599c9b871cd3985c8dc2245a92bdf198b

                                      SHA512

                                      53c9f0b88738457f6368b96e366af309578f1858e5b8a3a03c4c00f842bb821b05cb6e5fabc18e02a73f44062951cc778849a265a81c18a81f6d217c7f1d1f5d

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c2542137-4514-4667-9505-8c10dd0eb75e.tmp

                                      Filesize

                                      10KB

                                      MD5

                                      b8153221f841c10f3dd1a50f6ec24875

                                      SHA1

                                      7ff3d78286e81b25566e1f40d52d0aa96e9a6632

                                      SHA256

                                      6a1c26d6865256f81fa905dca69b15173b23045fa9296aab5df9f005c83f9592

                                      SHA512

                                      c6525aeb19d916ea0a5f332bbb151e1efeaa4fa3bf81c08abdb2480e6f4c6b684cd847a9bcfd941e95b5221d5b68ce2cbca43ddb6bdb53c44689ea89b39fcb3d

                                    • C:\Users\Admin\Documents\read_it.txt

                                      Filesize

                                      964B

                                      MD5

                                      4217b8b83ce3c3f70029a056546f8fd0

                                      SHA1

                                      487cdb5733d073a0427418888e8f7070fe782a03

                                      SHA256

                                      7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

                                      SHA512

                                      2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

                                    • C:\Users\Admin\Downloads\c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.zip

                                      Filesize

                                      15KB

                                      MD5

                                      496a4873cd17b9e09a81100f6d24107f

                                      SHA1

                                      1d714a3a0b3e2919b1dc6048cda5a898208b2db1

                                      SHA256

                                      33165bb4146d93ce9c188dc5af7ab75d8d321f3a312663ed20b9b20867caf84a

                                      SHA512

                                      20857d61f4af2ba3e7212d5339952ed3fd11f807bd704373820ae636266049402d4900c0333178ee20209983b0d4fea148938036c3a0151939e54834e96bf292

                                    • C:\Users\Admin\Downloads\c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07\c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.exe

                                      Filesize

                                      89KB

                                      MD5

                                      77bd76f4e4b9481432022ab3b10c89c0

                                      SHA1

                                      8213a974f617ee9b191e605856e776ab96ff4382

                                      SHA256

                                      c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07

                                      SHA512

                                      ad30bb25260f959f2d3db823b2ca65b06cdfa6dc5d27527b053e4b5526ed6363519e6fd137c33f53371d8d4df2bcd6ac49aeab2631b106c891db41d0478e70ce

                                    • memory/4484-247-0x0000000000290000-0x00000000002AC000-memory.dmp

                                      Filesize

                                      112KB