9150e5f78269d03dc63ddb2dbfa8d53151f56b3a96b26531ad7d07d5728b77f8

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe
Size

293KB
MD5

688ada96ae2ead4fbdbf24faade64e3b
SHA1

8a6a3d65186161690c71b31e8d203c8370d33094
SHA256

9150e5f78269d03dc63ddb2dbfa8d53151f56b3a96b26531ad7d07d5728b77f8
SHA512

e7e77b3ac355a27f783b2985ed446def6886959c7e5b04ca35ce027ac567572ef742ba9a78c9dacf3bcf6ad4cdef7c04c9f4c027ccde62b44ef7ca56b6c827f4
SSDEEP

6144:mmKdxjPFcMw0Tv4zBucQI4Px/WIxqwiD7atzaVNl5qTkHxqq:3KjA24zBuc54JO+iD2FabekHxqq

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\restore_files_grakl.txt

Ransom Note

______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________ What happened to your files ? All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1.http://aep554w4fm8j.fflroe598qu.com/604455AF7EF2ECC2 2.http://aoei243548ld.keedo93i1lo.com/604455AF7EF2ECC2 3. https://zpr5huq4bgmutfnf.onion.to/604455AF7EF2ECC2 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: zpr5huq4bgmutfnf.onion/604455AF7EF2ECC2 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal page: http://aep554w4fm8j.fflroe598qu.com/604455AF7EF2ECC2 Your personal page (using TOR): zpr5huq4bgmutfnf.onion/604455AF7EF2ECC2 Your personal identification number (if you open the site (or TOR 's) directly): 604455AF7EF2ECC2

URLs

https://zpr5huq4bgmutfnf.onion.to/604455AF7EF2ECC2

http://zpr5huq4bgmutfnf.onion/604455AF7EF2ECC2

http://aep554w4fm8j.fflroe598qu.com/604455AF7EF2ECC2

Extracted

Path

C:\PerfLogs\restore_files_grakl.html

Ransom Note

<html><title>CryptoWall 3.0</title><style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center><div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;">What happened to your files? All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0. More information about the encryption RSA-2048 can be found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a> What does this mean? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!. What do I do? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. <div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr>1.<a href="http://aep554w4fm8j.fflroe598qu.com/604455AF7EF2ECC2" target="_blank">http://aep554w4fm8j.fflroe598qu.com/604455AF7EF2ECC2</a> 2.<a href="http://aoei243548ld.keedo93i1lo.com/604455AF7EF2ECC2" target="_blank">http://aoei243548ld.keedo93i1lo.com/604455AF7EF2ECC2</a> 3.<a href="https://zpr5huq4bgmutfnf.onion.to/604455AF7EF2ECC2" target="_blank">https://zpr5huq4bgmutfnf.onion.to/604455AF7EF2ECC2</a> </div> <div class="tb" style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a> 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: zpr5huq4bgmutfnf.onion/604455AF7EF2ECC2 4. Follow the instructions on the site.</div> IMPORTANT INFORMATION: <div class="tb" style="width:790px;">Your Personal PAGE: <a href="http://aep554w4fm8j.fflroe598qu.com/604455AF7EF2ECC2" target="_blank">http://aep554w4fm8j.fflroe598qu.com/604455AF7EF2ECC2</a> Your Personal PAGE (using TOR): zpr5huq4bgmutfnf.onion/604455AF7EF2ECC2 Your personal code (if you open the site (or TOR 's) directly): 604455AF7EF2ECC2 </div></div></center></body></html>

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (1206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	svcjxc.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_grakl.html	svcjxc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_grakl.html	svcjxc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_grakl.txt	svcjxc.exe

Executes dropped EXE 2 IoCs

pid	Process
720	svcjxc.exe
3468	svcjxc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\604455AF7EF2ECC2 = "C:\\Users\\Admin\\AppData\\Roaming\\svcjxc.exe"	svcjxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\604455AF7EF2ECC2 = "C:\\Users\\Admin\\AppData\\Roaming\\svcjxc.exe"	svcjxc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 720 set thread context of 3468	720	svcjxc.exe	88

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1851_40x40x32.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-unplated_contrast-white.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-150_contrast-black.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1113_20x20x32.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d4.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\WideTile.scale-200.png	svcjxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\restore_files_grakl.html	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-125_contrast-white.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-100.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-150.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-150.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-400.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-64.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-125.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200_contrast-high.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\LargeTile.scale-200.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-lightunplated.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-200.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-256_altform-unplated.png	svcjxc.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_he.json	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-100.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-125.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-48.png	svcjxc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-125.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\restore_files_grakl.html	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-125.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-125.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125_contrast-black.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_altform-unplated_contrast-white.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30_altform-unplated.png	svcjxc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\restore_files_grakl.html	svcjxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\restore_files_grakl.html	svcjxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png	svcjxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\restore_files_grakl.html	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-60_altform-unplated.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\MedTile.scale-125.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png	svcjxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-150.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-100.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-150.png	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36.png	svcjxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\restore_files_grakl.txt	svcjxc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-125.png	svcjxc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2924	vssadmin.exe
3408	vssadmin.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\msys	svcjxc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	svcjxc.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3484	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe
3468	svcjxc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe
Token: SeDebugPrivilege	3468	svcjxc.exe
Token: SeBackupPrivilege	3900	vssvc.exe
Token: SeRestorePrivilege	3900	vssvc.exe
Token: SeAuditPrivilege	3900	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 2936 wrote to memory of 4888	2936	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	87
PID 4888 wrote to memory of 720	4888	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	95
PID 4888 wrote to memory of 720	4888	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	95
PID 4888 wrote to memory of 720	4888	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	95
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 720 wrote to memory of 3468	720	svcjxc.exe	88
PID 4888 wrote to memory of 3048	4888	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	90
PID 4888 wrote to memory of 3048	4888	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	90
PID 4888 wrote to memory of 3048	4888	VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe	90
PID 3468 wrote to memory of 2924	3468	svcjxc.exe	93
PID 3468 wrote to memory of 2924	3468	svcjxc.exe	93
PID 3468 wrote to memory of 3484	3468	svcjxc.exe	105
PID 3468 wrote to memory of 3484	3468	svcjxc.exe	105
PID 3468 wrote to memory of 3484	3468	svcjxc.exe	105
PID 3468 wrote to memory of 1888	3468	svcjxc.exe	107
PID 3468 wrote to memory of 1888	3468	svcjxc.exe	107
PID 1888 wrote to memory of 2512	1888	msedge.exe	106
PID 1888 wrote to memory of 2512	1888	msedge.exe	106
PID 3468 wrote to memory of 3408	3468	svcjxc.exe	109
PID 3468 wrote to memory of 3408	3468	svcjxc.exe	109
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115
PID 1888 wrote to memory of 1176	1888	msedge.exe	115

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	svcjxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	svcjxc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_688ada96ae2ead4fbdbf24faade64e3b.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
    3⤵
    PID:3048
- - C:\Users\Admin\AppData\Roaming\svcjxc.exe
    C:\Users\Admin\AppData\Roaming\svcjxc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:720

C:\Users\Admin\AppData\Roaming\svcjxc.exe
C:\Users\Admin\AppData\Roaming\svcjxc.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3468
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2924
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
    3⤵
    PID:252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
    3⤵
    PID:1512
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
    3⤵
    PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
    3⤵
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
    3⤵
    PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14174019195231753578,14694878730649920407,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:5024
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\svcjxc.exe >> NUL
  2⤵
  PID:5776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe8c546f8,0x7fffe8c54708,0x7fffe8c54718
1⤵
PID:2512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\restore_files_grakl.html

Filesize
3KB

MD5
33a4156392b6f4152cbc0f94802496af

SHA1
97c3c624d2bd48b15bdcd624d1962bb316e44d72

SHA256
1478def51b8af24aad2ea4e10c439caf76c063c081801ac0c842a236d10d6f26

SHA512
4930ce71abc1e3ec6a6aac399bdd1893f64599435413fa9f3c405223cc6f12a1715c78b80a15f8d20fad899624860c921d9dc09d5d6d2770a92db9fe69432ceb

Download Submit
C:\PerfLogs\restore_files_grakl.txt

Filesize
2KB

MD5
b9696b7611b73b8355b634cdf0e385f5

SHA1
9ca44172fa6f5adc02d54e3b6bc87be75496a922

SHA256
d8da3cc4610269d94d6cc4224386cef34431a93614c7493f5f038f46e771624f

SHA512
2bbd1f604292b8df9d6e0973b0928ed971cb8c810f3b4c48a8c598306ec71fced9077ee3500a0e34a96d0a2dfe72e6ba12ac14a07840b5a099d2c2e8c78dac6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E62A8F547B79FBF11B7311BEEA0EDEDB

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E62A8F547B79FBF11B7311BEEA0EDEDB

Filesize
426B

MD5
4f5e682bc91c01d0bb35649e74c9a0cd

SHA1
800005ddd6f74d0752a749107153b9bcb047e31f

SHA256
79ba38344d76c5a719c309dc82acf9b555b52140cdbfa6f08199758918e6d970

SHA512
75127aba689866a6af7044cd5ff3b6498af53e0620a811568ec44245404f7aa81eb5bd42dbd871d723466e45ee3bcd683ddf9b041b715b0dff50d8a94d8c4813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bcaf436ee5fed204f08c14d7517436eb

SHA1
637817252f1e2ab00275cd5b5a285a22980295ff

SHA256
de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120

SHA512
7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82282f2db57bc605eef6d7f245d4beb7

SHA1
fcffab09b8dac5373e626dd09f4aaa4367a945f7

SHA256
fdb7b74b6e23a9380385e28ec70e3dd5bdb56085a2a0024be16e0667c78138de

SHA512
6f1c8923c29720e93e284075c82a8e47de0a589c598d01b9d7ddb52e6dd51864fa5a29584efc05f3aefb3d260733856eb91f9a239b9fd0b01093bd173c693d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7ce3570f57fee5ee5e4674881c3501c8

SHA1
fec32c12db1c08bfaba4c5e14ec8a6f7f0733c14

SHA256
5b1658ecd9763d07e5d365333824ffc412818e5b2bbc06b5e2ef36db281dca13

SHA512
442a29d37a327da3e3703e00329db9ef99aa46b31737d1e604dffba4429245b8dc822e2ba5d88bbe842c87a1d3ccb35b201718968949d81af63b81e9b23dccf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b0ba6f0eee8f998b4d78bc4934f5fd17

SHA1
589653d624de363d3e8869c169441b143c1f39ad

SHA256
4b5ee509e727accbd11493dda2c1d512e7dbfaff66c4f5f7ea9c2d2ccd06151f

SHA512
e9a165da246c6b80fc38431538203cf03f95794184ff63f00c9500f8919a2028b803f64b670e685185eed72df0509e3185c9b434fdbf2bc7af36021d46bd08d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9020f2f7e89ad13a2bbef886fbbdc578

SHA1
ad48cd549d6427380ce4b95eb8bb66c0e7250e7c

SHA256
e136deee6bad6507db6d9bd9b199791cbae8fa350830639a78e8fb149e71da7c

SHA512
1964175e53f101a6238b900e4ed0e7fc8c98b9f420d8dfe41d04ed05bcfe05319250d62b1bafedd29d5076dbc29e0f58c87bd5858ffd5abda27baeb6fe4740ee

Download Submit
C:\Users\Admin\AppData\Roaming\svcjxc.exe

Filesize
293KB

MD5
688ada96ae2ead4fbdbf24faade64e3b

SHA1
8a6a3d65186161690c71b31e8d203c8370d33094

SHA256
9150e5f78269d03dc63ddb2dbfa8d53151f56b3a96b26531ad7d07d5728b77f8

SHA512
e7e77b3ac355a27f783b2985ed446def6886959c7e5b04ca35ce027ac567572ef742ba9a78c9dacf3bcf6ad4cdef7c04c9f4c027ccde62b44ef7ca56b6c827f4

Download Submit
memory/720-19-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/720-15-0x00000000018F0000-0x0000000001900000-memory.dmp

Filesize
64KB

Download
memory/720-14-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2936-0-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2936-5-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/2936-7-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2936-2-0x0000000075260000-0x0000000075811000-memory.dmp

Filesize
5.7MB

Download
memory/2936-1-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/3468-18-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-24-0x00000000750F0000-0x0000000075129000-memory.dmp

Filesize
228KB

Download
memory/3468-25-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-27-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-8763-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-28-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-8783-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-8879-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-8920-0x00000000750F0000-0x0000000075129000-memory.dmp

Filesize
228KB

Download
memory/3468-30-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-21-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-20-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-8919-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3468-8880-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4888-23-0x00000000750F0000-0x0000000075129000-memory.dmp

Filesize
228KB

Download
memory/4888-6-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4888-8-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4888-3-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4888-9-0x00000000750F0000-0x0000000075129000-memory.dmp

Filesize
228KB

Download
memory/4888-22-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download