Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10-05-2024 00:17

General

  • Target

    2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe

  • Size

    796KB

  • MD5

    2a82a8d01b2ddc18dd140c7473d2e3f0

  • SHA1

    c176cda981e9252dbb4f651611d0a105f23c2dc9

  • SHA256

    23dbff82389243685ef46c7f0a3bcb9c52806696e5d4701c7cab562891bc4619

  • SHA512

    760a78b554d3f668bc211641e57a8b700ebcccb35de6f7390ae35c5dfb344cc7ff8ba1087cb13f5b47053f35561e5f2b7465b875cadda56e5eaccae97f1bae13

  • SSDEEP

    24576:CgJ8cTa1yn1R6v+3Wqdd69lgJ8cTa1yn1R6v+3WqddG:rS+gi1c+GmlS+gi1c+GmU

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\HELP_RECOVER_instructions+uko.txt

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://pp4dehh5nlkcs.pesslaugh.com/47DED52466F0C399
2. http://ss7fh33dfnourebfle.geckoyao.com/47DED52466F0C399
3. http://h5534bvnrnkj345.maniupulp.com/47DED52466F0C399
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: yez2o5lwqkmlv5lc.onion/47DED52466F0C399
4. Follow the instructions on the site.
!!! IMPORTANT INFORMATION:
!!! Your personal pages:
http://pp4dehh5nlkcs.pesslaugh.com/47DED52466F0C399
http://ss7fh33dfnourebfle.geckoyao.com/47DED52466F0C399
http://h5534bvnrnkj345.maniupulp.com/47DED52466F0C399
!!! Your personal page Tor-Browser: yez2o5lwqkmlv5lc.onion/47DED52466F0C399
!!!
Your personal identification ID: 47DED52466F0C399
URLs

http://pp4dehh5nlkcs.pesslaugh.com/47DED52466F0C399

http://ss7fh33dfnourebfle.geckoyao.com/47DED52466F0C399

http://h5534bvnrnkj345.maniupulp.com/47DED52466F0C399

http://yez2o5lwqkmlv5lc.onion/47DED52466F0C399
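
The note mixes operator infrastructure (three clearnet domains and one onion address, all carrying the same per-victim path) with public reference links (Google Translate, Wikipedia, the Tor Project) that must not end up on a blocklist. As an added example, not part of this report or of the sandbox's own extraction, the script below pulls the victim ID, the operator URLs and the onion address out of the note and keeps them apart from the reference links. NOTE_EXCERPT is copied from the note above; REFERENCE_HOSTS, the output field names and the two-label registrable-domain heuristic are this example's assumptions.

```python
"""Added example (not from the sandbox report): extract blockable indicators from the
ransom note and separate them from the public reference links the note also cites."""
import re
from urllib.parse import urlsplit

# Copied from the extracted note above; trimmed to the lines that carry indicators.
NOTE_EXCERPT = """NOT YOUR LANGUAGE? USE https://translate.google.com
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
1. http://pp4dehh5nlkcs.pesslaugh.com/47DED52466F0C399
2. http://ss7fh33dfnourebfle.geckoyao.com/47DED52466F0C399
3. http://h5534bvnrnkj345.maniupulp.com/47DED52466F0C399
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: yez2o5lwqkmlv5lc.onion/47DED52466F0C399
!!! Your personal page Tor-Browser: yez2o5lwqkmlv5lc.onion/47DED52466F0C399 !!!
Your personal identification ID: 47DED52466F0C399"""

# Assumption: hosts that ransom notes cite as instructions, never as operator infrastructure.
REFERENCE_HOSTS = {"translate.google.com", "en.wikipedia.org", "www.torproject.org"}
URL_RX = re.compile(r"https?://[^\s\"'<>]+")
# v2 (16 chars) or v3 (56 chars) onion hostnames written without a scheme, as in this note.
ONION_RX = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:/\S*)?")
ID_RX = re.compile(r"identification ID:\s*([0-9A-Fa-f]{8,32})")


def registrable_domain(host):
    """Last two labels of a hostname; enough for the flat domains in this note (heuristic)."""
    return ".".join(host.lower().split(".")[-2:])


def extract_iocs(note):
    match = ID_RX.search(note)
    victim_id = match.group(1) if match else None
    payment_urls, reference_urls = [], []
    for url in dict.fromkeys(URL_RX.findall(note)):  # de-duplicate, keep note order
        host = urlsplit(url).hostname or ""
        (reference_urls if host in REFERENCE_HOSTS else payment_urls).append(url)
    onion_urls = list(dict.fromkeys(o.group(0) for o in ONION_RX.finditer(note)))
    hosts = [urlsplit(u).hostname for u in payment_urls] + [u.split("/")[0] for u in onion_urls]
    # Every operator URL should carry the same per-victim path; a mismatch means the
    # note was altered or the ID regex matched something else.
    id_consistent = victim_id is not None and all(
        u.rstrip("/").endswith("/" + victim_id) for u in payment_urls + onion_urls)
    return {
        "victim_id": victim_id,
        "payment_urls": payment_urls,
        "onion_urls": onion_urls,
        "blocklist_domains": sorted({registrable_domain(h) for h in hosts}),
        "reference_urls": reference_urls,
        "id_consistent": id_consistent,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(NOTE_EXCERPT), indent=2))
```

The blocklist_domains list is what goes to DNS or proxy blocking; reference_urls is deliberately kept out of it. The id_consistent flag is a cheap sanity check that the three clearnet hosts and the onion address really belong to the same campaign page before they are pushed as one indicator set.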

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
  • Renames multiple (867) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Users\Admin\AppData\Roaming\vqymhcw.exe
        C:\Users\Admin\AppData\Roaming\vqymhcw.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Users\Admin\AppData\Roaming\vqymhcw.exe
          C:\Users\Admin\AppData\Roaming\vqymhcw.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2752
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} bootems off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1380
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:2620
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} advancedoptions off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:736
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} optionsedit off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1900
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1152
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} recoveryenabled off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:4864
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\help_recover_instructions.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:4592
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\help_recover_instructions.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4936
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe602f46f8,0x7ffe602f4708,0x7ffe602f4718
              6⤵
              PID:4128
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
              6⤵
              PID:2144
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
              6⤵
              PID:4656
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
              6⤵
              PID:652
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
              6⤵
              PID:2688
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
              6⤵
              PID:1452
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
              6⤵
              PID:4840
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
              6⤵
              PID:2056
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
              6⤵
              PID:3796
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
              6⤵
              PID:2548
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
              6⤵
              PID:3924
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12650079398616521545,943712634217285122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
              6⤵
              PID:4636
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:3148
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\vqymhcw.exe
            5⤵
            PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2A82A8~1.EXE
        3⤵
        PID:4112
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4836
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:844
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2072
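
The bcdedit and vssadmin children of the dropped copy (PID 2752) are the lines worth alerting on: five boot-configuration changes, two shadow-copy deletions, and a cmd.exe self-delete, all from one parent within the run. As an added example, not part of this report or of the sandbox's own signatures, the script below replays those command lines as constructed process-creation events and correlates them per parent process. It also handles the 8.3 short-name form the sample uses for its own path (2A82A8~1.EXE for 2a82a8d0…_NeikiAnalytics.exe), which a plain path comparison would miss. The event field names, the EVENTS list, the one benign control event, and the two-behaviour severity threshold are assumptions of this example, not any EDR's schema.

```python
"""Added example (not part of the sandbox report): correlate the process-creation
events from the tree above into one recovery-inhibition finding per parent process."""
import os
import re
from pathlib import PureWindowsPath

# Constructed from the report's process tree: pid, parent pid, image, command line.
EVENTS = [
    {"pid": 920, "ppid": 468,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe"'},
    {"pid": 2752, "ppid": 2524, "image": r"C:\Users\Admin\AppData\Roaming\vqymhcw.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\vqymhcw.exe"},
    {"pid": 1380, "ppid": 2752, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} bootems off"},
    {"pid": 2620, "ppid": 2752, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"pid": 736, "ppid": 2752, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} advancedoptions off"},
    {"pid": 1900, "ppid": 2752, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} optionsedit off"},
    {"pid": 1152, "ppid": 2752, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"},
    {"pid": 4864, "ppid": 2752, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} recoveryenabled off"},
    {"pid": 3048, "ppid": 2752, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\vqymhcw.exe'},
    {"pid": 4112, "ppid": 920, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2A82A8~1.EXE'},
    # Constructed benign control (not in the report): listing boot entries must not fire.
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /enum"},
]

# Each tag names a behaviour from the report's signatures. The patterns key on the
# switches, not the path, so "bcdedit.exe" and a quoted full path both match.
RULES = [
    ("shadow_copy_deletion", re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I)),
    ("recovery_disabled", re.compile(r"bcdedit.*\brecoveryenabled\s+(off|no)\b", re.I)),
    ("boot_failures_ignored", re.compile(r"bcdedit.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("boot_menu_hidden", re.compile(r"bcdedit.*\b(bootems|advancedoptions|optionsedit)\s+off\b", re.I)),
]


def name_variants(image):
    """Basename of an image plus the 8.3 short name a DEL may use instead.
    Heuristic: assumes the ~1 slot, which is what the report's self-delete shows."""
    base = PureWindowsPath(image).name.lower()
    stem, ext = os.path.splitext(base)
    variants = {base}
    if len(stem) > 8 or len(ext) > 4:
        variants.add(stem.replace(" ", "")[:6] + "~1" + ext[:4])
    return variants


def tag_event(event, image_by_pid):
    """Return the behaviour tags one process-creation event triggers."""
    tags = {tag for tag, rx in RULES if rx.search(event["cmdline"])}
    cmd = event["cmdline"].lower()
    parent_image = image_by_pid.get(event["ppid"])
    # A child deleting its parent's own image is the self-delete step of the chain.
    if parent_image and re.search(r"\bdel\b", cmd) and any(v in cmd for v in name_variants(parent_image)):
        tags.add("parent_self_deletion")
    return tags


def correlate(events):
    """Group tagged children under their parent. Two or more distinct behaviours from
    one parent is rated high, a single one low (threshold is an assumption)."""
    image_by_pid = {e["pid"]: e["image"] for e in events}
    findings = {}
    for e in events:
        tags = tag_event(e, image_by_pid)
        if not tags:
            continue
        f = findings.setdefault(e["ppid"], {"image": image_by_pid.get(e["ppid"]), "tags": set(), "children": []})
        f["tags"] |= tags
        f["children"].append(e["pid"])
    for f in findings.values():
        f["severity"] = "high" if len(f["tags"]) >= 2 else "low"
    return findings


if __name__ == "__main__":
    for ppid, f in correlate(EVENTS).items():
        print(ppid, f["image"], f["severity"], sorted(f["tags"]), f["children"])
```

Run as-is it prints one finding per parent; on live telemetry, feed it Sysmon event ID 1 or equivalent process-creation records carrying the same four fields. Note that every bcdedit and vssadmin child here runs under the dropped copy in %AppData% (PID 2752), not under the submitted file, so a rule keyed only on the original sample's hash or path would see the self-delete of 2A82A8~1.EXE and nothing else.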

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Program Files\7-Zip\Lang\HELP_RECOVER_instructions+uko.html

                                    Filesize

                                    8KB

                                    MD5

                                    c1b6d6b1a89984ce7af8d13c213229b7

                                    SHA1

                                    a42d4c18118be4565d9d02c3790fa17aaa8ec5a5

                                    SHA256

                                    9961549e3b07f5650c4840b8e4b2711b71aa8e0ba57b83cb93e3b5394bdf4ed9

                                    SHA512

                                    9c4938e7b921d7ad0666749434560c876d1b55d6eda0af5115f2b9b8709dd5c34d9193e449af3dc409b7bd5b7df661e0fb3cb15ec1c864cf01a3654e9f5daaa5

                                  • C:\Program Files\7-Zip\Lang\HELP_RECOVER_instructions+uko.png

                                    Filesize

                                    66KB

                                    MD5

                                    6c8471f267a747ef482a8c577bffd48a

                                    SHA1

                                    c0f0fbd5777d981768f7c69bd85b6a05c0d0c6b9

                                    SHA256

                                    c32ef66ce847ea58ea3a37a5b72124472cb51134d7bc3ea1445db65a8739bcf1

                                    SHA512

                                    263d03bd42d0a8fa2b00fe4d0b4d5d73e00fcbb8c9ff0ed9c5be811e64299c03e91be7ab8016a728fff56fa3a1798b04e116244b9799f7325c451f40093c606a

                                  • C:\Program Files\7-Zip\Lang\HELP_RECOVER_instructions+uko.txt

                                    Filesize

                                    2KB

                                    MD5

                                    3671711ba3e90dd02626b2e555713f82

                                    SHA1

                                    db403e9e66ad260a044cc59b96f805754c552123

                                    SHA256

                                    7ed18871b8cc69e5bb25a5b5b72995f9805d75a4d901e84491801b3b7be1f87f

                                    SHA512

                                    503e8fce9a21835932ee60da24d647ec6c12425eccac0b0d42916421016e101ac121c71d52ea2ef9905e01e28b4a749104a39513a0632280848159867d2afed4

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                    Filesize

                                    560B

                                    MD5

                                    716234db16183bc476414dbd343beaa2

                                    SHA1

                                    7bf76e8982b9efa29a38fb4bb12874847fd6c00e

                                    SHA256

                                    9c202811c6027db676b8c4106b709b120da1914274bb7d8995d8443233e6ffbd

                                    SHA512

                                    565a0b3de49302147bb7d35399614e2639dae11096b6899e955d9b89907040949f4a579e530522765fbe974700ce0aab01b545fe209c7ac02fbe62d570dbeab4

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                    Filesize

                                    560B

                                    MD5

                                    f97c5706d6d894d4b307b52c3beba547

                                    SHA1

                                    5cf427de1a2c6eabba717b1f5f24559713516114

                                    SHA256

                                    9dae2a85d44ed815b7cd894da83299f34aea7dccb06ad8a53897964134becd43

                                    SHA512

                                    c81460fca134bd3ed66577b73ca33e79feb4ae4d5857a3dc1c2b15b69e39aee868c87fb9cb9b211323fcbc6d0151f0d923b08ae7f8a26350e065b23b3847ad8c

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                    Filesize

                                    416B

                                    MD5

                                    a4a21097d7e09fa885415eabc6269c4b

                                    SHA1

                                    4e2e8f1e2a00241db2c5f1183873650b79fc6f89

                                    SHA256

                                    80b5c4bff2598b008d03cc72483e74c18ce4823e6704293b8df3ace791abe701

                                    SHA512

                                    c7076e798c2f88aa3863652351826a56ff2238148844e1316e24fda3f27e9f96cdd9d7f361445b2be0ece27a7b8ae36a818b93069a1eecdd8cc80ead84333f24

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    b2a1398f937474c51a48b347387ee36a

                                    SHA1

                                    922a8567f09e68a04233e84e5919043034635949

                                    SHA256

                                    2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

                                    SHA512

                                    4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    1ac52e2503cc26baee4322f02f5b8d9c

                                    SHA1

                                    38e0cee911f5f2a24888a64780ffdf6fa72207c8

                                    SHA256

                                    f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

                                    SHA512

                                    7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    78934812355f6886a6be72726fa9fc18

                                    SHA1

                                    c94c91eff5555896659f9aad3521d32268c2cda9

                                    SHA256

                                    c92ca35f2f0f1cfff11bf0744a16356123d77c6b69318f5b5901d96fec88f8b3

                                    SHA512

                                    269bfb28a3f400257d34e8d2bbd84155ad203f4e74d0efd2fa7b0075580d4214f4028789cb5bb612c0e86446318d53c0efbe345d5bcd417c35f1b8f712a4c71e

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    346efb824dcd4e40d937792c47cb5641

                                    SHA1

                                    4734f3ec4305f47726441c66cbb29ba5cef0737a

                                    SHA256

                                    c3b2c2e149f6170aba2dcab1dee30aa7acb1e66caf37b76b416b915125f5ecef

                                    SHA512

                                    d07813b5cd4660688bb6afd4fc154f7242edbf036827c4291f750689a387aa70a8e04669c46627071124ac1fdfe964d32f9b3e39f2de0d50c27bbb37eb0c5401

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    11KB

                                    MD5

                                    6d5500b4e926629721c962d2024819ac

                                    SHA1

                                    f17be3258596472bab36c48328fb0a5f7cb7ff21

                                    SHA256

                                    452cf553f57ca240ec586c09ceea8f13c586cd81a2d019b596dcfabf10bc8c7b

                                    SHA512

                                    9bea9353b31fc2050c555c147f230ab735844bd57e00b7fb4fc7fa8d3e119d2a0d87cb9147097513d341af09168ec73e163746ec50994ca3ee1f563b9c14f056

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586087795228297.txt

                                    Filesize

                                    47KB

                                    MD5

                                    df903fe2ca1f0f318ed6c90d8dcb242b

                                    SHA1

                                    9ae94727b1003b25d990971f469bdc5ae809956f

                                    SHA256

                                    f5228a960ca981ac2160c27fbfc9ea90d08987323204f375c0fe48fc36a37d92

                                    SHA512

                                    2dad2fc31a5b981a74d13f008b0e98855793a693f5a7a900c1ac0442f2f0f0f1a082268278ad508ce5746d719eeb7946b58aab99128cd4e2a17d19d19b822562

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586106130932495.txt

                                    Filesize

                                    75KB

                                    MD5

                                    b1b168255629c986c1111a014f41c5c5

                                    SHA1

                                    d313f923d33d96ef706952661beac5228d0115ea

                                    SHA256

                                    e06dab5ffac62d89cf50fa2b2f07cf12856e9784dcb8ca5d00adc642b3ff9eb2

                                    SHA512

                                    080deca874c0147339b280edb673e1f7ad6a1b1de58d291d33e174eb86709fad502a6af3d87521754a2672bdabbe53ed360ff3186b3c7d4ff9d8898aad670fec

                                  • C:\Users\Admin\AppData\Roaming\vqymhcw.exe

                                    Filesize

                                    796KB

                                    MD5

                                    2a82a8d01b2ddc18dd140c7473d2e3f0

                                    SHA1

                                    c176cda981e9252dbb4f651611d0a105f23c2dc9

                                    SHA256

                                    23dbff82389243685ef46c7f0a3bcb9c52806696e5d4701c7cab562891bc4619

                                    SHA512

                                    760a78b554d3f668bc211641e57a8b700ebcccb35de6f7390ae35c5dfb344cc7ff8ba1087cb13f5b47053f35561e5f2b7465b875cadda56e5eaccae97f1bae13

                                  • memory/468-1-0x0000000000A60000-0x0000000000A63000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/468-9-0x0000000000400000-0x00000000008D9000-memory.dmp

                                    Filesize

                                    4.8MB

                                  • memory/468-7-0x0000000000A60000-0x0000000000A63000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/468-3-0x0000000000A60000-0x0000000000A63000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/468-2-0x0000000000400000-0x00000000008D9000-memory.dmp

                                    Filesize

                                    4.8MB

                                  • memory/468-0-0x0000000000400000-0x00000000008D9000-memory.dmp

                                    Filesize

                                    4.8MB

                                  • memory/920-6-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/920-15-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/920-8-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/920-4-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/920-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2524-14-0x0000000000400000-0x00000000008D9000-memory.dmp

                                    Filesize

                                    4.8MB

                                  • memory/2524-21-0x0000000000400000-0x00000000008D9000-memory.dmp

                                    Filesize

                                    4.8MB

                                  • memory/2752-10400-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-10399-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-885-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-8907-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-28-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-10391-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-3820-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-5559-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-10390-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-25-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-23-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-22-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-6178-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-20-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-19-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/2752-10478-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB