Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-05-2024 01:54

General

  • Target

    4df3ffbb785795de68dec97206b6a696_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    4df3ffbb785795de68dec97206b6a696

  • SHA1

    e22f32f3e1371f6deeb39bbffb5fde6a08344c5f

  • SHA256

    1d58c2f7b8364b1d207e39f91138b5079e6368a78312557117fcdc9f38deb87a

  • SHA512

    310bda0a23f780b27937fe6065239326ca1576a3eba7fa7a1867a7d3b56da2dc29c5fcab1daa1e43a991e770a21d6cd208e21b5f551ebf219266315859c03122

  • SSDEEP

    6144:YutAHuAX1/7zv+Ul4s/KFxhNDPPHf2TNhOAL68v6RD/Nqr49Jr:YxHu4/H6xhtPPHf2JhTxvU/4rI

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+awkna.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/3A391476EB637F65
2 - http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/3A391476EB637F65
3 - http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/3A391476EB637F65
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/3A391476EB637F65
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/3A391476EB637F65
http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/3A391476EB637F65
http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/3A391476EB637F65
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/3A391476EB637F65
URLs

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/3A391476EB637F65

http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/3A391476EB637F65

http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/3A391476EB637F65

http://xlowfznrg4wf7dli.ONION/3A391476EB637F65

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (870) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4df3ffbb785795de68dec97206b6a696_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4df3ffbb785795de68dec97206b6a696_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Windows\enrdqykxrnan.exe
      C:\Windows\enrdqykxrnan.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3152
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2208
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:284
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4668
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b05846f8,0x7ff8b0584708,0x7ff8b0584718
          4⤵
          PID:3128
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
          4⤵
          PID:4364
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
          4⤵
          PID:3748
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
          4⤵
          PID:3292
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
          4⤵
          PID:2076
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
          4⤵
          PID:116
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
          4⤵
          PID:3796
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
          4⤵
          PID:4712
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
          4⤵
          PID:4580
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
          4⤵
          PID:292
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
          4⤵
          PID:872
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6836013701440081734,2307235425432459400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
          4⤵
          PID:4496
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ENRDQY~1.EXE
        3⤵
        PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4DF3FF~1.EXE
      2⤵
      PID:2888
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1496
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1748
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3776

Downloads
