Analysis

  • max time kernel
    144s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2024, 13:29

General

  • Target

    91f480971a54e41cf899c9bd0d7bb009_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    91f480971a54e41cf899c9bd0d7bb009

  • SHA1

    150d74e9ba69d69dac4064c8966b3f192131d872

  • SHA256

    a4754955412700a50ec0778aee21e500c6a0b64a5e82c472f87af87cfc7c9de6

  • SHA512

    14f50fb4445f2c5409e434f8ab3166e610485c2d2d87bfb65782b5d81860176529d6aa914ed89f30c5d70ad88e0085d78a0c9aa719507e0960349eda0b115a5f

  • SSDEEP

    6144:ML+ROMHXZ99JX2WngMNSYZh1r0CLf2dWsLf2EUOH9:MQ7J9PgMN7LsqEUO

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+wtgno.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/17EF79EC845082
2 - http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/17EF79EC845082
3 - http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/17EF79EC845082

If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/17EF79EC845082
4 - Follow the instructions on the site

IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/17EF79EC845082
http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/17EF79EC845082
http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/17EF79EC845082
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/17EF79EC845082
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/17EF79EC845082

http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/17EF79EC845082

http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/17EF79EC845082

http://xlowfznrg4wf7dli.ONION/17EF79EC845082

The trailing path component 17EF79EC845082 is the same on all four URLs and identifies this victim, so block or hunt on the hostnames rather than on the full URLs.

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family active in 2015-2016 whose ransom notes imitate CryptoLocker. The "RSA4096" wording in the note above is part of that imitation: TeslaCrypt encrypts files with AES and protects the keys with elliptic-curve key agreement, not RSA. The operators shut down in May 2016 and released the master private key, so files from this family can usually be recovered with a public decryptor instead of by paying.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery. Here the payload (PID 3492) runs WMIC.exe shadowcopy delete /nointeractive twice (PIDs 3216 and 764); the vssvc.exe start at the top level of the process tree (PID 1092) is the Volume Shadow Copy service being activated by those calls.

  • Renames multiple (855) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system. The report does not state which extension was appended, so do not key detection on a fixed extension; the ransom-note file names (_ReCoVeRy_+wtgno.txt/.html/.png in each encrypted directory, _ReCoVeRy_.TXT and _ReCoVeRy_.HTM on the desktop) are the more stable marker.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs

    The dropped C:\Windows\mhdxirutnwho.exe has the same MD5/SHA256 as the submitted sample (see Downloads): the sample copies itself into C:\Windows, re-launches from there, and later deletes the original in %TEMP% with cmd.exe /c DEL (PID 2156) and the copy with the same command (PID 2700).

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. Treat this hit as low confidence here: the only browser activity in the tree is msedge.exe, launched by the payload (PID 3492) to display the HTML ransom note, and the Edge profile files listed under Downloads are consistent with Edge's own startup rather than with the sample reading them.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs

    Seen twice, each time together with WriteProcessMemory against a freshly started copy of the same executable (PID 1940 into 1640, PID 1528 into 3492). That pairing is consistent with a packer unpacking the real payload into a suspended child (process hollowing); the 536KB image mapped at 0x400000 in PIDs 1640 and 3492 (the memory/1640-* and memory/3492-* dumps under Downloads) would be the unpacked stage, and those dumps rather than the 276KB file on disk are the right starting point for static analysis.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

    This and the FindShellTrayWindow / SendNotifyMessage hits below are raised by msedge.exe (PID 636), which the payload launched to show _ReCoVeRy_.HTM; they are browser noise, not sample behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
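
The mass-rename and ransom-note signatures above are what a host-based detector keys on. The following Python is an added example, not part of the sandbox report and not any vendor's detection logic. It scores per-process file events on two heuristics: a burst of renames that append an extension to files across many directories, and the same note file name being written into several directories. The file events, the target directories and the appended extension ".enc" are constructed for the example, because the report does not say which extension this sample appended; only the note file names (_ReCoVeRy_+wtgno.*) are taken from the report.

```python
"""File-event heuristic for the mass-rename and note-drop signatures (added example)."""
import ntpath
from collections import defaultdict

# Lower-case stem shared by this sample's note files (_ReCoVeRy_+wtgno.txt/.html/.png, _ReCoVeRy_.TXT).
NOTE_STEMS = ("_recovery_",)


def appended_extension(old, new):
    """Return the suffix a rename appended to the file name (e.g. '.enc'), or None when the
    rename is something else: a move across directories, a changed stem, or a suffix too
    long to be a plausible extension."""
    if ntpath.dirname(old).lower() != ntpath.dirname(new).lower():
        return None
    ob, nb = ntpath.basename(old), ntpath.basename(new)
    suffix = nb[len(ob):]
    if not nb.startswith(ob) or len(suffix) < 2 or not suffix.startswith(".") or len(suffix) > 8:
        return None
    return suffix.lower()


def _max_in_window(times, window):
    """Largest number of events falling inside any window of `window` seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def score(events, window=60.0, min_renames=50, min_dirs=5, min_note_dirs=3):
    """Per-pid verdict: a burst of extension-appending renames across many directories,
    or the same note file name written into several directories, marks ransomware."""
    per = defaultdict(lambda: {"times": [], "dirs": set(), "exts": defaultdict(int), "note_dirs": set()})
    for e in events:
        s = per[e["pid"]]
        if e["op"] == "rename":
            ext = appended_extension(e["path"], e["new_path"])
            if ext:
                s["times"].append(e["t"])
                s["dirs"].add(ntpath.dirname(e["new_path"]).lower())
                s["exts"][ext] += 1
        elif e["op"] == "write":
            base = ntpath.basename(e["path"]).lower()
            if any(stem in base for stem in NOTE_STEMS):
                s["note_dirs"].add(ntpath.dirname(e["path"]).lower())
    verdicts = {}
    for pid, s in per.items():
        burst = _max_in_window(s["times"], window)
        mass_rename = burst >= min_renames and len(s["dirs"]) >= min_dirs
        note_spray = len(s["note_dirs"]) >= min_note_dirs
        verdicts[pid] = {"renames": len(s["times"]), "burst": burst, "dirs": len(s["dirs"]),
                         "extensions": dict(s["exts"]), "note_dirs": len(s["note_dirs"]),
                         "ransomware": mass_rename or note_spray}
    return verdicts


def build_events():
    """Constructed events, not sandbox output: pid 3492 encrypts 20 files in each of six
    directories and drops the three note files in each; pid 9010 is a benign tool renaming
    a few build outputs. The appended extension '.enc' is a placeholder (assumption)."""
    events, t = [], 0.0
    dirs = [r"C:\Program Files\7-Zip\Lang", r"C:\Program Files\Java\jre-1.8",
            r"C:\Program Files\Microsoft Office\root\Office16\1033", r"C:\Users\Admin\Desktop",
            r"C:\Users\Admin\Documents", r"C:\Users\Admin\Pictures"]
    for d in dirs:
        for i in range(20):
            old = ntpath.join(d, f"file{i}.docx")
            events.append({"t": t, "pid": 3492, "op": "write", "path": old})
            events.append({"t": t + 0.01, "pid": 3492, "op": "rename", "path": old, "new_path": old + ".enc"})
            t += 0.05
        for note in ("_ReCoVeRy_+wtgno.txt", "_ReCoVeRy_+wtgno.html", "_ReCoVeRy_+wtgno.png"):
            events.append({"t": t, "pid": 3492, "op": "write", "path": ntpath.join(d, note)})
    for i in range(5):
        old = ntpath.join(r"C:\build\out", f"module{i}.o")
        events.append({"t": t, "pid": 9010, "op": "rename", "path": old, "new_path": old + ".bak"})
        t += 1.0
    return events


if __name__ == "__main__":
    for pid, v in score(build_events()).items():
        print(pid, v)
```

The thresholds (50 renames in 60 seconds across 5 directories, notes in 3 directories) are starting points; tune them on a baseline of the fleet's real file activity, and remember that the note-name rule only catches families whose note names you already know, while the rename-burst rule is family-agnostic.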

Processes

  • C:\Users\Admin\AppData\Local\Temp\91f480971a54e41cf899c9bd0d7bb009_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\91f480971a54e41cf899c9bd0d7bb009_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Users\Admin\AppData\Local\Temp\91f480971a54e41cf899c9bd0d7bb009_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\91f480971a54e41cf899c9bd0d7bb009_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\mhdxirutnwho.exe
        C:\Windows\mhdxirutnwho.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\mhdxirutnwho.exe
          C:\Windows\mhdxirutnwho.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3492
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3216
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:4612
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:636
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8956b46f8,0x7ff8956b4708,0x7ff8956b4718
              6⤵
              PID:4336
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
              6⤵
              PID:3300
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
              6⤵
              PID:672
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
              6⤵
              PID:8
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
              6⤵
              PID:3724
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
              6⤵
              PID:4540
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
              6⤵
              PID:3188
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
              6⤵
              PID:2680
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
              6⤵
              PID:2716
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
              6⤵
              PID:2544
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
              6⤵
              PID:1804
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8263068597748657251,6864742008060789989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
              6⤵
              PID:1656
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:764
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MHDXIR~1.EXE
            5⤵
            PID:2700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\91F480~1.EXE
        3⤵
        PID:2156
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1092
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:372
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2340
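
The tree above contains four behaviours worth encoding as process-level detection rules: shadow-copy deletion through WMIC, a copy of the sample executed from C:\Windows with an unchanged hash, cmd.exe /c DEL of an ancestor's own executable via its 8.3 short name, and notepad or Edge opening the ransom note. The following Python is an added example, not part of the report and not any vendor's rule set; it runs those rules over process-creation events transcribed from the tree. The SHA256 of the system binaries is left as None because the report does not record it, the 8.3 matching is a prefix heuristic rather than a true short-name lookup, and the benign events are constructed.

```python
"""Process-tree triage rules for the tree above (added example, not report output)."""
import ntpath
import re

SAMPLE_SHA256 = "a4754955412700a50ec0778aee21e500c6a0b64a5e82c472f87af87cfc7c9de6"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\91f480971a54e41cf899c9bd0d7bb009_JaffaCakes118.exe"
DROPPED_EXE = r"C:\Windows\mhdxirutnwho.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Process-creation events transcribed from the sandbox tree. sha256 is known only for the
# sample and its dropped copy; None for the system binaries is an assumption, since the
# report does not record their hashes.
EVENTS = [
    {"pid": 1940, "ppid": 0,    "image": TEMP_EXE,    "cmdline": f'"{TEMP_EXE}"', "sha256": SAMPLE_SHA256},
    {"pid": 1640, "ppid": 1940, "image": TEMP_EXE,    "cmdline": f'"{TEMP_EXE}"', "sha256": SAMPLE_SHA256},
    {"pid": 1528, "ppid": 1640, "image": DROPPED_EXE, "cmdline": DROPPED_EXE, "sha256": SAMPLE_SHA256},
    {"pid": 3492, "ppid": 1528, "image": DROPPED_EXE, "cmdline": DROPPED_EXE, "sha256": SAMPLE_SHA256},
    {"pid": 3216, "ppid": 3492, "image": WMIC, "cmdline": f'"{WMIC}" shadowcopy delete /nointeractive', "sha256": None},
    {"pid": 4612, "ppid": 3492, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT', "sha256": None},
    {"pid": 636,  "ppid": 3492, "image": EDGE,
     "cmdline": rf'"{EDGE}" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM', "sha256": None},
    {"pid": 764,  "ppid": 3492, "image": WMIC, "cmdline": f'"{WMIC}" shadowcopy delete /nointeractive', "sha256": None},
    {"pid": 2700, "ppid": 3492, "image": CMD,
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MHDXIR~1.EXE', "sha256": None},
    {"pid": 2156, "ppid": 1640, "image": CMD,
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\91F480~1.EXE', "sha256": None},
]

# Constructed benign activity (not from the report) to show the rules stay quiet on it.
BENIGN_EVENTS = [
    {"pid": 9001, "ppid": 0,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "sha256": None},
    {"pid": 9002, "ppid": 9001, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\notes.txt', "sha256": None},
    {"pid": 9003, "ppid": 9001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c DEL C:\Users\Admin\Desktop\old.log', "sha256": None},
]

SHADOW_DELETE = re.compile(r"shadowcopy\s+delete|delete\s+shadows|delete\s+catalog", re.I)
DEL_CMD = re.compile(r"/c\s+del\s+(.+)$", re.I)
NOTE_NAME = re.compile(r"_ReCoVeRy_", re.I)   # note stem of this sample; extend per family


def _ancestors(pid, by_pid):
    """Yield parent, grandparent, ... until the chain leaves the event set."""
    seen, cur = set(), by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield cur


def _short_name_matches(target, candidate):
    """8.3 heuristic: C:\\Windows\\MHDXIR~1.EXE refers to mhdxirutnwho.exe in the same directory."""
    if ntpath.dirname(target).lower() != ntpath.dirname(candidate).lower():
        return False
    t_base, c_base = ntpath.basename(target).upper(), ntpath.basename(candidate).upper()
    if t_base == c_base:
        return True
    stem = t_base.split("~", 1)[0] if "~" in t_base else ""
    return bool(stem) and c_base.startswith(stem)


def analyze(events):
    """Return one finding per (rule, process) that fires."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd, base, parent = e["cmdline"], ntpath.basename(e["image"]).lower(), by_pid.get(e["ppid"])
        # 1. Backup inhibition through any of the usual shadow-copy deletion commands.
        if SHADOW_DELETE.search(cmd):
            findings.append({"rule": "shadow_copy_deletion", "pid": e["pid"], "detail": cmd})
        # 2. The parent's executable re-launched from a different path with the same hash.
        if parent and e["sha256"] and e["sha256"] == parent["sha256"] \
                and e["image"].lower() != parent["image"].lower():
            findings.append({"rule": "executes_self_copy", "pid": e["pid"],
                             "detail": f'{parent["image"]} -> {e["image"]}'})
        # 3. cmd /c DEL whose target is an ancestor's own image (self-deletion).
        m = DEL_CMD.search(cmd) if base == "cmd.exe" else None
        if m:
            target = m.group(1).strip().strip('"')
            for anc in _ancestors(e["pid"], by_pid):
                if _short_name_matches(target, anc["image"]):
                    findings.append({"rule": "self_delete", "pid": e["pid"],
                                     "detail": f'deletes {anc["image"]} (pid {anc["pid"]})'})
                    break
        # 4. The ransom note being shown to the user via notepad or the browser.
        if base in ("notepad.exe", "msedge.exe") and NOTE_NAME.search(cmd):
            findings.append({"rule": "ransom_note_display", "pid": e["pid"], "detail": cmd})
    return findings


def pids_by_rule(findings):
    """Group finding pids by rule name for quick summaries."""
    out = {}
    for f in findings:
        out.setdefault(f["rule"], set()).add(f["pid"])
    return out


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

Rule 2 is the one that separates this sample from a generic "binary in C:\Windows" alert: it needs the image hash of both parent and child, which most EDR telemetry provides but a plain Sysmon process-create event does not unless hashing is enabled. Rule 3 deliberately walks the whole ancestor chain, because the self-delete for the original file (PID 2156) is spawned by the second stage (PID 1640), not by the process that is being deleted.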

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+wtgno.html

                                    Filesize

                                    11KB

                                    MD5

                                    263359ecf6a8ec4e374c431c954deb50

                                    SHA1

                                    cb8dc9936986d8146fb9763ca621c367b8d468e3

                                    SHA256

                                    0ff683fddd4e27f099f888e5dad0be9c4e5541332a311d7ae4e8c5650c0fcc7a

                                    SHA512

                                    a57e8ec09d38de057be2e3c92031ea02c5ef918aa080bb06e5540cfe1c40e7ca77e54d50f776aa1275839b47fd06d0ba0ceef9128583ce119ed6ca070734cdd5

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+wtgno.png

                                    Filesize

                                    64KB

                                    MD5

                                    2fc65953ffb5d2be8f43c1d3239c1c17

                                    SHA1

                                    43c883943ac6ace8150cc810887d2d99594e95c9

                                    SHA256

                                    2600bd3cb84d44f1e3a8d7cb36d51c54a3b8d2014d00f4a0847653c6178f53be

                                    SHA512

                                    a9378084c7dce701d00a4631d4aee90549d11ca36ced58cddce0f8ed134ba3bbe767bcc96c4e612853bad82674af49e6cde07c67c523dba7ce22009e9703fcc9

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+wtgno.txt

                                    Filesize

                                    1KB

                                    MD5

                                    dbbfdf5328ab4bc6a9d9bb61acae57bd

                                    SHA1

                                    a9b19b7ee297e4ce2ad55ff37d31a703c19053d7

                                    SHA256

                                    91e3d2ee1d1dd4f3c312d8d476f52059d69f82b55d2811be0380b21936b61c4c

                                    SHA512

                                    af97f2378a095a316087dec3e8a851b0bc64214bb70d07d1418188e14ee41ff6acd0ab41e17abcf4ab163ef3098c5e57f0656b87d1abe17311cee641caa8857e

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                    Filesize

                                    560B

                                    MD5

                                    cb1943136fa72f6990dd2fa163810ca5

                                    SHA1

                                    d96b9b1abd7e72c067b88abe4cbb1b0ea0a6e876

                                    SHA256

                                    99d6af1e8eae833ecb24a31310b006398dfafe9f479baa3039952d2f502cec90

                                    SHA512

                                    7178bc3ca050ea8a545bb993d2bd5de1c48664e4125db23a1c59c2e2aeae77dba0b5e84c22a5165c608a80e2e2537cca16d0ae501eefeb662171de1d9fc736d1

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                    Filesize

                                    560B

                                    MD5

                                    6687a20a4d105755c4f3e33a33944bd3

                                    SHA1

                                    ca0ca9a073e67dacbae2876057088173c847a6d0

                                    SHA256

                                    1afde89a1bcf3dca02e09b64589cc0767098bec39effee508564c1e680f1d168

                                    SHA512

                                    1bb173a3a1421516b5837b38d475f01cbca5f421396583a8af6c04b9bd6f7d8f348b29098180648abe9f486edfb441c34aa21e66ef7d46cd03d8f8a62e1fa48f

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                    Filesize

                                    416B

                                    MD5

                                    4bca53412526ee710032e15f06c3d617

                                    SHA1

                                    32e6190f3785f5b4a465c6494fbc294297d844f2

                                    SHA256

                                    aa78cbc3f957ac30b1f7590438c2d5163d93423d3b5d3f2c6ff87875d72221d5

                                    SHA512

                                    bdf312357d6032691e7ece943d03b46be24c8e8ff59f0ffd4f295ada7205f65f0bf7b323cd690a5368894bb6b997e3cb288a2904b4c30a0c1723a9939de69d75

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    439b5e04ca18c7fb02cf406e6eb24167

                                    SHA1

                                    e0c5bb6216903934726e3570b7d63295b9d28987

                                    SHA256

                                    247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                    SHA512

                                    d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    a8e767fd33edd97d306efb6905f93252

                                    SHA1

                                    a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                    SHA256

                                    c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                    SHA512

                                    07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    8470823e4a488152cec4b1b55472cb29

                                    SHA1

                                    eb560d4e320216352de2632b3d74a508db2be290

                                    SHA256

                                    e72dd7b8579d0f5df73c6fcda37b697d7692182323b937bf715e29a02777458b

                                    SHA512

                                    9ebdd07729cec1b8b1f634353ec8b491d86bff2c1bdf5552cfb16ffd6fa7f9233f0305061c6b4dae6c08d2acf30cc26e97a97403cb76208f59a82f561f3f5690

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    57fcca5bfcf8600a46702bf829e2aebe

                                    SHA1

                                    02d87cf7f30934d22048912a7f13268c7ce15a20

                                    SHA256

                                    936d9f2c157a911d77a6c16c467fa7f9b63eaeadc196991eac04ab6a01f7382b

                                    SHA512

                                    30b9d0d39bfd611f406f5c3e45943c57006423dde3ba2124639edecc295767f069575bba4a7855a8c330806d4ec413aeaec6d307758336346a53a96e02fd9e14

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    11KB

                                    MD5

                                    ec98f7dcefb7193d2289932b6b0f073b

                                    SHA1

                                    705305b10e9492acea1bdd57b4647afe2980bd39

                                    SHA256

                                    2f8a1315dbbf85bab7e4c067dd17820fc4c8f95b5fd0a2c44cb366b2f3fd3389

                                    SHA512

                                    66b1f1ac5be88f56eac63a73d8378103ce872ac9edd5d52097259fe45bbaf03f384c7150117f703d151dba1086f5246d8b7ebe5f7942cb7c2492458b0ae0d5c0

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt

                                    Filesize

                                    75KB

                                    MD5

                                    742f16cd38d2ebe7db1f3d60a1d30464

                                    SHA1

                                    af48a95b3330fa6a76a015e7061191672061bce4

                                    SHA256

                                    1f6eb3e6a37b057a5d3d97c99101f89891050a318180078c13f00a0ab0160347

                                    SHA512

                                    60137f617160892de487ecd53f7d55e64b208a8132a674e04092859c9e4ae30d4beeb4c1af66607f948315c189acb6f32d29e0929d4e4b76573cf8efedcc2f17

                                  • C:\Windows\mhdxirutnwho.exe

                                    Filesize

                                    276KB

                                    MD5

                                    91f480971a54e41cf899c9bd0d7bb009

                                    SHA1

                                    150d74e9ba69d69dac4064c8966b3f192131d872

                                    SHA256

                                    a4754955412700a50ec0778aee21e500c6a0b64a5e82c472f87af87cfc7c9de6

                                    SHA512

                                    14f50fb4445f2c5409e434f8ab3166e610485c2d2d87bfb65782b5d81860176529d6aa914ed89f30c5d70ad88e0085d78a0c9aa719507e0960349eda0b115a5f

                                  • memory/1528-12-0x0000000000400000-0x00000000004CB000-memory.dmp

                                    Filesize

                                    812KB

                                  • memory/1640-13-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1640-6-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1640-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1640-3-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1640-2-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1940-0-0x0000000000560000-0x0000000000565000-memory.dmp

                                    Filesize

                                    20KB

                                  • memory/1940-4-0x0000000000560000-0x0000000000565000-memory.dmp

                                    Filesize

                                    20KB

                                  • memory/1940-1-0x0000000000560000-0x0000000000565000-memory.dmp

                                    Filesize

                                    20KB

                                  • memory/3492-18-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-6871-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-9755-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-10330-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-10331-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-10339-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-10340-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-4020-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-1806-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-375-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-24-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-22-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-21-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-19-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-17-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3492-10428-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB