Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-06-2024 10:44

General

  • Target
    VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
  • Size
    356KB
  • MD5
    1e096e7c6ffb32332933f693d00c6795
  • SHA1
    28e7f909cbc28ca3af8af503111c5fc9f42502b7
  • SHA256
    963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
  • SHA512
    8c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
  • SSDEEP
    6144:C94ZeMgE+D+G+33DpgPgRArNZltP8aLK9cdfdCWJATnKH92tIrWuZ/kE7eVmhgst:C94ZeMgE+D+G+33DpgPqArrltP839Yfj

Malware Config

Extracted

  • Path
    C:\Program Files\7-Zip\Lang\_ReCoVeRy_+txcic.txt
  • Family
    teslacrypt
  • Ransom Note
    NOT YOUR LANGUAGE? USE https://translate.google.com
    What happened to your files ?
    All of your files were protected by a strong encryption with RSA4096
    More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
    How did this happen ?
    !!! Specially for your PC was generated personal RSA4096 Key , both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D7F26DBDAA14AD73
    2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D7F26DBDAA14AD73
    3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/D7F26DBDAA14AD73
    If for some reasons the addresses are not available, follow these steps:
    1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2 - After a successful installation, run the browser
    3 - Type in the address bar: xlowfznrg4wf7dli.onion/D7F26DBDAA14AD73
    4 - Follow the instructions on the site
    IMPORTANT INFORMATION
    Your personal pages
    http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D7F26DBDAA14AD73
    http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D7F26DBDAA14AD73
    http://yyre45dbvn2nhbefbmh.begumvelic.at/D7F26DBDAA14AD73
    Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/D7F26DBDAA14AD73
  • URLs
    http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D7F26DBDAA14AD73
    http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D7F26DBDAA14AD73
    http://yyre45dbvn2nhbefbmh.begumvelic.at/D7F26DBDAA14AD73
    http://xlowfznrg4wf7dli.ONION/D7F26DBDAA14AD73

Signatures

  • TeslaCrypt, AlphaCrypt
    Ransomware based on CryptoLocker. Shut down by the developers in 2016.
  • Deletes shadow copies (3 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Renames multiple (863) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Drops startup file (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoC)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 2 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_1e096e7c6ffb32332933f693d00c6795.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_1e096e7c6ffb32332933f693d00c6795.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\jomlxmceysda.exe
        C:\Windows\jomlxmceysda.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\jomlxmceysda.exe
          C:\Windows\jomlxmceysda.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3992
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1964
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:4032
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa4a7d46f8,0x7ffa4a7d4708,0x7ffa4a7d4718
              6⤵
              PID:2028
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
              6⤵
              PID:3468
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
              6⤵
              PID:2964
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
              6⤵
              PID:920
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
              6⤵
              PID:3112
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
              6⤵
              PID:4476
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
              6⤵
              PID:4036
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
              6⤵
              PID:1960
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
              6⤵
              PID:3284
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
              6⤵
              PID:1392
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
              6⤵
              PID:412
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,554005981276194745,17837298162481117558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
              6⤵
              PID:220
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3092
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JOMLXM~1.EXE
            5⤵
            PID:4968
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        3⤵
        PID:1828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4108
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4664
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4536

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+txcic.html
    Filesize: 12KB
    MD5: 83b1bb6ed02da8c4b3ad62bb71f0b175
    SHA1: 83ee873b825f1550abd718314dc837df42af037e
    SHA256: ce0d73b2b76e701cb7074b2dfe067fa68734a58df1f8081614e353ac3fe2a612
    SHA512: 7f81541447a4d2cb9f0e01d719b9f00f6a6b98760a09866aae5891bd45ba6e0d727e26d52ce64c197ab40f4cb9a932b7cf780335cd749964ad2cb5128411d3e1
  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+txcic.png
    Filesize: 64KB
    MD5: c6800ce36d95b4b3f80b1d015c8e82ca
    SHA1: a740e0a2cb623ae87df8b400115cff6d88604505
    SHA256: e041b837df8c9a0eb75aa8f167572436deac53767ba617f30e2b871149acbacb
    SHA512: 7dbb72bcbb10b5beb8ec9ef225148dacdde3393fd26311b6eaeda0a2101e1e8dd92a93f366111c62c73a94e75ef8c1029872e21cb5b0c9b1c1499434f43da346
  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+txcic.txt
    Filesize: 1KB
    MD5: f990023fa760df4628224357ddd5e5fd
    SHA1: eaedd6bcef5c34d6930b8c901bb6fa594e033256
    SHA256: ec09d9d95e1d5518b647c2e26d1c082a77a57908903d8e260b1ebd0008a60856
    SHA512: b1ff04d5f275dd007f5c7c7d0133381fa0eb2401ec0864d001065494e9481b99590761d978a7afed851c0053d0b3e7305ac1b6d2d2986b199c10a2da2c81fa20
  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize: 560B
    MD5: 2b7832b805a8566b720c79fb88968acc
    SHA1: 24ca16b1520559a42191355b3ef21fe86c0eb24f
    SHA256: 7899d7a77ef583884d082b003852d9d9ab9029580e920e039d070b0f0ee0a550
    SHA512: 24bdbe2db4f48c7a83418e6c3a406fb6ed2fb4de26b9456ea10c4240bc84fb4164ffc617f3f25435c1cba5f6a809ee207ad87b3996c6bc6cda35b35a2f8905df
  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize: 560B
    MD5: 89ad57e96f831966b8ac9dcf9a14309f
    SHA1: 6d0901c41bbdbcded50ba7040d33c43e7742eaa7
    SHA256: fea217b66b7d94fcca9e47094b2e6c8dfacebfe72864ffd1b9a9a4c5df198f7d
    SHA512: 361bac852d15b666fbb7ff9ca7249bb18628c9dcb49f59afa15c50b9564840476d5412930bcb282263f27a3ec5117b0e0c8630db8d78b4e5c9458e2b86191595
  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize: 416B
    MD5: 5eb018e52bff012a578c39c741f9066f
    SHA1: 482824d45ec42db919475417fb4df560b0658f89
    SHA256: ae9ce0ee232a7154e3e654d8a7ca49e30bc1d2ca2657c107aa0173d892656d08
    SHA512: a8bb111b0e96b07558b5a92e09fccc68354026408d1b037647267f46101c66e671eadce74588376ac971dde93aab0fd9825650ce68c18e520353f70e6ac80d55
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: ecdc2754d7d2ae862272153aa9b9ca6e
    SHA1: c19bed1c6e1c998b9fa93298639ad7961339147d
    SHA256: a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
    SHA512: cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 2daa93382bba07cbc40af372d30ec576
    SHA1: c5e709dc3e2e4df2ff841fbde3e30170e7428a94
    SHA256: 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
    SHA512: 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: ee06efd0f3597e237cbc6a1c67ce423a
    SHA1: c1e14dd09c9b768956cc441d7f366326ea1d5f49
    SHA256: f62c0cf4df6da0c01e19ad7e681af81c2910d47ec2f2ff876dc30a6dc337056d
    SHA512: 0a45a34a142ad416b7cfa37d859dcd1eb9d46f601f485bf73b1d69e2ef4a201f8977c583f729a3fe6dab9fd1c534f72004790646edd411d809b519dddde1e13d
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: fa512896a4606d7307202f6ed604c3a1
    SHA1: b6d472ab2ed63a0dfad56e0ff50f3d2edfb95a1a
    SHA256: 66c22e5a714e70edb694a9195482b11ec09a933ee09daa6abb01e9942da91a05
    SHA512: 6eaf83458ed814d3fa95ee239005e1824756806fd3aa239edec1112d208738e1df5498da708e4f0c6bf3cd9b45fee5d084d513163288d02fac6aca78c030267c
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 5e0aad4e49d4113a218d3a8e198f9d9f
    SHA1: b680ccb9e7a492bf122d83aacc3cfccaded2ea70
    SHA256: b77a4d5d9082a1d7c4fb11370daae09754bbd3bae886145b16b7e02e27d90d8f
    SHA512: b02ecabf502184885b31fd3e11ee8d310ec326a6fcdda1a9e44f43bdbef639aac03f590033515ddd9b4f65d934ee7dbddfe129cc6cb9dac24e9c251d901b7b8d
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586130303836659.txt
    Filesize: 75KB
    MD5: 0f119a338d2dc1991040df485fc1d46c
    SHA1: 500875642ad939e69719c09d71eae098dec73555
    SHA256: e076bc2626c6565d92a3a944fa26df4966bda057e59c5dc603f64d5f9789ecd1
    SHA512: 71851a2e44056c180ca80399026126a7c871145d11fa71cb43c8a88c9eea12a455a246dad8be1081d19e1e6a66aa2469e7eb774a0e2768f8dd7cc944277defc4
  • C:\Windows\jomlxmceysda.exe
    Filesize: 356KB
    MD5: 1e096e7c6ffb32332933f693d00c6795
    SHA1: 28e7f909cbc28ca3af8af503111c5fc9f42502b7
    SHA256: 963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
    SHA512: 8c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
  • \??\pipe\LOCAL\crashpad_3712_DFSYDQWJJHDMIXZV
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  • memory/1096-12-0x0000000000400000-0x00000000004DF000-memory.dmp
    Filesize: 892KB
  • memory/3992-10412-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-2491-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-24-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-350-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-21-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-20-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-19-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-25-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-4966-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-18-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-8084-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-10466-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-10413-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-10421-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/3992-10424-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/4468-6-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/4468-15-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/4468-5-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/4468-4-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/4468-2-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB
  • memory/4748-0-0x00000000020F0000-0x00000000020F4000-memory.dmp
    Filesize: 16KB
  • memory/4748-3-0x00000000020F0000-0x00000000020F4000-memory.dmp
    Filesize: 16KB
  • memory/4748-1-0x00000000020F0000-0x00000000020F4000-memory.dmp
    Filesize: 16KB