Analysis

  • max time kernel
    136s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-06-2024 10:47

General

  • Target

    VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe

  • Size

    388KB

  • MD5

    27e887aa14f3890a72f06ec5d0759f20

  • SHA1

    8bacf22533725fd98c254c8eb6852edbe225a0ef

  • SHA256

    91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267

  • SHA512

    56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089

  • SSDEEP

    12288:LhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:F4DRw7325gPh

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+jexdc.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6246099CAC3E040
2. http://kkd47eh4hdjshb5t.angortra.at/6246099CAC3E040
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/6246099CAC3E040

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/6246099CAC3E040
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6246099CAC3E040
http://kkd47eh4hdjshb5t.angortra.at/6246099CAC3E040
http://ytrest84y5i456hghadefdsd.pontogrot.com/6246099CAC3E040
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6246099CAC3E040
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6246099CAC3E040

http://kkd47eh4hdjshb5t.angortra.at/6246099CAC3E040

http://ytrest84y5i456hghadefdsd.pontogrot.com/6246099CAC3E040

http://xlowfznrg4wf7dli.ONION/6246099CAC3E040
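
The URL list above is what an analyst lifts from the note by hand. The script below is an added example (not part of the sandbox report) that does the same extraction from the note text: it pulls every URL, normalises the Tor address (the note gives it both as `.onion` and `.ONION`, with no scheme), separates the payment pages from the reference links (Google Translate, Wikipedia, torproject.org) by the shared per-victim hex token in the path, and defangs the result for a report. The `NOTE` string is an excerpt transcribed from the extracted note, with line breaks added; the regexes and the rule "the victim ID is the hex path segment shared across hosts" are this example's assumptions, not anything the sandbox emits.

```python
"""Pull the network IoCs out of a TeslaCrypt ransom note and defang them.

Added example; NOTE is an excerpt transcribed from the extracted note on
this page (line breaks are ours), not output of the sample itself.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

NOTE = """\
NOT YOUR LANGUAGE? USE https://translate.google.com
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6246099CAC3E040
2. http://kkd47eh4hdjshb5t.angortra.at/6246099CAC3E040
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/6246099CAC3E040
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: xlowfznrg4wf7dli.onion/6246099CAC3E040
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6246099CAC3E040
"""

# Scheme is optional because the Tor address is given bare in the note.
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
# Assumption: the per-victim token is an upper-case hex path segment that the
# note repeats on every payment host (here 6246099CAC3E040).
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{12,}$")


def normalize(raw: str) -> str:
    """Add a scheme if missing and lower-case the host (.ONION == .onion)."""
    if "://" not in raw:
        raw = "http://" + raw
    p = urlsplit(raw)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def last_segment(url: str) -> str:
    return urlsplit(url).path.rsplit("/", 1)[-1]


def extract_iocs(note: str) -> dict:
    urls = []
    for m in URL_RE.finditer(note):
        u = normalize(m.group(0))
        if u not in urls:          # keep first-seen order, drop repeats
            urls.append(u)
    # The victim ID is the hex path token shared across the payment hosts.
    ids = Counter(last_segment(u) for u in urls if VICTIM_ID_RE.match(last_segment(u)))
    victim_id = ids.most_common(1)[0][0] if ids else None
    payment = [u for u in urls if victim_id and u.endswith("/" + victim_id)]
    return {
        "victim_id": victim_id,
        "payment_urls": payment,
        "tor_hosts": sorted({urlsplit(u).netloc for u in payment
                             if urlsplit(u).netloc.endswith(".onion")}),
        # Everything else is reference material the note links to, not C2.
        "reference_urls": [u for u in urls if u not in payment],
    }


def defang(url: str) -> str:
    """hxxp:// and [.] so the IoC cannot be clicked or auto-linked in a report."""
    p = urlsplit(url)
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"


if __name__ == "__main__":
    iocs = extract_iocs(NOTE)
    print("victim id:", iocs["victim_id"])
    for u in iocs["payment_urls"]:
        print("payment page:", defang(u))
    for u in iocs["reference_urls"]:
        print("reference   :", defang(u))
```

Only the four payment pages (three clearnet hosts and the hidden service) belong on a blocklist; the reference links are legitimate sites the note points victims at and would produce false positives if fed to a proxy filter unchecked.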

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family whose ransom note and UI imitated CryptoLocker. Shut down by its developers in 2016, who released the master key; files encrypted by this family are therefore generally recoverable with a public decryptor, whatever the note claims about RSA-4096.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (879) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. In a ransomware run this is more likely the encryption sweep touching files under the browser profile than credential theft.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
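
The signatures above are what the sandbox flags; the script below is an added example (not part of the sandbox report) showing how the same behaviours are detected from process-creation telemetry. `EVENTS` is transcribed from the process tree in the Processes section (parent PIDs inferred from the tree depth, the sandbox launcher's PID set to 0, Edge child processes omitted). The four rules cover shadow-copy deletion via WMIC, a process relaunching its own image (the hollowing pattern behind the SetThreadContext and WriteProcessMemory signatures), `cmd /c DEL` of the parent's own executable (self-deletion, including the 8.3 short names `VWIFGU~1.EXE` and `VIRUSS~1.EXE` seen in the tree), and notepad opening a ransom-note filename. The `vssadmin delete shadows` rule and the 8.3 short-name matching are this example's generalisations; the page only shows the WMIC form.

```python
"""Process-tree detection rules for the ransomware behaviours listed above.

Added example, not part of the sandbox report. EVENTS is transcribed from the
process tree on this page (parent PIDs inferred from tree depth; the sandbox
launcher's PID is unknown and set to 0; Edge child processes omitted).
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe"
DROPPED = r"C:\Windows\vwifgusttuex.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [
    ProcEvent(3304, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(804, 3304, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1768, 804, DROPPED, DROPPED),
    ProcEvent(2424, 1768, DROPPED, DROPPED),
    ProcEvent(2396, 2424, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    ProcEvent(4164, 2424, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    ProcEvent(744, 2424, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    ProcEvent(3636, 2424, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VWIFGU~1.EXE'),
    ProcEvent(4872, 804, CMD,
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE'),
]

# (image-name pattern, command-line pattern). The vssadmin form is added as a
# generalisation; this report only shows the WMIC form.
SHADOW_COPY_RULES = [
    (r"\\wmic\.exe$", r"shadowcopy\s+delete"),
    (r"\\vssadmin\.exe$", r"delete\s+shadows"),
]
NOTE_NAME_RE = re.compile(r"\b(recovery|readme|decrypt|restore)[^\s\\]*\.txt\b")
DEL_RE = re.compile(r"/c\s+del\s+(\S+)")
# Heuristic 8.3 short name: up to six leading characters, "~N", extension.
SHORT_NAME_RE = re.compile(r"^([^~]{1,6})~\d+(\.[^.]*)?$")


def refers_to(target: str, full_path: str) -> bool:
    """True if target names full_path, allowing an 8.3 short name (VWIFGU~1.EXE)."""
    t = ntpath.basename(target).lower()
    f = ntpath.basename(full_path).lower()
    if t == f:
        return True
    m = SHORT_NAME_RE.match(t)
    if not m:
        return False
    stem, ext = m.group(1), m.group(2) or ""
    f_stem, f_ext = ntpath.splitext(f)
    return f_stem.startswith(stem) and f_ext[:4] == ext


def detect(events):
    """Return (rule, pid) findings for the ransomware patterns on this page."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image, cmd = e.image.lower(), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        for image_re, cmd_re in SHADOW_COPY_RULES:
            if re.search(image_re, image) and re.search(cmd_re, cmd):
                findings.append(("shadow_copy_deletion", e.pid))
        # A process launching its own image again is the hollowing pattern
        # behind the SetThreadContext / WriteProcessMemory signatures.
        if parent and parent.image.lower() == image:
            findings.append(("self_spawn", e.pid))
        # cmd.exe deleting the executable of the process that spawned it.
        if image.endswith("\\cmd.exe") and parent:
            m = DEL_RE.search(cmd)
            if m and refers_to(m.group(1), parent.image):
                findings.append(("self_delete", e.pid))
        if image.endswith("\\notepad.exe") and NOTE_NAME_RE.search(cmd):
            findings.append(("ransom_note_opened", e.pid))
    return findings


def pids_for(findings, rule):
    return sorted(pid for r, pid in findings if r == rule)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:22s} pid={pid}")
```

The self-spawn and self-delete rules need the parent's image path, so they only work on telemetry that records it (Sysmon event 1 `ParentImage`, or a process tree as the sandbox keeps it); the shadow-copy rule works on the command line alone and is the one to deploy first.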

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_27e887aa14f3890a72f06ec5d0759f20.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\vwifgusttuex.exe
        C:\Windows\vwifgusttuex.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\vwifgusttuex.exe
          C:\Windows\vwifgusttuex.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2424
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:4164
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4732
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffefa0746f8,0x7ffefa074708,0x7ffefa074718
              6⤵
              PID:4296
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
              6⤵
              PID:4520
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
              6⤵
              PID:5028
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
              6⤵
              PID:4932
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
              6⤵
              PID:428
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
              6⤵
              PID:2012
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
              6⤵
              PID:892
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
              6⤵
              PID:2376
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
              6⤵
              PID:5108
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
              6⤵
              PID:3556
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
              6⤵
              PID:4748
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14518798759249502110,12721850753613331828,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
              6⤵
              PID:744
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:744
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VWIFGU~1.EXE
            5⤵
            PID:3636
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        3⤵
        PID:4872
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3644
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\Recovery+jexdc.html
    Filesize
    9KB
    MD5
    b0cd75a8561c9f6373a19c3483e7d939
    SHA1
    1d1150d325909cc713ef1bd08a86e9e38a5fd655
    SHA256
    e6927857cc07a37cbb000712f8b633345b584063c25fd398519e8108b3d169e5
    SHA512
    5f15632632747692b424c9eaecee9853000416ab53e81913f5b9535b6e4daae4a7138183c8e4fab3e7c16867097dff0f8f24d2aa34c80a9681d300c6febe10a1

  • C:\Program Files\7-Zip\Lang\Recovery+jexdc.png
    Filesize
    63KB
    MD5
    c949c6a5ae2daf6612ec6a2b847cdd68
    SHA1
    55cd6d34d7af9760843cf133b395e44887eaac51
    SHA256
    5704ec9b7a445174f7201f6c06bc5769b05ad7d8acfbda96f8618f2c4ec3be91
    SHA512
    d82c8393ab2828fa8418dd1131f45def36f416bd46ae507fbcdf337aca70dc361fbc73cacba7a22fca7c2929503d0e9e4dd57d580a16d6ecd38a4ce34e9d2761

  • C:\Program Files\7-Zip\Lang\Recovery+jexdc.txt
    Filesize
    1KB
    MD5
    4e0f7f1f2bbbb6b6eb23ef6abf756253
    SHA1
    82765cf82d9881da8313936a4725e5733bb4b035
    SHA256
    d352fab4554bbec60d45127fd9eda4a99be8c6ceaa24179245a78053b9e34b98
    SHA512
    ff1e3c3fb0c114ce60d856f263172b7668b00b3a0d8e93e32989ddea26a7eb22462f58127b0a1f36774b0f11fab86afc1ff5ea12feb3bc14716c57e6436c6109

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize
    560B
    MD5
    c2f709506c65f36e568d2c1c0a925d47
    SHA1
    b55936026da19ee5c5965bf8de1c3c0ec0215caa
    SHA256
    8a20746666bb54a1d75e9e0af9fc34d8104b034175ecac051575c852051d10fe
    SHA512
    97dbf38f1605c5cb4315faf0049a233fadbb00e84483b69aec17c0b05680a0b457aa1cb3aa3bab13a666ee7648cf2a5cb4f72717182e775db881baaf1f7e32a5

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize
    560B
    MD5
    d751d9b7f943cb3a6128044abcab14cc
    SHA1
    732587731c96b403be1786774ee48950f0afef4c
    SHA256
    e4f4c189ea976279fc5db207ebd0d06b7c931151b5d1d653bdaa0810bd8fd5c5
    SHA512
    b18c0dd20d1173ada8b60be12c38a935a8abf2728a9f15c394d1f6a534283b14ed50474f761e48bec7a03e910dce9b2811fe5517fa065fa2f287583ddd87a2e0

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize
    416B
    MD5
    faff4d1cfa9a79675279405362a5bead
    SHA1
    fab91084c2c91847a00dc7c7ba698f9849c99b57
    SHA256
    35861bd02ceac04134c3def8171dda295020fe4da3fc78541003d069f718624b
    SHA512
    2fb0633dd94fb95b63d4970c17e2f83ae3c28fdc2419d29b775bf52927021a31a28d846a5b5754c3e2eac4e16e244600c3d0d1fb588df047b37b82e70ea856c4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    87f7abeb82600e1e640b843ad50fe0a1
    SHA1
    045bbada3f23fc59941bf7d0210fb160cb78ae87
    SHA256
    b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
    SHA512
    ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    f61fa5143fe872d1d8f1e9f8dc6544f9
    SHA1
    df44bab94d7388fb38c63085ec4db80cfc5eb009
    SHA256
    284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
    SHA512
    971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    7f8b981376b47fa573699619ffc3b39d
    SHA1
    18960ac7f62dc6cdbb23d09f9c8560133d0a914e
    SHA256
    eb7f7d77a9f2d043776fbf86f201e69a741c4489521105623be11a0ccf1d7690
    SHA512
    ed3db9458df92dc2a5546aff001e96dd88b14cb73059c79ef1d1540060dbc11b840eb8f6882b58f2899dc0df8a1d1b44b7716e5ee71dd726f0a6ca05457f6208

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    03b2e4d0c991e949c840a01b8417e444
    SHA1
    3ee5bb5a3cf7830c2313fa302cf27e8a35635bff
    SHA256
    89abd59d0d52f3903b41c053620df3b2c1c158a7f83721dd3c27ba1bd360dd1c
    SHA512
    577c0d8fdf380cfbd3582e2c5709dc3586fce323bb5c7b0b3daca1e2ca646cfca5cf8125b82762ce49111d5199d732be8f4ff8dbc6b04678de20561a504288ea

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize
    16B
    MD5
    46295cac801e5d4857d09837238a6394
    SHA1
    44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256
    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512
    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize
    16B
    MD5
    206702161f94c5cd39fadd03f4014d98
    SHA1
    bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256
    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512
    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    10KB
    MD5
    2671e25a59c0c1a94cc783f967376aa0
    SHA1
    feb3c752e52bcc11c956feeee120c5073f23afb7
    SHA256
    4d470e57afa974b69ddebee341278061fec673fe2e0466e4ab64b5727981ea78
    SHA512
    f6d9524ba3fc4a8afa2a6c3c63a6f68f73514e2ed78089333736217d077142a1fbbe8646a241fbd64c909a92ab8c45c32dbff8d3f8dad20a46b5f36a9889dd22

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380552933791.txt
    Filesize
    47KB
    MD5
    8a149b5443b9bc923dfdac280902df84
    SHA1
    7bf208ecc94daf3a4a5d8bba900703a6b446b465
    SHA256
    00b98c3bc2e59fc4b8c17047a9b6401bc7882bc767e8ef74bb1e8d4030f40b4f
    SHA512
    1cec0dca30d44564ac7c97a3b9afafdd7163d30c129829b8457774f2e332600d5c9528eda84a189691507ac7450cd3f3c99a98ab9c0667cb5d16d639a8ccac2f

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596399960351113.txt
    Filesize
    75KB
    MD5
    226e9ed87af0d0aab28c8141ace8229b
    SHA1
    49e50a77a1acf30e0cade8e4d6863ad654794995
    SHA256
    b6cd50c6621e393df7a073b6db402544203e220b86a273f919c19d5e23634082
    SHA512
    81fd2f72a25fdd424fb73d51b27850298b5f777d9fc393a4df8a7bc872cc5d6cda3006d642772e9d2643ddd4eeadef25487005163de8fe30e13c8e0cf460acc8

  • C:\Windows\vwifgusttuex.exe (same hashes as the submitted sample: the dropped file is a byte-for-byte copy)
    Filesize
    388KB
    MD5
    27e887aa14f3890a72f06ec5d0759f20
    SHA1
    8bacf22533725fd98c254c8eb6852edbe225a0ef
    SHA256
    91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267
    SHA512
    56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089

  • memory/804-13-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/804-6-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/804-5-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/804-2-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/804-3-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/1768-12-0x0000000000400000-0x0000000000633000-memory.dmp
    Filesize
    2.2MB
  • memory/2424-17-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-5080-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-2634-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-410-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-8646-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-10374-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-10375-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-10383-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-10384-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-25-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-23-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-21-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-18-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-10423-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2424-19-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/3304-0-0x0000000000980000-0x0000000000983000-memory.dmp
    Filesize
    12KB
  • memory/3304-4-0x0000000000980000-0x0000000000983000-memory.dmp
    Filesize
    12KB
  • memory/3304-1-0x0000000000980000-0x0000000000983000-memory.dmp
    Filesize
    12KB