Overview

overview

10

Static

static

3

VirusShare...0e.exe

windows7-x64

10

VirusShare...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-06-2024 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_2b15e8b996a5e439f4bb7c9e98a2ae0e.exe

  • Size

    388KB

  • MD5

    2b15e8b996a5e439f4bb7c9e98a2ae0e

  • SHA1

    a8dd6a2388e0e75add58a86bc0b72448e969e7c5

  • SHA256

    0349b7b5d9d720f8c454b69716f21346967bfff297ac2f6ceec40ce80747054d

  • SHA512

    ed6e2b79df27034d2f72230db1b3c83ed1d5acdc6cdae3ce9ce456884f682a18cfe6995b7169cb6c7cca668d662d0e72b6bd971799de5e5e0e280df3d089e1d3

  • SSDEEP

    12288:z+QA5i2ipjoMARxOJ7dLQsNeqKLGrDh/:CngLpjoMARxOJJsLLG5/

Score
10/10
teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+ldpqo.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/885F76C14C9A598 2. http://kkd47eh4hdjshb5t.angortra.at/885F76C14C9A598 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/885F76C14C9A598 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/885F76C14C9A598 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/885F76C14C9A598 http://kkd47eh4hdjshb5t.angortra.at/885F76C14C9A598 http://ytrest84y5i456hghadefdsd.pontogrot.com/885F76C14C9A598 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/885F76C14C9A598
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/885F76C14C9A598

http://kkd47eh4hdjshb5t.angortra.at/885F76C14C9A598

http://ytrest84y5i456hghadefdsd.pontogrot.com/885F76C14C9A598

http://xlowfznrg4wf7dli.ONION/885F76C14C9A598

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (885) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_2b15e8b996a5e439f4bb7c9e98a2ae0e.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_2b15e8b996a5e439f4bb7c9e98a2ae0e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_2b15e8b996a5e439f4bb7c9e98a2ae0e.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_2b15e8b996a5e439f4bb7c9e98a2ae0e.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\igusttuexyfj.exe
        C:\Windows\igusttuexyfj.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Windows\igusttuexyfj.exe
          C:\Windows\igusttuexyfj.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2144
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3224
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:3556
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1184
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fff5f4346f8,0x7fff5f434708,0x7fff5f434718
              6⤵
                PID:1660
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 /prefetch:2
                6⤵
                  PID:4724
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
                  6⤵
                    PID:804
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
                    6⤵
                      PID:3536
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
                      6⤵
                        PID:4400
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                        6⤵
                          PID:2416
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
                          6⤵
                            PID:4712
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
                            6⤵
                              PID:4548
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
                              6⤵
                                PID:3740
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
                                6⤵
                                  PID:3972
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
                                  6⤵
                                    PID:3136
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2312,5805897534976457119,13018030228590979318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                                    6⤵
                                      PID:2148
                                  • C:\Windows\System32\wbem\WMIC.exe
                                    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
                                    5⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3652
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IGUSTT~1.EXE
                                    5⤵
                                      PID:4616
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
                                  3⤵
                                    PID:3096
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1852
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4100

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Program Files\7-Zip\Lang\Recovery+ldpqo.html
                                    Filesize

                                    9KB

                                    MD5

                                    a719e22b252ba3ad45bd62a600dac588

                                    SHA1

                                    dc539a7b68eb3d8c1c6843269a4855e207467ff4

                                    SHA256

                                    94f58696591caeb9800fc31162d72f7a879a794739461e756c628b12fd04ef72

                                    SHA512

                                    6774dd10e97fdf6fa5e17a001416fc45534fdcbc6e345490b774b78aa7fc72cce9c310e6f7e1923ac37b7cfada250f6f99a84b6b04b96bea570c7df4f25e60c8

                                    Download Submit

                                  • C:\Program Files\7-Zip\Lang\Recovery+ldpqo.png
                                    Filesize

                                    63KB

                                    MD5

                                    72a2acd1ca6c9d918ee8e3548e56edd3

                                    SHA1

                                    d22a92de0162e669c66fad2bc0b3dab79f5f9cb2

                                    SHA256

                                    063c06df6e14db0bbba413c058b264a4fddf35a6798a35ebf18424a2e28853c6

                                    SHA512

                                    e270430c285e2043bd29f88da47dc0e98def5146b679c91709bf78b7f395ce51ffcffbb771528d22c4edcd38564ca493d0749d5bc59d8d4db74b831ef4f90e40

                                    Download Submit

                                  • C:\Program Files\7-Zip\Lang\Recovery+ldpqo.txt
                                    Filesize

                                    1KB

                                    MD5

                                    c7336502ca5768e3776510f4cca7a59a

                                    SHA1

                                    ad6e1ec6e89bb43b415755aea0040d3c00d150e3

                                    SHA256

                                    e2b2cff35c845de023d980d1091717e625a3c8b8b99250fd2c0333acd7addbe0

                                    SHA512

                                    f6fa7e1c3905adbee7a4919dee573aab91027b15e80e6cec0e7c5e462d47e2e1dbf11667c964a796d9f0f783bb300f8f00ca5c743f05d29683772d1670816a42

                                    Download Submit

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
                                    Filesize

                                    560B

                                    MD5

                                    cf725135666afdb70dda5e85ac28df70

                                    SHA1

                                    67286f8c0e10a8bb9a5777b261bef45609f68f03

                                    SHA256

                                    5252ec5edb52e196f12942f5dd4f65f90fddec4ecde041e43d36727613f55dfb

                                    SHA512

                                    86e996235891de4b9f33221c4e146376487c732ef25b465c137f0ce9d15289c628032635b9b93b9fb2d4ae859f2c7225f199aab4b334e8d7569387f65e771f15

                                    Download Submit

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
                                    Filesize

                                    560B

                                    MD5

                                    4a47b437f35b13902a6759dda8d44458

                                    SHA1

                                    329fa448b1d8673d083455248dc68ca3d2c64193

                                    SHA256

                                    7f8edc3d3219b68913c7d1af4c787699e3ad9bdc953a3bf1d5c53e6ca61a2c91

                                    SHA512

                                    4af4b0c28e0a0e6ed726380316c56b1d9906a84f757672b585a0d853ae69043da37b134529b47f2b034b17f9ab982d9d4e78074adab06281522776ea6a611f72

                                    Download Submit

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
                                    Filesize

                                    416B

                                    MD5

                                    6bbe7aa43a182a8c88ceb232a4a48eda

                                    SHA1

                                    38dff5cc72d3d0f7c4403ad2a844024b23156892

                                    SHA256

                                    58c0a1c9d8cd98fdefca1ae7e8d856bf2c99cc513cdb73eb044e4ca361a14c91

                                    SHA512

                                    6b0c38a8d1648f4c85e396b621b934cb7db1cad5e00034373802a5670eb1e3f416f74a18b463377e962b642d8569f269c3ee4737b8ed61f31ff3c9b9e9450c6b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    87f7abeb82600e1e640b843ad50fe0a1

                                    SHA1

                                    045bbada3f23fc59941bf7d0210fb160cb78ae87

                                    SHA256

                                    b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

                                    SHA512

                                    ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    f61fa5143fe872d1d8f1e9f8dc6544f9

                                    SHA1

                                    df44bab94d7388fb38c63085ec4db80cfc5eb009

                                    SHA256

                                    284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

                                    SHA512

                                    971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    5KB

                                    MD5

                                    72cb7361eb4ce936e0592019a438be57

                                    SHA1

                                    1eb2a332944d1e1a1fa34d210f5ed12c0c2bc2de

                                    SHA256

                                    37dfa902d1eb722ae32ccfb4b96579df4942de40f3868c32597ce646c101714b

                                    SHA512

                                    219f04412d405a762e0d32ca84c87149eecb50ac75fc03188df808b30d71bf3c8c8588a5df436b52acf6be7d9b09e3279c17705db2fab1d2c9d1fd9414dd264e

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    f93aebfb413ed14013b940e65fec9a79

                                    SHA1

                                    921d68c1205164dbd73b2171342239394e3cc98a

                                    SHA256

                                    fc55a5503a979b3ba182e76f3da778a6bc69ab56bcd791dbd634a1663b7559ed

                                    SHA512

                                    326803df64035670d132630d23f4695a574549f4906b8640af644b23dd2d755f78ac4e636df6bc0aed34a1dc9d3c31599b0f78a9091ab2911dd67c30a998f1ce

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    10KB

                                    MD5

                                    4366f20d5c75ff6c6deb167e9bcfa605

                                    SHA1

                                    f48483d9465d533b42e0d0358f53cb81bd5a2720

                                    SHA256

                                    569171b2fbb53318a5b5adfcd228851a7d82711c6c4f88199673b9cd6ae14e6b

                                    SHA512

                                    5d556822c3f1c629abf18d2be9c91b4bed1a82892543ec43c87d29186d5222b3c25e93687376f99da74a5e2a9bd4d14d2ae059e2d710218e255fc4c38f50429a

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380552933791.txt
                                    Filesize

                                    47KB

                                    MD5

                                    81a4a480fdc7f95da9559c404d10bef6

                                    SHA1

                                    75288599bfb51a9a16dee9e1858fdf0efb634921

                                    SHA256

                                    4d51f05c258ad4169e2b5bfaa8f7ead296551ed812fc71ead91f983a3af31ff7

                                    SHA512

                                    10f73064a105a52c9e706b0091bc297583a2a1bf8ab07e176db26387e098a431d169f7b4f437e881d97285e7340d6d3481dc7cdcc24c8c6ee852aca9aab24d88

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596419010217437.txt
                                    Filesize

                                    75KB

                                    MD5

                                    6b6049193645703f8cd433df4ea21474

                                    SHA1

                                    18da325cd0c370ceb25dc283f5fc1cc7a9cbb12a

                                    SHA256

                                    2f32c9c8fbbcc638cf9be61f67a72f62cceaf1da09db8523a1be427dbac9ecff

                                    SHA512

                                    193d8d94b2a0269aa493d1f3dcb79cfc18b25c9bfb86c6a622197f97eeae5a4946723d85017fec6bc62c7718c94a54734f663f67f37c4d2fd62bada6e3585b08

                                    Download Submit

                                  • C:\Windows\igusttuexyfj.exe
                                    Filesize

                                    388KB

                                    MD5

                                    2b15e8b996a5e439f4bb7c9e98a2ae0e

                                    SHA1

                                    a8dd6a2388e0e75add58a86bc0b72448e969e7c5

                                    SHA256

                                    0349b7b5d9d720f8c454b69716f21346967bfff297ac2f6ceec40ce80747054d

                                    SHA512

                                    ed6e2b79df27034d2f72230db1b3c83ed1d5acdc6cdae3ce9ce456884f682a18cfe6995b7169cb6c7cca668d662d0e72b6bd971799de5e5e0e280df3d089e1d3

                                    Download Submit

                                  • \??\pipe\LOCAL\crashpad_1184_DKJILTGUYVSGZRBZ
                                    MD5

                                    d41d8cd98f00b204e9800998ecf8427e

                                    SHA1

                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                    SHA256

                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                    SHA512

                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                    Download Submit

                                  • memory/1188-0-0x00000000006C0000-0x00000000006C3000-memory.dmp

                                    Filesize

                                    12KB

                                    Download

                                  • memory/1188-4-0x00000000006C0000-0x00000000006C3000-memory.dmp

                                    Filesize

                                    12KB

                                    Download

                                  • memory/1188-1-0x00000000006C0000-0x00000000006C3000-memory.dmp

                                    Filesize

                                    12KB

                                    Download

                                  • memory/2144-18-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-10398-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-24-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-22-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-2885-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-5769-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-20-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-17-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-9507-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-10389-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-10390-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-267-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-10399-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-19-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2144-10438-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2876-6-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2876-13-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2876-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2876-3-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/2876-2-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                    Download

                                  • memory/4688-12-0x0000000000400000-0x00000000004FC000-memory.dmp

                                    Filesize

                                    1008KB

                                    Download