e0aea54912d5f4e793d03303151a5d83b2d9c818b5ce8fa6ea3f609a3273114e

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe
Size

222KB
MD5

41fb9932be35e9e5ea61d74f8517c748
SHA1

69330b95b02db41a23198f164af47a151556e863
SHA256

e0aea54912d5f4e793d03303151a5d83b2d9c818b5ce8fa6ea3f609a3273114e
SHA512

c46c433a4cd5bd52ccf23a0d9ff705d1a8eaa123adae5b71f6f9a18a13281850af954850a074c45157dad352b0cce27b3ef6ac905d603344d3e4d86cd0b3aebc
SSDEEP

6144:FiIqk2kmqtVqu1S0IaQsG8c6Ty9Av4DObk:FLqzkvBSJ+G8XySgaI

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\Common Files\DESIGNER\-!RecOveR!-rmooc++.Txt

Ransom Note

448)2=(,>$5);(>4(#*03'(2#1&/9?0 ----- 448)2=(,>$5);(>4(#*03'(2#1&/9?0 448)2=(,>$5);(>4(#*03'(2#1&/9?0 ------- 448)2=(,>$5);(>4(#*03'(2#1&/9?0 NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? 448)2=(,>$5);(>4(#*03'(2#1&/9?0 ------- 448)2=(,>$5);(>4(#*03'(2#1&/9?0 It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help . What exactly happened to your files ??? *** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key , which you received over the web . *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. 448)2=(,>$5);(>4(#*03'(2#1&/9?0 ----- 448)2=(,>$5);(>4(#*03'(2#1&/9?0 What should you do next ? There are several options for you to consider : *** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or *** You can start getting BitCoins right now and get access to your data quite fast . In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://74bfc.flubspiel.com/8CEBE358D35D2297 http://ibf4d.ukegaub.at/8CEBE358D35D2297 http://k3cxd.pileanoted.com/8CEBE358D35D2297 If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Install TOR Browser, run TOR Browser *** Insert link in the address bar: xzjvzkgjxebzreap.onion/8CEBE358D35D2297 448)2=(,>$5);(>4(#*03'(2#1&/9?0 448)2=(,>$5);(>4(#*03'(2#1&/9?0 448)2=(,>$5);(>4(#*03'(2#1&/9?0 ***************IMPORTANT*****************INFORMATION******************** Your personal homepages http://74bfc.flubspiel.com/8CEBE358D35D2297 http://ibf4d.ukegaub.at/8CEBE358D35D2297 http://k3cxd.pileanoted.com/8CEBE358D35D2297 Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/8CEBE358D35D2297 Your personal ID 8CEBE358D35D2297 448)2=(,>$5);(>4(#*03'(2#1&/9?0 448)2=(,>$5);(>4(#*03'(2#1&/9?0 448)2=(,>$5);(>4(#*03'(2#1&/9?0

URLs

http://74bfc.flubspiel.com/8CEBE358D35D2297

http://ibf4d.ukegaub.at/8CEBE358D35D2297

http://k3cxd.pileanoted.com/8CEBE358D35D2297

http://xzjvzkgjxebzreap.onion/8CEBE358D35D2297

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	gexyupsyxgpk.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\-!RecOveR!-rmooc++.Htm	gexyupsyxgpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\-!RecOveR!-rmooc++.Htm	gexyupsyxgpk.exe

Executes dropped EXE 1 IoCs

pid	Process
4480	gexyupsyxgpk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bssimgtkdbtj = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\Documents\\gexyupsyxgpk.exe\""	gexyupsyxgpk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-100.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-20_altform-unplated.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-100.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_altform-lightunplated.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-unplated.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-100.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\-!RecOveR!-rmooc++.Htm	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-unplated_contrast-black.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-30_altform-unplated.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-unplated.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.scale-200.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\-!RecOveR!-rmooc++.Htm	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-100.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-lightunplated.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_contrast-white.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-40.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-150.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fr.pak	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\30.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-200.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Sticker.mp4	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\dotnet\swidtag\-!RecOveR!-rmooc++.Htm	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\firstrun\startup_background.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-20_contrast-black.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-125.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\MedTile.scale-100.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\CottonCandy.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-white.png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\-!RecOveR!-rmooc++.Htm	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\-!RecOveR!-rmooc++.Png	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\-!RecOveR!-rmooc++.Txt	gexyupsyxgpk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
444	vssadmin.exe
312	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	gexyupsyxgpk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe
4480	gexyupsyxgpk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	gexyupsyxgpk.exe
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4480	2108	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	80
PID 2108 wrote to memory of 4480	2108	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	80
PID 2108 wrote to memory of 4480	2108	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	80
PID 2108 wrote to memory of 1772	2108	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	81
PID 2108 wrote to memory of 1772	2108	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	81
PID 2108 wrote to memory of 1772	2108	VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe	81
PID 4480 wrote to memory of 312	4480	gexyupsyxgpk.exe	87
PID 4480 wrote to memory of 312	4480	gexyupsyxgpk.exe	87
PID 4480 wrote to memory of 3820	4480	gexyupsyxgpk.exe	96
PID 4480 wrote to memory of 3820	4480	gexyupsyxgpk.exe	96
PID 4480 wrote to memory of 3820	4480	gexyupsyxgpk.exe	96
PID 4480 wrote to memory of 288	4480	gexyupsyxgpk.exe	97
PID 4480 wrote to memory of 288	4480	gexyupsyxgpk.exe	97
PID 288 wrote to memory of 4400	288	msedge.exe	98
PID 288 wrote to memory of 4400	288	msedge.exe	98
PID 4480 wrote to memory of 444	4480	gexyupsyxgpk.exe	99
PID 4480 wrote to memory of 444	4480	gexyupsyxgpk.exe	99
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 4360	288	msedge.exe	101
PID 288 wrote to memory of 3524	288	msedge.exe	102
PID 288 wrote to memory of 3524	288	msedge.exe	102
PID 288 wrote to memory of 4104	288	msedge.exe	103
PID 288 wrote to memory of 4104	288	msedge.exe	103
PID 288 wrote to memory of 4104	288	msedge.exe	103
PID 288 wrote to memory of 4104	288	msedge.exe	103
PID 288 wrote to memory of 4104	288	msedge.exe	103

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gexyupsyxgpk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gexyupsyxgpk.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_41fb9932be35e9e5ea61d74f8517c748.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\Documents\gexyupsyxgpk.exe
  C:\Users\Admin\Documents\gexyupsyxgpk.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4480
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" Delete Shadows /For=C: /quiet
    3⤵
    - Interacts with shadow copies
    PID:312
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\-!RecOveR!-rmooc++.Txt
    3⤵
    PID:3820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\-!RecOveR!-rmooc++.Htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4dd646f8,0x7ffd4dd64708,0x7ffd4dd64718
      4⤵
      PID:4400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      PID:3524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:3496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
      4⤵
      PID:924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
      4⤵
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
      4⤵
      PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17261845280252633259,11993254594812879600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
      4⤵
      PID:4028
- - C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" Delete Shadows /For=C: /quiet
    3⤵
    - Interacts with shadow copies
    PID:444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\GEXYUP~1.EXE >> NUL
    3⤵
    PID:4576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
  2⤵
  PID:1772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\DESIGNER\-!RecOveR!-rmooc++.Htm

Filesize
11KB

MD5
cfc29f5dc3dca90e3a6b5db8c5587acc

SHA1
84a9a6f68c8e3abab8a17a3a994c6180f49ba338

SHA256
961b4b8e1f592423172d9951af9b1a1866c7d38d98f72dee9ccb300558370a97

SHA512
4432576c30c4a50b7df8d7964a2ce2de76276c48fb6ebc63f44e06064dca5b6f6a4f3e18b3f3537a23f2f7236e99e52ac741d91bc43567b4a94cd43a92f3498e

Download Submit
C:\Program Files\Common Files\DESIGNER\-!RecOveR!-rmooc++.Png

Filesize
86KB

MD5
2ea730488b82c0ec0e5064c2f640abb4

SHA1
967403fcc298da7f4b2851bb75318a345e3c92ec

SHA256
149b8363ddf67d2dc7af26ffe4baeb066cfdaf8ad48188a30d3560dd287cea68

SHA512
948a3e5f3ae9cbed2ef64e4d3da71a11faf3872b9a83b3308d0ad27aa6b26041cd70fae39d5f892cafae6b1ffc317fd843560f03a64ab297c9018423c5940c41

Download Submit
C:\Program Files\Common Files\DESIGNER\-!RecOveR!-rmooc++.Txt

Filesize
2KB

MD5
995c3b68976f227e8ecef749935e2079

SHA1
ab17ae7736a12d8a46a63bdccc071e531e761c59

SHA256
6e803fc1b47376b10db149622193dd6e0f52b910b1cf3859671312f11f5f26b0

SHA512
12b9fb024912f22518f081ed21fa45dece3ddc58df10a5951a8566b6430a2fd976c4d62c913c19261a121f79400bb68228735d4d96ea1ea6665a573d9102e5e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79d4cfd10834b289a9eee1b3b4fb17ed

SHA1
056704e22dade1d70e119204822fca05bf755ffc

SHA256
f58be4b8a5f3968d56a2ca87a9a24b693f88d379acb9565eefa7b426b484d5a0

SHA512
574f9fccf2b63399fee002ea964ab4a06738f12c4329e5a9c14d0fdf1e482ff4462bf9c0b0f0e7e8aed51f75725039f139b0ed6a2e5734d080b4c428fe9fcc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
35e661a7a2b69cbf49c40dbfdf9d8ddd

SHA1
7708f55e9c460b85ef3217808dca2709bc74692c

SHA256
0b5c26fa06265527f579d1e67bf25422d9b8bacb735453450105807b960478b4

SHA512
ccfcd86798a26e47c4904a823f1fa7ce11977fab332df01ea255cd135ed02892df5e4ba395bdb7da6285ce79079f289ef5d15c5a55473bef0fa4045a009f78c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
950046a5aafbd1d3c16c8ab3f169805b

SHA1
36430712393db5af8563e36114ff0c0dae23edf9

SHA256
46f6198c063cb34de95b28bc2ab2c247da5eed94215cfcc290eefc5552a127ef

SHA512
0aafd97f9061150f84d8f160758a594bf723a01d905f182475c3f44b454cff4c82746c45d4d3f4f0e4f1f5e6c77d35518005b8437352ad25d864dffd66834cbd

Download Submit
C:\Users\Admin\Documents\gexyupsyxgpk.exe

Filesize
222KB

MD5
41fb9932be35e9e5ea61d74f8517c748

SHA1
69330b95b02db41a23198f164af47a151556e863

SHA256
e0aea54912d5f4e793d03303151a5d83b2d9c818b5ce8fa6ea3f609a3273114e

SHA512
c46c433a4cd5bd52ccf23a0d9ff705d1a8eaa123adae5b71f6f9a18a13281850af954850a074c45157dad352b0cce27b3ef6ac905d603344d3e4d86cd0b3aebc

Download Submit
memory/2108-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2108-12-0x0000000074BB0000-0x0000000074BE9000-memory.dmp

Filesize
228KB

Download
memory/2108-11-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2108-3-0x0000000074BB0000-0x0000000074BE9000-memory.dmp

Filesize
228KB

Download
memory/2108-2-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4480-13-0x0000000074BB0000-0x0000000074BE9000-memory.dmp

Filesize
228KB

Download
memory/4480-9468-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4480-9345-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4480-6137-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4480-9530-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4480-9531-0x0000000074BB0000-0x0000000074BE9000-memory.dmp

Filesize
228KB

Download
memory/4480-3506-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4480-1287-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download