Analysis

  • max time kernel
    148s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-06-2024 11:38

General

  • Target

    VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe

  • Size

    356KB

  • MD5

    7bc8e9eb9f3d874764d2658b546abb61

  • SHA1

    40b7e79add5449ac8b11b20ddeb338437a0d17bb

  • SHA256

    d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb

  • SHA512

    2f633cfd7194a11aaa68b7d42a31e95700d908a5af4c40616427d78afd5bebf56f0a9233bcde1cd500540bf5d553e5320aed1876a42dc934d74e1de3f7a7439d

  • SSDEEP

    6144:NOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:NFeq0F+PzcOLyWRsHA93/oswe

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+nknrk.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C4A437FBE97B6FC
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C4A437FBE97B6FC
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/4C4A437FBE97B6FC
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/4C4A437FBE97B6FC
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C4A437FBE97B6FC
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C4A437FBE97B6FC
http://yyre45dbvn2nhbefbmh.begumvelic.at/4C4A437FBE97B6FC
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/4C4A437FBE97B6FC

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C4A437FBE97B6FC

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C4A437FBE97B6FC

http://yyre45dbvn2nhbefbmh.begumvelic.at/4C4A437FBE97B6FC

http://xlowfznrg4wf7dli.ONION/4C4A437FBE97B6FC

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (887) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (6 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoC)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\iecvlfeisylh.exe
        C:\Windows\iecvlfeisylh.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:516
        • C:\Windows\iecvlfeisylh.exe
          C:\Windows\iecvlfeisylh.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3908
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3928
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:516
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3420
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcda8746f8,0x7ffcda874708,0x7ffcda874718
              6⤵
              PID:4332
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
              6⤵
              PID:2756
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
              6⤵
              PID:4772
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
              6⤵
              PID:116
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
              6⤵
              PID:4140
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
              6⤵
              PID:4620
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
              6⤵
              PID:4792
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
              6⤵
              PID:3204
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
              6⤵
              PID:3056
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
              6⤵
              PID:2928
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
              6⤵
              PID:5076
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16565319024532934300,14347647662044545191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
              6⤵
              PID:2288
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4984
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IECVLF~1.EXE
            5⤵
            PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        3⤵
        PID:3720
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:220
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3644
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4248

Network

MITRE ATT&CK Enterprise v15

Downloads

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+nknrk.html

                                    Filesize

                                    12KB

                                    MD5

                                    dc565b9a3c50b2a2e02da2d28a3c54ee

                                    SHA1

                                    34f5b69711aba81ab59a78bb6aaef0c663572c79

                                    SHA256

                                    9c5dba622f5bd0a5baaa8ae1a561fea30801172c7a825483f6d0b193fba167bf

                                    SHA512

                                    d7ef9a14929827c725b82c11a995ea37aa70bcb3b26951bacd874e950eed6009a4f8afbb8530760c6cffd9e348b76c8a2c29d960c81d0c04e46c7bcbc8fa3a64

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+nknrk.png

                                    Filesize

                                    64KB

                                    MD5

                                    f932312b3cb746a5c80ef3f523607f20

                                    SHA1

                                    c428c85f98e79a6af210e1a6fbb83bb1e1e4258e

                                    SHA256

                                    7fa2fefff7a1f63ce500e770a7ae6f16624186daa9e54e0ad9c66579fd01ba40

                                    SHA512

                                    954f9495313585ee5b9b810df4f8992e05d0e499bd0669405994cfb736ede94027b660a916bb3e114dae0f221f99468e35c8b5b61dcba701a7501a81ab7131f1

                                  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+nknrk.txt

                                    Filesize

                                    1KB

                                    MD5

                                    0367120714a4881e8e7165479a1dfa8f

                                    SHA1

                                    52fab5bd03c4296923e01e7d616565afc7d576f0

                                    SHA256

                                    ed804b534a5d316b50068cb077ab8b43ef53a6911a6ba80f87b43c244c0e93a4

                                    SHA512

                                    1151f0ccc182ce81868088576aac2a73249b634bc32363e7e3951c1aeaf05001a69ee1a7559d9046d8e8bbed714898c62f935f5e9e892bcab2ba4d6615f9c672

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                    Filesize

                                    560B

                                    MD5

                                    c1d99c40796a985d817bd5a23a3c3bd8

                                    SHA1

                                    a91efb3b4dc207d6c4df41f27149a92dc6659442

                                    SHA256

                                    a9e917f8ec2030a248a711629ee751fb90257a3f683c7782987df3d15366f4c5

                                    SHA512

                                    694552d9a0497d80ccf356945815d7795d017973e850fa591d7adfe06e227e1edbd052837a4d74e68a43232fd08738ae278099650f8fc47540b6092b525dd4c9

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                    Filesize

                                    560B

                                    MD5

                                    6934f2968f8364b51537d1292a25773f

                                    SHA1

                                    3e9b8118b639f97b03a091a9a5d3906ad1e84a13

                                    SHA256

                                    22d38dab47514934244b3b9cdd4ad62dd1f7765d9e688154a22162a7fa193550

                                    SHA512

                                    facd9397404c2b4ad59042e44a8cdd8da9f34848d4e9296de4cd335a9f83411a4411d43905ec593e33206f4ac3a7bb1aeb31f6c272348c6886b4f15ec0dcd1fe

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                    Filesize

                                    416B

                                    MD5

                                    e06dd7af3d262480324430d57e83f9df

                                    SHA1

                                    7555a9799c33213d618497005455274e521a6557

                                    SHA256

                                    6983f57def8e4fe77b8904bd279f16b747a0e1cfa3f0b05d05a4b637c28bd9ab

                                    SHA512

                                    b5fffe7111f130f1f3af580898ca307e371b5ec071ee5a89fc904527a9874391721024642cf8820d9a404cc0697dd653226217c9fb2020eddf67826947ed86c6

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    4158365912175436289496136e7912c2

                                    SHA1

                                    813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

                                    SHA256

                                    354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

                                    SHA512

                                    74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    ce4c898f8fc7601e2fbc252fdadb5115

                                    SHA1

                                    01bf06badc5da353e539c7c07527d30dccc55a91

                                    SHA256

                                    bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

                                    SHA512

                                    80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    0418e949a0874f121896d96730737f11

                                    SHA1

                                    d3d709f858efd51a287d0fef3d4251a0bf7d16a5

                                    SHA256

                                    1f81cadae217aef0c9afd0d55ba2011b077cab493a647e60a06ebaf1c933fe38

                                    SHA512

                                    97d9c843b2a7d47c11f3c8d833d2c0150fb2af19642c3efb568b6384e8d261e3f081ddf4f5dbc9987b1a03c4bc1d8811405e7daa7d6d15f468b64e4b690dfc44

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    4bf2e3d65053bcac5a732a92be740bd0

                                    SHA1

                                    0cbcec2c111c91c2e040b166b0ee5165e83a533b

                                    SHA256

                                    c6a43d2b1214c4f760d23119a0c5702ccb3efb4f048f12301e81d2a719f326c4

                                    SHA512

                                    6e27e8dfde80c79948755cbbd0c50886561d7213039bb7192dc983621b1b308a1251f6c0933f3a4066c9c533d6e501b40e45396acd615019f83a019566d497dd

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    b937cc180b51c3b91c5282d84d62382a

                                    SHA1

                                    176299fb992756be25d7662538549030a98d5f6c

                                    SHA256

                                    1995e1413e6584507b33733a8d06c55d9d519f6ad22d48796feae299e0175499

                                    SHA512

                                    0d2002867b2b549bb02f577ebfaf5a5c89d2603099897e87466067be1eb2f7fe0cb5426aca424a739a3e66fb3bd5a3824203605b8bd1dd80aaa1d5392f6a8971

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440659070499.txt

                                    Filesize

                                    47KB

                                    MD5

                                    6e9ab041b1359652bd41f84405eff7a1

                                    SHA1

                                    44ffe4227e2f67942e9e5a61a86ddc2633aa290a

                                    SHA256

                                    19527430b3661527727920173dca392748bf75a60981fc931a06868283091b6d

                                    SHA512

                                    429bfef53fca213792c7dca325fdbeaee76e61d433c830831726c8128c15448a42e9230d71c059c09a233782ef0d6dcc35199b223d0855a6f745ffb12e5407a2

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449628541770.txt

                                    Filesize

                                    75KB

                                    MD5

                                    8bdd49a90fe255fe0f9eccc15ecba06e

                                    SHA1

                                    680249175f46e475de4f14aaf713690cc0bbf08c

                                    SHA256

                                    f4062207d3037d9cca53ee072dd0159dd188906353c8b92b3cded4cc69925f60

                                    SHA512

                                    8e41d9d88f9b5dead7a1e05ccf8c7a5d4b942772eb9423d0055bed6f1e9201f694988ab438ab809f6e427b45c69a33e7184f658633fd651c0336f4748124bc0a

                                  • C:\Windows\iecvlfeisylh.exe

                                    Filesize

                                    356KB

                                    MD5

                                    7bc8e9eb9f3d874764d2658b546abb61

                                    SHA1

                                    40b7e79add5449ac8b11b20ddeb338437a0d17bb

                                    SHA256

                                    d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb

                                    SHA512

                                    2f633cfd7194a11aaa68b7d42a31e95700d908a5af4c40616427d78afd5bebf56f0a9233bcde1cd500540bf5d553e5320aed1876a42dc934d74e1de3f7a7439d

                                  • \??\pipe\LOCAL\crashpad_3420_YDJVQUZZVTEZQGBK

                                    MD5

                                    d41d8cd98f00b204e9800998ecf8427e

                                    SHA1

                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                    SHA256

                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                    SHA512

                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                  • memory/516-12-0x0000000000400000-0x00000000004DF000-memory.dmp

                                    Filesize

                                    892KB

                                  • memory/612-13-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/612-6-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/612-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/612-3-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/612-2-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-17-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-2297-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-4666-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-244-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-8000-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-24-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-10387-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-10388-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-10396-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-10397-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-23-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-20-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-19-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-18-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/3908-10436-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/4440-0-0x0000000000630000-0x0000000000634000-memory.dmp

                                    Filesize

                                    16KB

                                  • memory/4440-4-0x0000000000630000-0x0000000000634000-memory.dmp

                                    Filesize

                                    16KB

                                  • memory/4440-1-0x0000000000630000-0x0000000000634000-memory.dmp

                                    Filesize

                                    16KB