Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-06-2024 11:37

General

  • Target

    VirusShare_57b2a1db98a792e2498b6ba5344deb90.exe

  • Size

    344KB

  • MD5

    57b2a1db98a792e2498b6ba5344deb90

  • SHA1

    b8a75d237c860f0128eae5adeb7e76f41233fc36

  • SHA256

    6950d9f5794147161a7628aedcea38671ee33148580e015cf973f6a86c158d15

  • SHA512

    36ebdbc0b27025e9bcc0edbe0cb9b40f2f4f4bbc1582d8e94e42d399a474d45227789d158b7d991fd04424188429fbc00fcf9db06922e3e8abf1506c4aa6d729

  • SSDEEP

    6144:FqvsZf39vcCN1RHCfsIltPv6qn0/+sK+x20Im5iTxSO+xUJ:FqIv/wTPv6Q0GwFPxU

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+bvbrs.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DF62EF4C258A68A
2. http://tes543berda73i48fsdfsd.keratadze.at/DF62EF4C258A68A
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DF62EF4C258A68A

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/DF62EF4C258A68A
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DF62EF4C258A68A
http://tes543berda73i48fsdfsd.keratadze.at/DF62EF4C258A68A
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DF62EF4C258A68A
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/DF62EF4C258A68A
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DF62EF4C258A68A

http://tes543berda73i48fsdfsd.keratadze.at/DF62EF4C258A68A

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DF62EF4C258A68A

http://xlowfznrg4wf7dli.ONION/DF62EF4C258A68A
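
The URL list above is what the sandbox pulled out of the note. As an added example (not part of this report or of the sandbox's own tooling), the Python below extracts the same indicators from the note text: every http(s) URL minus well-known benign hosts, every bare .onion reference normalised to a URL with a lower-cased host so the two spellings of the Tor address collapse into one IOC, and the victim ID as the path segment every attacker URL shares. The trimmed note text, the BENIGN_HOSTS list and the function names are this example's own.

```python
"""Pull payment-page URLs and the victim ID out of a TeslaCrypt-style ransom note.

Added example for this report, not sandbox output. RANSOM_NOTE is a trimmed copy
of the note shown in the Malware Config section; the benign-host list and the
"victim ID = shared trailing path segment" heuristic are this example's own.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed input: the lines of the extracted note that carry indicators.
RANSOM_NOTE = """NOT YOUR LANGUAGE? USE https://translate.google.com
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/DF62EF4C258A68A
2. http://tes543berda73i48fsdfsd.keratadze.at/DF62EF4C258A68A
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/DF62EF4C258A68A
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: xlowfznrg4wf7dli.onion/DF62EF4C258A68A
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/DF62EF4C258A68A
"""

# Hosts that ransom notes routinely cite but that are not attacker infrastructure.
BENIGN_HOSTS = {"translate.google.com", "www.torproject.org", "en.wikipedia.org"}

# Scheme-prefixed URLs, and bare .onion hosts in any case with an optional path.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ONION_RE = re.compile(r"(?<![\w.])([a-z2-7]{16,56}\.onion)(/[^\s<>\"']*)?", re.IGNORECASE)


def extract_urls(note: str) -> List[str]:
    """Return de-duplicated attacker URLs in order of first appearance.

    Bare .onion references become http://<host><path> with a lower-cased host,
    so 'x.onion/ID' and 'X.ONION/ID' yield a single indicator.
    """
    seen: Dict[str, None] = {}
    for m in URL_RE.finditer(note):
        parts = urlsplit(m.group(0).rstrip(".,;)"))
        host = (parts.hostname or "").lower()
        if host in BENIGN_HOSTS:
            continue
        seen.setdefault(f"{parts.scheme.lower()}://{host}{parts.path}", None)
    for m in ONION_RE.finditer(note):
        host, path = m.group(1).lower(), m.group(2) or "/"
        seen.setdefault(f"http://{host}{path}", None)
    return list(seen)


def extract_victim_id(urls: List[str]) -> Optional[str]:
    """The victim ID is the final path segment that all attacker URLs share."""
    tails = {urlsplit(u).path.rsplit("/", 1)[-1] for u in urls}
    tails.discard("")
    return tails.pop() if len(tails) == 1 else None


if __name__ == "__main__":
    found = extract_urls(RANSOM_NOTE)
    print("victim id:", extract_victim_id(found))
    for url in found:
        print(url)
```

Run against the note, this yields the four URLs listed above and the ID DF62EF4C258A68A; the ID is the value to pivot on when hunting for other hosts that reached the same payment page.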

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family whose early variants posed as CryptoLocker in their ransom screens; it did not share CryptoLocker's code. The developers shut the operation down in May 2016 and published the master decryption key, from which free decryptors were built. Despite the note's talk of a public and private AES key, AES is symmetric; do not take the note's description of its own cryptography at face value.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery. Here the sample runs WMIC.exe shadowcopy delete /nointeractive twice (PIDs 5048 and 2996) from the C:\Windows copy of itself; the vssvc.exe start at the top of the process list is the Volume Shadow Copy service coming up to serve that request.

  • Renames multiple (875) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs

    The dropped C:\Windows\qrhhgehtlegs.exe carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample (see Downloads): the malware copies itself into C:\Windows, re-launches from there, and removes the original with cmd.exe /c DEL.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. Read this hit alongside the process tree: the sample launches msedge.exe to display RECOVERY.HTM, and the Edge profile files listed under Downloads (Preferences, Local State, Crashpad settings.dat) are written by that browser session.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs

    Raised in the parent of each self-spawned copy (4784 for 1796, 3556 for 2324) together with WriteProcessMemory against that child. A process writing into and resetting the thread context of a fresh instance of its own image is the pattern of a process-hollowing style unpacker; the 532KB region at 0x400000 dumped from 1796 and 2324 is the image that was actually run.
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_57b2a1db98a792e2498b6ba5344deb90.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_57b2a1db98a792e2498b6ba5344deb90.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_57b2a1db98a792e2498b6ba5344deb90.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_57b2a1db98a792e2498b6ba5344deb90.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\qrhhgehtlegs.exe
        C:\Windows\qrhhgehtlegs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\qrhhgehtlegs.exe
          C:\Windows\qrhhgehtlegs.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2324
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5048
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:2280
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2196
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85bad46f8,0x7ff85bad4708,0x7ff85bad4718
              6⤵
                PID:3284
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
                6⤵
                  PID:3004
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
                  6⤵
                    PID:216
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
                    6⤵
                      PID:3584
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                      6⤵
                        PID:2692
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                        6⤵
                          PID:4792
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
                          6⤵
                            PID:2372
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
                            6⤵
                              PID:1380
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
                              6⤵
                                PID:1244
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
                                6⤵
                                  PID:4384
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                                  6⤵
                                    PID:2908
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6551826870494263586,8337327439730801741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
                                    6⤵
                                      PID:1492
                                  • C:\Windows\System32\wbem\WMIC.exe
                                    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                                    5⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2996
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QRHHGE~1.EXE
                                    5⤵
                                      PID:4404
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
                                  3⤵
                                    PID:3208
                              • C:\Windows\system32\vssvc.exe
                                C:\Windows\system32\vssvc.exe
                                1⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2344
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2516
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4052
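
The tree above is the behaviour a detection engineer wants to catch in endpoint telemetry. As an added example (not part of this report or of the sandbox's tooling), the Python below runs a handful of rules over process-creation events constructed from that tree: shadow-copy deletion via WMIC (generalised to vssadmin, which this sample does not use), a process re-launching its own image, an executable placed directly in C:\Windows, cmd.exe deleting its parent's image by 8.3 short name, and a viewer opened on a RECOVERY note file. The parent PIDs of the two top-level processes (1000, 700) and the rule names are assumptions of the example; Edge's helper processes are deliberately left out.

```python
"""Triage process-creation telemetry for the behaviours this report shows.

Added example, not sandbox output. EVENTS is constructed from the Processes
tree (same images, command lines and PIDs); the parent PIDs 1000 and 700 and
the rule names are this example's own. The rules generalise past the report
to vssadmin-based shadow deletion and to other ransom-note viewers.
"""
import ntpath
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_57b2a1db98a792e2498b6ba5344deb90.exe"
COPY = r"C:\Windows\qrhhgehtlegs.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events. Edge's own child processes are omitted: a browser spawning
# copies of itself is normal, which is why self_relaunch is weak on its own.
EVENTS: List[Dict] = [
    {"pid": 4784, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1796, "ppid": 4784, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3556, "ppid": 1796, "image": COPY, "cmdline": COPY},
    {"pid": 2324, "ppid": 3556, "image": COPY, "cmdline": COPY},
    {"pid": 5048, "ppid": 2324, "image": WMIC, "cmdline": f'"{WMIC}" shadowcopy delete /nointeractive'},
    {"pid": 2280, "ppid": 2324, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'},
    {"pid": 2196, "ppid": 2324, "image": EDGE,
     "cmdline": f'"{EDGE}" --single-argument C:\\Users\\Admin\\Desktop\\RECOVERY.HTM'},
    {"pid": 2996, "ppid": 2324, "image": WMIC, "cmdline": f'"{WMIC}" shadowcopy delete /nointeractive'},
    {"pid": 4404, "ppid": 2324, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QRHHGE~1.EXE'},
    {"pid": 3208, "ppid": 1796, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE'},
    {"pid": 2344, "ppid": 700, "image": r"C:\Windows\system32\vssvc.exe", "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

SHADOW_DELETE = [
    (re.compile(r"\\wmic\.exe$", re.I), re.compile(r"shadowcopy\s+delete", re.I)),
    (re.compile(r"\\vssadmin\.exe$", re.I), re.compile(r"delete\s+shadows", re.I)),
]
NOTE_VIEWER = re.compile(r"\\(notepad|wordpad|msedge|iexplore|chrome|firefox|mshta)\.exe$", re.I)
NOTE_FILE = re.compile(r"\\recovery(\+[a-z]{5})?\.(txt|html?|png)\b", re.I)
DEL_TARGET = re.compile(r"\b(?:del|erase)\s+(?:/\S+\s+)*(\S+)", re.I)


def same_file_8dot3(target: str, image: str) -> bool:
    """True when `target` names `image`, allowing an 8.3 short name (QRHHGE~1.EXE).

    Common case only: same directory, same extension, and a short stem made of
    the long stem's leading characters followed by ~N.
    """
    t_dir, t_name = ntpath.split(target)
    i_dir, i_name = ntpath.split(image)
    if t_dir.lower() != i_dir.lower():
        return False
    t_stem, t_ext = ntpath.splitext(t_name.lower())
    i_stem, i_ext = ntpath.splitext(i_name.lower())
    if t_ext != i_ext:
        return False
    if "~" in t_stem:
        prefix = t_stem.split("~", 1)[0]
        return 1 <= len(prefix) <= 6 and i_stem.startswith(prefix)
    return t_stem == i_stem


def triage(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        pid, image, cmd = e["pid"], e["image"], e["cmdline"]
        parent = by_pid.get(e["ppid"])
        # T1490 Inhibit System Recovery: shadow copies wiped via WMIC or vssadmin.
        if any(i.search(image) and c.search(cmd) for i, c in SHADOW_DELETE):
            findings.append((pid, "shadow_copy_deletion"))
        # Second instance of the parent's own image; pair with memory-write telemetry.
        if parent and parent["image"].lower() == image.lower():
            findings.append((pid, "self_relaunch"))
        # Executables directly in C:\Windows (not System32) are unusual.
        if ntpath.dirname(image).lower() == r"c:\windows":
            findings.append((pid, "exe_in_windows_root"))
        # cmd.exe /c DEL <parent's own image>, possibly by 8.3 short name.
        m = DEL_TARGET.search(cmd) if ntpath.basename(image).lower() == "cmd.exe" else None
        if m and parent and same_file_8dot3(m.group(1), parent["image"]):
            findings.append((pid, "self_deletion"))
        # A viewer opened on a RECOVERY / Recovery+xxxxx note file.
        if NOTE_VIEWER.search(image) and NOTE_FILE.search(cmd):
            findings.append((pid, "ransom_note_display"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"{pid:>5}  {rule}")
```

Only the shadow-copy and self-deletion rules are strong enough to alert on alone; self_relaunch and exe_in_windows_root are context that should raise the score of the other two, which is how the sandbox itself scored this run.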

                                  Network

                                  MITRE ATT&CK Enterprise v15


                                  Downloads

                                  • C:\Program Files\7-Zip\Lang\Recovery+bvbrs.html

                                    Filesize

                                    11KB

                                    MD5

                                    4d362932c608904befc37739f0f95c04

                                    SHA1

                                    a3667e3d4d2ee1fa3f8db8fb3d5cbb60e9f01f44

                                    SHA256

                                    d0e74883595b4eb4b3eda284d5a3594c39fe46440f42ff992066a0bc979cf53f

                                    SHA512

                                    3c66a940c41982bd469676ce95218bcdf78c7129cbe302bcbba82796c5bbc665e55ff851b2e8f2db6af280ce9291c700766474fefcd776db6b6efd6800f3347a

                                  • C:\Program Files\7-Zip\Lang\Recovery+bvbrs.png

                                    Filesize

                                    62KB

                                    MD5

                                    359db81f07cb1bc2e7f8016a0ee9687b

                                    SHA1

                                    9983e3864760b3c7bdd4de184b71091a6859d1a7

                                    SHA256

                                    fa9e178fe444f84f0e9bc9aaa1db6b0723f98476fd67f0e83e4e510c7ab8b6dd

                                    SHA512

                                    b3f44004a3b2b79547ab9f00f813fe121e4dfec42cdaef04cf34076a2584ed20644d67d6ee499c160ff3f3119a70212afdb0572e108e08d6f0c07ac3a06e79af

                                  • C:\Program Files\7-Zip\Lang\Recovery+bvbrs.txt

                                    Filesize

                                    1KB

                                    MD5

                                    db10ecc8472869d8d3dc586d864a2a5e

                                    SHA1

                                    368c10cc6c44f1568ea4525c72fe25f4a1e0b53f

                                    SHA256

                                    3d44c7002e5c8b8fd285a91f56f98249928eb95f4e8ee0f68f5b8f2b3c54e4c0

                                    SHA512

                                    5fabb6b91343fc1773da3dbc861965380ceb2a8690ae8b69643412ee1ca354535e6209223ac045fc8a933502ecbc80aeddc740b6536ba6ee78bd67f4d4ba2696

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                    Filesize

                                    560B

                                    MD5

                                    4f9747032f1cd704559e8de3b1d8a67b

                                    SHA1

                                    cf3617d0144265520530249f798395c2ce3aeee4

                                    SHA256

                                    f55325f14ad85a2edab6c682e04628227db00cb87a88dbcf35c2fb339a01a59a

                                    SHA512

                                    ad0384fb54a1f89fd594b30542d0d56f39957ce87a5b6490c486657ad9e44dd0464f544c35f3b24bc78405ecb8f732c5f79bae8e6bf5b755420bbce31e1e0817

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                    Filesize

                                    560B

                                    MD5

                                    a38deeb09529c8aa01f1a17b50b79c83

                                    SHA1

                                    baa76af865b071e08abe16d055aea0da02a1cb58

                                    SHA256

                                    38f1b37c80d02b209b9b046a58a9a4a9a7d0b9f35b5922bf2164b01edfe7dbd3

                                    SHA512

                                    b9986de4bcdd8cee17e8283c6e7644bb6848ded1a37e568cfd8cd2ed21d7545e7b951a14a3619c5ffe4c432fe9500af14bfb1880d92c5fc121635421365420af

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                    Filesize

                                    416B

                                    MD5

                                    50ed2cecb5e28ee9b18728ab989a4f94

                                    SHA1

                                    cc8dc33973e6b6dd3f61457368f95986e0b6e08b

                                    SHA256

                                    71f0402a85ac826de162b0ee428f08f187202510d959b1633115ff3dfbb2c054

                                    SHA512

                                    8f834bcb7ed3bce40cb47f51dcf842c14a47f0792b003e235fc9a7fd00eb3a837b0780ead302690a5f51c5071407be2d5cb5014607974ba0f282151cef14c567

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    4158365912175436289496136e7912c2

                                    SHA1

                                    813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

                                    SHA256

                                    354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

                                    SHA512

                                    74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    ce4c898f8fc7601e2fbc252fdadb5115

                                    SHA1

                                    01bf06badc5da353e539c7c07527d30dccc55a91

                                    SHA256

                                    bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

                                    SHA512

                                    80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    41eb7fea21707bcfa37bbfd4e52fcfd8

                                    SHA1

                                    d6cc9fe97e656b510f99f6a50707ed1c37363bf7

                                    SHA256

                                    e60f37d2731b9bc92f5132aa6eaa959ededcc288b2c7dfbb0435c0902a46cee9

                                    SHA512

                                    77ca29efbdc4ddea19baf26af2187a71098a694410066f18b3f07d439044e8996c6376754b656272040da38e36129e1dbc9adeb170993e99f3b6eeaca23a4d86

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    3b842574f7431552edfc258b8cb8914d

                                    SHA1

                                    9842b59dd43eaf886638dba5d8f807936b496a3d

                                    SHA256

                                    f30d1381a8c9fc5867455406575e21dbe94f91998dbc19768b1de4425c3aff71

                                    SHA512

                                    371d49e7d042c4f8a0e6e101f9ecfed470976a74db1b029112177d370ccf38cc0f8247abb8407491cd6faf91dddd75f418f9136f9d802638d4ffa38aa26a2803

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    5bcc808a9d80b2357944dd57d0aae31d

                                    SHA1

                                    b9cb33dc958c3525a81a425caa70508c425b74e2

                                    SHA256

                                    c18e9b25f3c13083e8b1d366e318eeb8ed6c28d8ac93010d0196fb79ad41c8d6

                                    SHA512

                                    3013910944aeab3e73c7cbeebbe37ce12b5b69ac0f79fcd3ed59f510fbc72b5c4245a8524076ff8f9d0e84de398bc379262cda287cf9e9ef2aae023fa450918c

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440659070499.txt

                                    Filesize

                                    47KB

                                    MD5

                                    ef911fe5aacf814528de49f8cff768f7

                                    SHA1

                                    043f32cf02b9921d624591ee54c215693627eb12

                                    SHA256

                                    32b3a0f54e636d50b72830764b6b462ec60aafcb016e0f66603696fa4e0a3cd7

                                    SHA512

                                    4ba54ede21ca49c61337443706abee46be96ccc52a347e3ea4eb2ab20103bf59a87a87b5a15d7fa1af0e6c101a0ecc5786189051fe293595aff610baee792559

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449628541770.txt

                                    Filesize

                                    75KB

                                    MD5

                                    da5cba9e52fd01259adde1fdba04458a

                                    SHA1

                                    377d11c6ab9f3ccb45ea40b6fcb546c5e62acbd0

                                    SHA256

                                    5a7ee8f865db6270eb567433026ee9a150ee330c3a09216dc556bd2b9c980347

                                    SHA512

                                    3a0285093c646d245b758e1be5bbbd451e79a973d4d33be13c2bf238060a977f3af60d54825f0c699d284aada3aedcbe5069d88bf4a2ff2aec6ba52b7684a96d

                                  • C:\Windows\qrhhgehtlegs.exe

                                    Filesize

                                    344KB

                                    MD5

                                    57b2a1db98a792e2498b6ba5344deb90

                                    SHA1

                                    b8a75d237c860f0128eae5adeb7e76f41233fc36

                                    SHA256

                                    6950d9f5794147161a7628aedcea38671ee33148580e015cf973f6a86c158d15

                                    SHA512

                                    36ebdbc0b27025e9bcc0edbe0cb9b40f2f4f4bbc1582d8e94e42d399a474d45227789d158b7d991fd04424188429fbc00fcf9db06922e3e8abf1506c4aa6d729

                                  • memory/1796-12-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/1796-5-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/1796-3-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/1796-2-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/1796-1-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-17-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-10371-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-7028-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-1888-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-24-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-9952-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-10359-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-10361-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-10369-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-4219-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-22-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-19-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-16-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-18-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2324-10443-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3556-11-0x0000000000400000-0x00000000007F6000-memory.dmp

                                    Filesize

                                    4.0MB

                                  • memory/4784-0-0x00000000009D0000-0x00000000009D3000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/4784-4-0x00000000009D0000-0x00000000009D3000-memory.dmp

                                    Filesize

                                    12KB