Analysis

  • max time kernel: 150s
  • max time network: 144s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10-06-2024 11:37

General

  • Target: VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe
  • Size: 368KB
  • MD5: 627ec4f42d9649bc8309d87f03d1c288
  • SHA1: 6cd845e8de2c2197cbab48f94eea823f88b0efd9
  • SHA256: 3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066
  • SHA512: 62899ac229fbfff6cd6ace9610b6d6dc027cc32ffe5b7b2c08fb3445815e134caec32047e0a5129118675f22b32aed516fc877b33c90da98261eb44f119a74bd
  • SSDEEP: 6144:e680E92oeOE4G63VEuFwm+DDrhd3wbYqaUq/JyKSmi97Msg4piwbBS9lkw86C:e68PIHt6DObD5dmYqarImi9jB4SBylkN

Malware Config

Extracted

  • Path: C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rrrku.txt
  • Family: teslacrypt
  • Ransom Note

    NOT YOUR LANGUAGE? USE https://translate.google.com
    What happened to your files ?
    All of your files were protected by a strong encryption with RSA4096
    More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
    How did this happen ?
    !!! Specially for your PC was generated personal RSA4096 Key , both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/727A811BF4B2B4DA
    2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/727A811BF4B2B4DA
    3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/727A811BF4B2B4DA
    If for some reasons the addresses are not available, follow these steps:
    1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2 - After a successful installation, run the browser
    3 - Type in the address bar: xlowfznrg4wf7dli.onion/727A811BF4B2B4DA
    4 - Follow the instructions on the site
    IMPORTANT INFORMATION
    Your personal pages
    http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/727A811BF4B2B4DA
    http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/727A811BF4B2B4DA
    http://yyre45dbvn2nhbefbmh.begumvelic.at/727A811BF4B2B4DA
    Your personal page Tor-Browser
    xlowfznrg4wf7dli.ONION/727A811BF4B2B4DA
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/727A811BF4B2B4DA

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/727A811BF4B2B4DA

http://yyre45dbvn2nhbefbmh.begumvelic.at/727A811BF4B2B4DA

http://xlowfznrg4wf7dli.ONION/727A811BF4B2B4DA

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (868) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_627ec4f42d9649bc8309d87f03d1c288.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\ybbvnmxxrmwu.exe
        C:\Windows\ybbvnmxxrmwu.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Windows\ybbvnmxxrmwu.exe
          C:\Windows\ybbvnmxxrmwu.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4480
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:4388
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1352
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffe1a46f8,0x7ffffe1a4708,0x7ffffe1a4718
              6⤵
              PID:4852
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
              6⤵
              PID:284
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
              6⤵
              PID:2416
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
              6⤵
              PID:4804
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
              6⤵
              PID:2324
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
              6⤵
              PID:4008
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
              6⤵
              PID:2360
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
              6⤵
              PID:4476
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
              6⤵
              PID:1940
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
              6⤵
              PID:5064
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
              6⤵
              PID:3892
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15278409920800682210,1094150655736795644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
              6⤵
              PID:3800
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        3⤵
        PID:760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2404
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3616
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1248

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rrrku.html
    Filesize: 12KB
    MD5: 004c6bf177b13c2c62c2dd1ce0e2acf3
    SHA1: f27822b77b4b848b3b1584f1f27f6e77a118a89a
    SHA256: d181651d5819b65b33ced68b15f3a294d14b340ba86e3bf49f091d6fd3bbbc22
    SHA512: ab7016aba68ec06454e1bc3f70ed1762adeb3caf40a1b5eb4ecb3cfcb4253947f46dfc216af173ac9f2575150d46f2ead51736078649904219735141090ce783

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rrrku.png
    Filesize: 64KB
    MD5: ddd002be90def1ac94fb08f124417aaf
    SHA1: 9ea51c26368fd2924ec0abdc1be3864e7dfb2a4f
    SHA256: 009114362184d66c3181ff3a7e58d31de7f9687c1ba89cab3abd1339ee2a7b07
    SHA512: 82455bdcb0f668cf3b66eae53b0885bdb861b35a3549b3e6b3d64d6bb1a029104b34f45fd88d506c22c2893b98af94bc70bff4bfd7564e210fe8f6c0fd5f9f9e

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+rrrku.txt
    Filesize: 1KB
    MD5: 5f963af5ef6f1414d93f3953cafc4b81
    SHA1: b198417c173cfcec3af8a2e12836aecd37a9c646
    SHA256: d62f73e6165f6a94242f966d0598bb1fe32bfea21ee833aeec2aa713a6377dce
    SHA512: 89745c674738f086f77917e003f8c3210c76d87a2e3822652247b013d047e8ebbbf9563667f4d6e1fcc60cebf0a121c811f97d57e1095a8740bc41cd7b831792

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize: 560B
    MD5: 7ea327fae10ae235cad9c5a152174005
    SHA1: e12ea7b4493a0d3631a26366b5e2bb25f7960468
    SHA256: 86cb408cba9e896ee1877a83284c49946975b26fa60349b277c43d0d512b65cf
    SHA512: 86df8723f2faa6d62552b3524674b09c7d131f1595214e2a7a3276879ec6c80765b45bed511ae2dad513ce771af9b90b597498e1b90d674cf20484e7b4966a10

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize: 560B
    MD5: 9845e1dcc52595f3bd5acd2f98b3b1a8
    SHA1: cb860b7a23de02b8204713e2bab919962edf2a28
    SHA256: 3874d10fb6bed4624232fde9f28d167cdec5582b0da75d90359383d1297c2434
    SHA512: d308b6bf85e264fee4ec42de5b45ff7a0c9a33d73a8a725c6f63bab3bc966f3d78132414d5f0d40f44296b85270fd39651a9fbe6705e4e1d2476be785333b752

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize: 416B
    MD5: 916b9daf6515f376e885bae9f5edf6e4
    SHA1: 7c9ccc954b985d8cd5929759e1a580eb206f26e0
    SHA256: ef9f4242831a7016d46b723dfde24a7a78159fb31e89ebd0d2f966cb7fcedeeb
    SHA512: c745af594192052f0abde6daf5289f3b0250f30b3ac496a8541c1d31af26534836d770ff7e086b4b35d42982e8a672c0ee233c91a48c7816f91469aa8b282377

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: ea98e583ad99df195d29aa066204ab56
    SHA1: f89398664af0179641aa0138b337097b617cb2db
    SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
    SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 4f7152bc5a1a715ef481e37d1c791959
    SHA1: c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
    SHA256: 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
    SHA512: 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 506b9ed8471fd52211e48e5b66f1906c
    SHA1: ef411707a7eb64a59fd008bd692b074c7db76740
    SHA256: fef6009072b1831447280f0780c343afd47697ea43a0d69fdd49bfbe6015b4e9
    SHA512: b82240e6c58daf0996bb10ea12432cb58071d086edf51e41610edf55d2b292f196e237d4317b99b05f40eb9f102b8762e8991a289a6a1be229f816a7074ae7c7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: a5ef824edc40e1eaba63bc1d31b0dd51
    SHA1: 8aeb15c9cba834ae6048d29558fcb9c2faea7aa1
    SHA256: 11152017fd2e21f144e27857375db95397b1b8a47611163b0419c5b0b179e7a0
    SHA512: 69390451dd35f35e3b612d57954021b669986b7ade6a241a890abb8be5aa5e09b644d3f5893ede7119bccf6bb5e6e88628a343df511bdefb1aba4e266cdaf1ae

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 16e016c6eea6bff9a6beb5f1dd35541f
    SHA1: bca6b6fcb71a10537834fba2fe36456447cd0f2b
    SHA256: 98e5f214d59ac306ea080b2ac499b1eb9e042c5c345dc8a52c57c3405554adc6
    SHA512: 76a96528b25e6a4d6fcdf62b662b97eaeecd0e404897050a101e4961aaead1b305fe05121fabfe583c020308765e3ec23bf03be2c5f8d640d92ad0af27f7aa66

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088054759135.txt
    Filesize: 47KB
    MD5: 72c58d61bac82b33adfd463a48c3f77c
    SHA1: 8dbef38b2e4b8703f4a4430123718d37d18850dd
    SHA256: 7e5d761a2d159c6f13dc32b794a28272706e2cfe0a9a193aae75458502478701
    SHA512: 23afb12399b9c5aa83068dccfd05eef0792cfb5c6c6fbd1afdd919b9787a352a4992d3618e7f7701a0253fbafe2f61af2eb763694079cb3d98c0227d995ebf2c

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586133455468809.txt
    Filesize: 75KB
    MD5: 00e22f3e0e7e7fa2c060ec11dfe107c6
    SHA1: eb0445c348cd6e9f5374090277eea5156d2603f3
    SHA256: 1d3217b3fa262427504c9b84f88c4d752bec5c23cf320ba479459bc7ce88e052
    SHA512: 677e07c5ecc266867486924961d5dc7bc9d1d8f36dcda668a3bbc75bccb54ba58f352ce646f32a5f7a64b33fb9f9bbc4c6b47da7d9a3ee2e6844b65072d26b27

  • C:\Windows\ybbvnmxxrmwu.exe
    Filesize: 368KB
    MD5: 627ec4f42d9649bc8309d87f03d1c288
    SHA1: 6cd845e8de2c2197cbab48f94eea823f88b0efd9
    SHA256: 3503e011b2844b6eb3f18b3a7c0965ff07171ac6af2488fcf03c0e69d95cd066
    SHA512: 62899ac229fbfff6cd6ace9610b6d6dc027cc32ffe5b7b2c08fb3445815e134caec32047e0a5129118675f22b32aed516fc877b33c90da98261eb44f119a74bd

  • \??\pipe\LOCAL\crashpad_1352_TWBFPSUNFLKKVGVQ
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2392-0-0x0000000000670000-0x0000000000675000-memory.dmp
    Filesize: 20KB

  • memory/2392-4-0x0000000000670000-0x0000000000675000-memory.dmp
    Filesize: 20KB

  • memory/2392-1-0x0000000000670000-0x0000000000675000-memory.dmp
    Filesize: 20KB

  • memory/4064-12-0x0000000000400000-0x00000000004E2000-memory.dmp
    Filesize: 904KB

  • memory/4480-8214-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-26-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-2533-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-5042-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-5570-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-24-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-22-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-20-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-10386-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-10387-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-10395-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-10397-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-19-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4480-18-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4912-15-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4912-6-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4912-5-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4912-3-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB

  • memory/4912-2-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize: 536KB