Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-06-2024 11:38

General

  • Target

    VirusShare_6bcc066e2a81f34c7e052895001f44c6.exe

  • Size

    340KB

  • MD5

    6bcc066e2a81f34c7e052895001f44c6

  • SHA1

    6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8

  • SHA256

    39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

  • SHA512

    b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c

  • SSDEEP

    6144:2//b5dx5w2hahQGvPmZ8n0SylbvO+MeTHLlj9HhRbr3ET4b7ODRJT0luqig:SddvwdhHvPmZiyIXgLl3ZoMq4wO

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+kwdye.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/89BCB9CD372FE58E
2. http://tes543berda73i48fsdfsd.keratadze.at/89BCB9CD372FE58E
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/89BCB9CD372FE58E
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/89BCB9CD372FE58E
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/89BCB9CD372FE58E
http://tes543berda73i48fsdfsd.keratadze.at/89BCB9CD372FE58E
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/89BCB9CD372FE58E
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/89BCB9CD372FE58E
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/89BCB9CD372FE58E

http://tes543berda73i48fsdfsd.keratadze.at/89BCB9CD372FE58E

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/89BCB9CD372FE58E

http://xlowfznrg4wf7dli.ONION/89BCB9CD372FE58E

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (882) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_6bcc066e2a81f34c7e052895001f44c6.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_6bcc066e2a81f34c7e052895001f44c6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_6bcc066e2a81f34c7e052895001f44c6.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_6bcc066e2a81f34c7e052895001f44c6.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Windows\clfeisylhwkb.exe
        C:\Windows\clfeisylhwkb.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4224
        • C:\Windows\clfeisylhwkb.exe
          C:\Windows\clfeisylhwkb.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3512
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3312
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:3312
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4528
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7d5c46f8,0x7fff7d5c4708,0x7fff7d5c4718
              6⤵
                PID:1432
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
                6⤵
                  PID:4004
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
                  6⤵
                    PID:4548
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
                    6⤵
                      PID:664
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
                      6⤵
                        PID:3780
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                        6⤵
                          PID:4556
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
                          6⤵
                            PID:3604
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
                            6⤵
                              PID:4820
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
                              6⤵
                                PID:2472
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
                                6⤵
                                  PID:5084
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
                                  6⤵
                                    PID:1088
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,16072084049510204809,11454540843948499920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
                                    6⤵
                                      PID:2676
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1324
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        3⤵
        PID:440
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4360
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1316
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1964

Network

MITRE ATT&CK Enterprise v15


Downloads

                                • C:\Program Files\7-Zip\Lang\Recovery+kwdye.html

                                  Filesize

                                  11KB

                                  MD5

                                  9b389cb90e89a8f15d5dcaded0f3cd5c

                                  SHA1

                                  291a8c17215e7d6bd83cd7c95943f752ee0aad80

                                  SHA256

                                  432a540e43b852b7b2de3a175247ade278533bb51f0c102d5bbcf600d65569c5

                                  SHA512

                                  8b41f918f50b623d238e7771d35769334d03ce40269b61fab6128b3c4325b1549fa1d9bf5b7ff107d2a51dc2c18fa5c0fdd3a0504541e90401b54d37aa8e780a

                                • C:\Program Files\7-Zip\Lang\Recovery+kwdye.png

                                  Filesize

                                  62KB

                                  MD5

                                  65e7fd1649b1d232e4cd93770d348bde

                                  SHA1

                                  b2edcda61cea38b4b648952450b6c157065f1bc9

                                  SHA256

                                  e47bc7905c8e36391cb399c8d16f5eb516f58212453af49d1db5f52718da393b

                                  SHA512

                                  41925fb4bc681ff2fb7e54668fc336a2e216fc4abe6050620dfaf47c475b49b59661661b23e1ee95e9bab5d54a870ace9a2507f68199b9a99ae0f46955b05f5e

                                • C:\Program Files\7-Zip\Lang\Recovery+kwdye.txt

                                  Filesize

                                  1KB

                                  MD5

                                  9edb1eb718c817f042e20d4ea564f384

                                  SHA1

                                  eba03c4e9871f63fa8ad6c1a6fe620d2f2739772

                                  SHA256

                                  930ab95d8b19aa6e8d78659ec455550ce2c5b80c4dfd0a2ebf18a3bbaeebf605

                                  SHA512

                                  16be818f64edf2ef352a040c2f9ce65683ece23ec50ed8b09c7a81e3b4cf3994b7b13a03e67312dcafa012016ce7d3f57a0d35e47062f99d8c3691fa83165cd9

                                • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                  Filesize

                                  560B

                                  MD5

                                  4ea496a8e82ad0872a1e452267e8b98c

                                  SHA1

                                  9907e0feb610317cbc14839cbb0969983071e69c

                                  SHA256

                                  a83d7d892a7e0c89f0e88735a5e5c821cff8e62be77af4bff7d0378aae022c5f

                                  SHA512

                                  9918ef9c08c2a54aa9960187d6a4fa55ff47774fcf080ae4f15c2b41f808fd3adbdf92bf68e32334e0cbb90a106ddf0d70e310645c8c52092a81fced8bf4da57

                                • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                  Filesize

                                  560B

                                  MD5

                                  2b0efd301cb7264f27bc008d6090f7dd

                                  SHA1

                                  de278f359407388b407e0fff3b151c93f0ed4cb6

                                  SHA256

                                  0fa315b2731506964202aefea8ce5ab8eb0db987ada54cef45ef62d32fb807d4

                                  SHA512

                                  6190d5a730fb57ab6ed719d2e70a9248130d3b14d7bff807db1db577e19dd3cdea28165269f45331d6fa5b4f694381ae24e058d9df1ef69dd38a45ad68a5b8c6

                                • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                  Filesize

                                  416B

                                  MD5

                                  1702de7001920d14c13eb8b4cd216d55

                                  SHA1

                                  12910bcaab20704cde2ba24ad271087b11eb6fb8

                                  SHA256

                                  6ce1d35234d3f64db50df7a7769d098d3d55835c1ba18de5b6be81c054dfaf39

                                  SHA512

                                  f250c7539f5b366ef08778a5f4445d68e113d6497f1d823de04e7932f3823c92f16a25d7944537622d28b3bb115209ba54781126aa18f9cffc63d1de6ad73724

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  439b5e04ca18c7fb02cf406e6eb24167

                                  SHA1

                                  e0c5bb6216903934726e3570b7d63295b9d28987

                                  SHA256

                                  247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                  SHA512

                                  d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  a8e767fd33edd97d306efb6905f93252

                                  SHA1

                                  a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                  SHA256

                                  c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                  SHA512

                                  07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2f3189f8-5d13-486a-ae4e-66c3e6ead7f8.tmp

                                  Filesize

                                  5KB

                                  MD5

                                  5d6a4e5c69b7464ff8f9b90027c5abd2

                                  SHA1

                                  903bfca8061cd4975fe0a6f5888655f790080c99

                                  SHA256

                                  7a1ddbb98ae62cdef7e9a21c74fe641274dac89dbbec00276fb10e4efcecae15

                                  SHA512

                                  0dcfd335ddfca3525cceef6d762874fd4a8739553ada41f29b0e9fb38cdfecf06a574709b8db71a6f16789043de1a56a7a9f126ea61994d349e200e8b0d2a51f

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  39a3c3d3c7628992b322502d554884cd

                                  SHA1

                                  255f452ed48338ec0b356cfd9c03e3c83e723080

                                  SHA256

                                  e5d2635588f0d64752b6731177d380320a51d744f8f35abdb5306895b168197a

                                  SHA512

                                  bb5ee50fab58bd8326d77485ee12246592d5aa646abcad353f4c350eaf7dc0de2675fca42ab7de29e09accf835fef689ec3b3dda0e9751a24ce5a5a47f3f0d2d

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                  MD5

                                  c9a14214c3e6031e4baf1f7b411fe4d4

                                  SHA1

                                  403caec2dab6005d7ab1d6f9b93862381a5054ea

                                  SHA256

                                  6c88aac5eb338e67444e51ab6a63f5567cfdfef90767a036b5bcc136b60f24db

                                  SHA512

                                  c9616992d3adda5bd6876d4801506c9499f8c6b8ba91453ed9e6c331ba8fc308913013fb0e7f117d346cfa81bca5a9f4c87e1005747496e8afe53db3f315f6b2

                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt

                                  Filesize

                                  75KB

                                  MD5

                                  bce0b10b7e00dea1ce480fdf88f13734

                                  SHA1

                                  ad66648f8809d5c01583134f7325fe65e0d986c5

                                  SHA256

                                  95f632c1218b9433be9e4c1abeb18cdb31f1af1f3d170e7a27a28261a0f71a5c

                                  SHA512

                                  f096bf49d95b0bc37280c6a278f484ee6f01330918ef8be6f6479cf268e89aad9b42c3901ba91a87addaaf40cf0ebd138f23e1850d5cc6126637e7a9504a568f

                                • C:\Windows\clfeisylhwkb.exe

                                  Filesize

                                  340KB

                                  MD5

                                  6bcc066e2a81f34c7e052895001f44c6

                                  SHA1

                                  6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8

                                  SHA256

                                  39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

                                  SHA512

                                  b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c

                                • \??\pipe\LOCAL\crashpad_4528_QBSXSVPLZBLHRZKO

                                  MD5

                                  d41d8cd98f00b204e9800998ecf8427e

                                  SHA1

                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                  SHA256

                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                  SHA512

                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                • memory/428-12-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/428-2-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/428-5-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/428-4-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/428-1-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3096-0-0x0000000000740000-0x0000000000743000-memory.dmp

                                  Filesize

                                  12KB

                                • memory/3096-3-0x0000000000740000-0x0000000000743000-memory.dmp

                                  Filesize

                                  12KB

                                • memory/3512-947-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-3700-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-5443-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-1285-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-8162-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-10395-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-10397-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-10405-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-10406-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-24-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-22-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-19-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-18-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-16-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/3512-17-0x0000000000400000-0x0000000000485000-memory.dmp

                                  Filesize

                                  532KB

                                • memory/4224-11-0x0000000000400000-0x0000000000578000-memory.dmp

                                  Filesize

                                  1.5MB