Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-06-2024 11:48

General

  • Target

    VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe

  • Size

    396KB

  • MD5

    8c23e7c480280c24c6b34c9c9bafc05d

  • SHA1

    de75bf5f2115fb3399d2c94966218f91dd9c2362

  • SHA256

    d898a79292edb0059156844e559cf65ab68819786b1d344dec42993851751740

  • SHA512

    04a631fbd1a3aca23956e316716375a77328471025f8391971aa33315ad8245419231f3b9b95229b1999c24c240ae97436ba9fcc3216d1a5b63ff75de9e9edf5

  • SSDEEP

    6144:4T3WR0F1lDPR+bJnm/jtowhxZWVrfQwBcTMMG26uw6fyQ7Q:4T3MA+bJmy4ZKfQRMh6

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+uqyne.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/71DA90B1859C3263 2. http://kkd47eh4hdjshb5t.angortra.at/71DA90B1859C3263 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/71DA90B1859C3263 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/71DA90B1859C3263 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/71DA90B1859C3263 http://kkd47eh4hdjshb5t.angortra.at/71DA90B1859C3263 http://ytrest84y5i456hghadefdsd.pontogrot.com/71DA90B1859C3263 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/71DA90B1859C3263
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/71DA90B1859C3263

http://kkd47eh4hdjshb5t.angortra.at/71DA90B1859C3263

http://ytrest84y5i456hghadefdsd.pontogrot.com/71DA90B1859C3263

http://xlowfznrg4wf7dli.ONION/71DA90B1859C3263
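
The note mixes the operator's payment pages with unrelated links (Google Translate, Wikipedia, the Tor Project), so a blocklist built by grabbing every URL would hit legitimate sites. The extractor below, added here as an example and not part of the sandbox's own config parser, keys on what distinguishes the real indicators: TeslaCrypt appends the same 16-hex-digit victim ID to every personal page. NOTE is the recovered note text trimmed to the lines that carry URLs; the function and field names are mine.

```python
"""Pull the actionable indicators out of a TeslaCrypt ransom note.

Added example, not part of the sandbox report. NOTE is the text recovered
in this run, trimmed to the lines that carry URLs; names below are mine.
"""
import re
from urllib.parse import urlsplit

NOTE = """NOT YOUR LANGUAGE? USE https://translate.google.com
More information about the encryption keys using RSA-4096 can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/71DA90B1859C3263
2. http://kkd47eh4hdjshb5t.angortra.at/71DA90B1859C3263
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/71DA90B1859C3263
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: xlowfznrg4wf7dli.onion/71DA90B1859C3263
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/71DA90B1859C3263
"""

# Absolute http(s) URLs, plus the bare v2 onion name the note tells the victim to type.
URL_RE = re.compile(r"https?://\S+|\b[a-z2-7]{16}\.onion\S*", re.I)
# TeslaCrypt's victim ID: a 16-hex-digit path segment, identical on every personal page.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{16})/?$")


def extract_iocs(note: str) -> dict:
    """Split the note's URLs into clearnet gateways, onion service and unrelated
    links, deciding by whether the URL path is the victim ID."""
    gateways, onions, other, ids = set(), set(), set(), set()
    for raw in URL_RE.findall(note):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        parts = urlsplit(url)
        host = parts.hostname or ""          # .hostname is already lower-cased
        m = VICTIM_ID_RE.match(parts.path)
        if not m:
            other.add(host)                  # translate/wikipedia/torproject: do not block
            continue
        ids.add(m.group(1))
        (onions if host.endswith(".onion") else gateways).add(host)
    return {
        # None means the pages carry different IDs, which is worth a closer look
        "victim_id": ids.pop() if len(ids) == 1 else None,
        "gateways": sorted(gateways),
        "onion": sorted(onions),
        "other_hosts": sorted(other),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE).items():
        print(f"{key:12} {value}")
```

The three clearnet hosts are the ones to block or sinkhole; the victim ID is what ties an endpoint's note to a specific infection and is the value to search for across other hosts' notes.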

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family that copied CryptoLocker's branding and ransom-note wording. The note's "RSA-4096" claim is marketing: TeslaCrypt encrypted files with AES and protected the per-file key with ECDH. The operators released the master key and shut down in May 2016, so files from this family are recoverable with the public decryptors.

  • Deletes shadow copies 3 TTPs

    Ransomware deletes Volume Shadow Copies to inhibit system recovery. In this run the dropped copy runs `WMIC.exe shadowcopy delete /nointeractive` twice (PIDs 2288 and 2100, see the process tree).

  • Renames multiple (864) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials. Here the likely trigger is msedge.exe reading its own profile after the sample launched it to display RECOVERY.HTM (see the process tree and the Edge profile files under Downloads), so treat this signature as a side effect of the ransom-note display rather than evidence of credential theft.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\siafqfopqhnm.exe
        C:\Windows\siafqfopqhnm.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\siafqfopqhnm.exe
          C:\Windows\siafqfopqhnm.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1424
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:4268
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4864
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffd084a46f8,0x7ffd084a4708,0x7ffd084a4718
              6⤵
              PID:4968
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
              6⤵
              PID:4848
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
              6⤵
              PID:3532
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
              6⤵
              PID:2260
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
              6⤵
              PID:832
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
              6⤵
              PID:948
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
              6⤵
              PID:4524
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
              6⤵
              PID:5060
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
              6⤵
              PID:4356
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
              6⤵
              PID:4120
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
              6⤵
              PID:4088
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7121899165060795584,17434199220547298381,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
              6⤵
              PID:2824
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2100
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SIAFQF~1.EXE
            5⤵
            PID:4680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        3⤵
        PID:3700
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4992
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3672
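
The tree above shows the three behaviours worth alerting on independently of any file hash: the sample spawns a second copy of its own image (the SetThreadContext/WriteProcessMemory pair flagged on the parent is the hollowing pattern), the hollowed copy deletes shadow copies through WMIC, and each stage removes its own binary with `cmd /c DEL` using the 8.3 short name (SIAFQF~1.EXE for siafqfopqhnm.exe, VIRUSS~1.EXE for the original). The detection logic below is an added example, not part of the sandbox; it runs over process-creation events in an assumed Sysmon-like schema (pid, ppid, image, cmdline). The PIDs and command lines are the ones in the tree; the root's ppid and the explorer.exe/notepad.exe pair are constructed controls, and the rule names are mine.

```python
"""Detection logic for the behaviours in the process tree above.

Added example, not part of the sandbox report. Events use an assumed
Sysmon-Event-ID-1-like schema; PIDs and command lines are copied from the
Processes section, the root's ppid and the explorer/notepad pair are made up.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line, as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_8c23e7c480280c24c6b34c9c9bafc05d.exe"
DROPPED = r"C:\Windows\siafqfopqhnm.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_EVENTS = [
    ProcEvent(1680, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1072, 1680, SAMPLE, f'"{SAMPLE}"'),          # hollowed copy of itself
    ProcEvent(2500, 1072, DROPPED, DROPPED),
    ProcEvent(1424, 2500, DROPPED, DROPPED),               # hollowed copy of the drop
    ProcEvent(2288, 1424, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    ProcEvent(4268, 1424, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    ProcEvent(2100, 1424, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    ProcEvent(4680, 1424, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SIAFQF~1.EXE'),
    ProcEvent(3700, 1072, CMD,
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE'),
    # constructed benign control: a user opening a text file from Explorer
    ProcEvent(5100, 5000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(5101, 5100, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'),
]

# Inhibit System Recovery (T1490): the two common command-line shapes.
SHADOW_DELETE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
    r"|\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
# cmd /c DEL <target>: the classic self-removal one-liner.
CMD_DEL = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+del\s+(?:/\S+\s+)*"?([^"\s]+)', re.I)
# Heuristic for "opens ransom note": a text viewer launched on a RECOVERY*/README* file.
NOTE_OPEN = re.compile(r'\bnotepad(?:\.exe)?"?\s+.*\\(?:recovery|readme|how_?to)[^\\]*$', re.I)


def short_stem(path: str) -> str:
    """Approximate the 8.3 short-name stem: first six characters of the base
    name with dots and spaces removed, upper-cased (siafqfopqhnm -> SIAFQF)."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    return re.sub(r"[.\s]", "", stem)[:6].upper()


def _same_file_as_83(target: str, image: str) -> bool:
    """True if an 8.3-style DEL target refers to `image` (same directory and stem)."""
    same_dir = ntpath.normcase(ntpath.dirname(target)) == ntpath.normcase(ntpath.dirname(image))
    same_stem = ntpath.basename(target).split("~")[0].upper() == short_stem(image)
    return same_dir and same_stem


def detect(events) -> list:
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if SHADOW_DELETE.search(e.cmdline):
            hits.append((e.pid, "shadow_copy_deletion"))
        # A process launching a second copy of its own image is the hollowing
        # precursor; correlate with SetThreadContext/WriteProcessMemory on the parent.
        if parent and ntpath.normcase(parent.image) == ntpath.normcase(e.image):
            hits.append((e.pid, "self_spawn"))
        if NOTE_OPEN.search(e.cmdline):
            hits.append((e.pid, "ransom_note_open"))
        m = CMD_DEL.search(e.cmdline)
        if m:
            # Walk the ancestor chain: does the DEL target name one of their images?
            anc = parent
            while anc is not None:
                if _same_file_as_83(m.group(1), anc.image):
                    hits.append((e.pid, "self_delete"))
                    break
                anc = by_pid.get(anc.ppid)
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}")
```

The self-delete rule resolves the 8.3 name by comparing directory and the first six characters of the stem rather than by string equality, because the logged DEL target (SIAFQF~1.EXE) never matches the long image path of the process that wrote it; the benign explorer/notepad pair at the end fires nothing.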

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Program Files\7-Zip\Lang\Recovery+uqyne.html

                                    Filesize

                                    9KB

                                    MD5

                                    7ad35ca29b9aa3a2612d8c5d319626c7

                                    SHA1

                                    f2cd1d2ff402455d32c5421155eb2274f1cf7b07

                                    SHA256

                                    8ed031d077a94886ed3d5d520e4f2f44a74283f4978b0c064d294d64b901d254

                                    SHA512

                                    30e195e4f786452441406d547899df3746f3cd0603ee4c5f794e4446e622bcd6136959036794441035d1cba1ea498174c991d02649ac4d957a48f43d0441c291

                                  • C:\Program Files\7-Zip\Lang\Recovery+uqyne.png

                                    Filesize

                                    64KB

                                    MD5

                                    5dc4a6984d05f2807f17dc1e0e5c055d

                                    SHA1

                                    087c13e47dcd2e403084d475728f4706ae90356b

                                    SHA256

                                    03b668e204ffaf0f9abf3f88cec3199b8a281e02289aa2ca2bea81d3d4195d05

                                    SHA512

                                    1f9f99abb3b0a72a7a69f4e76798a72cba87475cca4751de629acd471a50ffa2dcd62bb0f83f74a871a64ad64805d1d78b763d23374bc73f1862b0599f74cda6

                                  • C:\Program Files\7-Zip\Lang\Recovery+uqyne.txt

                                    Filesize

                                    1KB

                                    MD5

                                    cd0ac50b58df52b687f2d4c87db1639a

                                    SHA1

                                    0d0adfbe95c42a90e05dc7c21e27582e0e9647f7

                                    SHA256

                                    e404fef33698397f9b8f7108481237dcb7bd04f0ae37212a62b67c94ada1b03e

                                    SHA512

                                    25c9962c41c947007669523a1b94651da7eb91ba447708130603170d6dde232df72f55a5d7ebb3600bab197790158918ebc768a96998c1bfc830201adc162ee5

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                    Filesize

                                    560B

                                    MD5

                                    49c14d635cd6c6cfc8575a32d9073c61

                                    SHA1

                                    a38f5bac8e4afec87df594bf5c24d0905c861218

                                    SHA256

                                    17f38a61e43936b84fc806079c7a64b7d51c4a3a849cf69cc7f749f30918ad3c

                                    SHA512

                                    77c098bd2abb79a23f80f595e85b6ce7947505dfc52594a4ea5b0b9cd9f6e4492ff4c0ea210dcff766338c39a0e046d236d1a3802a72f23af6b1b3a011e1ab69

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                    Filesize

                                    560B

                                    MD5

                                    b4bce8156a9ed7f8fcf9a01d217fa195

                                    SHA1

                                    eb5e87198d0c60996b9c630ed84d84cecb527463

                                    SHA256

                                    e5270023972692d838ab6fcec77b6d002363097fb127b482ca19cb8c7b3d626f

                                    SHA512

                                    1d3b256ca07ec29468d24dbb88bba642860a238ca9b847137f060d542522e09186dd0d4ecd1f511064c61a3b007e2b400fb5388cfc2651434b54d1219ddbc210

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                    Filesize

                                    416B

                                    MD5

                                    6fa2e0c0498540bbba09dfc5ff74628c

                                    SHA1

                                    681663207da4df086fb12bdd6f604b5acb611d85

                                    SHA256

                                    55fc91e946926a30c9ed66c2766fb6c6d21f98a32cb9a20761d2dfbf9051cbdc

                                    SHA512

                                    448db52d41bde50e5cb5e377fe25f0ce24b036110fce0ea58151ef1604a0a6d5af157b1bb65a501d4417cafa249da7cb4cf45630ff80691ee1dfb063dcce72c0

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    87f7abeb82600e1e640b843ad50fe0a1

                                    SHA1

                                    045bbada3f23fc59941bf7d0210fb160cb78ae87

                                    SHA256

                                    b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

                                    SHA512

                                    ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    f61fa5143fe872d1d8f1e9f8dc6544f9

                                    SHA1

                                    df44bab94d7388fb38c63085ec4db80cfc5eb009

                                    SHA256

                                    284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

                                    SHA512

                                    971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    308bee2225eaccd713ac937a76e6722e

                                    SHA1

                                    46fe1da6b1a4a547d165cb582fc0ff2f1f1b6ad4

                                    SHA256

                                    e83f51510a289f87a8ead19354a961c9adef67649b8b800e2e78d47ab4ad0ceb

                                    SHA512

                                    9cad0bbe192f2384fea72a099850bcc3b285a6afa0e367154b67a9f149a7dc5b57d16988751cc139f877ae1bf6e41adca066d4586cf8d197fa8873b2d438ca07

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    c19862aed016465b2b95bb38c056a39a

                                    SHA1

                                    7f6f146b14fe405f94a10fc2e28bbe95b15f0e8c

                                    SHA256

                                    1eba9775de26a387a1df0f6f9e3d94820a8035ee76e455c197c2e57575592c8a

                                    SHA512

                                    20c5d1b7ae7f964967281b5e213c2fe932f9d3836c4b9b01812497c9990ca3d1a90f74d50fa10ea36d408df09a9140362b57471bd52c8a02f6c6ce8dbafb54bb

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    8790f3630aa15229c2edcf9c3f36e633

                                    SHA1

                                    1da380c4540a57bbe236a514ab066d850905dd10

                                    SHA256

                                    ee45282f3c2e27734572a6fdc3238617717ef61336f047b460338853c505d703

                                    SHA512

                                    dd6c83e25fd325c63d352da9f7a8ab56692943bda1eac6aacd37e1fa93fa82653ced521216795c857d98972f70653bc3145b04809fb055132f78b0357377a44c

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380552933791.txt

                                    Filesize

                                    47KB

                                    MD5

                                    e786d6b27ab9031e146bdbadc561ee47

                                    SHA1

                                    1a9c3052854cb255a7ad9aa2f2f961c81ff3f1ea

                                    SHA256

                                    4a71aef0944d58fc35cb86ca16357201f78f4164942e1bf52337638bca94ab15

                                    SHA512

                                    26f86adb17f68bec8568e9431be47920efd93582c423a2d9f45bc3ca05117c7ff1c95b680ee9024314e0f57954425ec42a420f71697aa674be16e388e2cc2884

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596409679270107.txt

                                    Filesize

                                    75KB

                                    MD5

                                    2b9c52af28f80e216df7be474097df58

                                    SHA1

                                    cb1d1a24b7da45a833077aa30436a41aff21b8e5

                                    SHA256

                                    038612d267a89ee24ef8db8e8bbb92d12011d0be6712eb2344898c3b754769c3

                                    SHA512

                                    cd3601f43c5876855ada2178ebf5aa1aeb42bcccdf4bbf8d916116a1820664822b11e704da5e2488d9ead2fab82c6510634d2583f02567b4f2206ac7258855d6

                                  • C:\Windows\siafqfopqhnm.exe

                                    Filesize

                                    396KB

                                    MD5

                                    8c23e7c480280c24c6b34c9c9bafc05d

                                    SHA1

                                    de75bf5f2115fb3399d2c94966218f91dd9c2362

                                    SHA256

                                    d898a79292edb0059156844e559cf65ab68819786b1d344dec42993851751740

                                    SHA512

                                    04a631fbd1a3aca23956e316716375a77328471025f8391971aa33315ad8245419231f3b9b95229b1999c24c240ae97436ba9fcc3216d1a5b63ff75de9e9edf5

                                  • memory/1072-13-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1072-6-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1072-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1072-3-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1072-2-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-17-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-10363-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-2178-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-4487-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-7490-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-25-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-23-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-10353-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-10355-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-332-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-10364-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-20-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-19-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-18-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1424-10403-0x0000000000400000-0x0000000000486000-memory.dmp

                                    Filesize

                                    536KB

                                  • memory/1680-0-0x00000000022C0000-0x00000000022C3000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/1680-4-0x00000000022C0000-0x00000000022C3000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/1680-1-0x00000000022C0000-0x00000000022C3000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/2500-12-0x0000000000400000-0x0000000000620000-memory.dmp

                                    Filesize

                                    2.1MB