Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-06-2024 11:48

General

  • Target

    VirusShare_9fb86c5050cc496dcdc3f53ee2c59069.exe

  • Size

    376KB

  • MD5

    9fb86c5050cc496dcdc3f53ee2c59069

  • SHA1

    ee358c3adca4413b6c30b146a8b33b70a230b3c7

  • SHA256

    a5643944606ce1fc7025ba988e0186ab8d37a44af5efd077a8934e36a41d8624

  • SHA512

    ecc5f28fe85343e1574112323e2f35853b49290100d450e5a4ca708c16f07018b5ae82be70bb5408d0e92183344c12d3612a9198fa7c641f61f8a5f6c536f21d

  • SSDEEP

    6144:Ee3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:EY5hMfqwTsTKcmTV5kINEx+d

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+mrykn.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5020AFA43C5E2913
2. http://kkd47eh4hdjshb5t.angortra.at/5020AFA43C5E2913
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/5020AFA43C5E2913
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/5020AFA43C5E2913
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5020AFA43C5E2913
http://kkd47eh4hdjshb5t.angortra.at/5020AFA43C5E2913
http://ytrest84y5i456hghadefdsd.pontogrot.com/5020AFA43C5E2913
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/5020AFA43C5E2913
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5020AFA43C5E2913

http://kkd47eh4hdjshb5t.angortra.at/5020AFA43C5E2913

http://ytrest84y5i456hghadefdsd.pontogrot.com/5020AFA43C5E2913

http://xlowfznrg4wf7dli.ONION/5020AFA43C5E2913
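The extracted configuration above (three clearnet payment pages, one Tor hidden service, all carrying the same 16-hex-digit victim identifier) can be pulled out of the note mechanically. The following is an added example, not code from the sandbox or from the malware family: it runs over a constructed excerpt of the note quoted above, ignores the unrelated URLs the note also contains (Google Translate, Wikipedia, the Tor Project download page), deduplicates the pages that appear twice, checks that every page carries the same victim ID, and defangs the result for sharing. The function names and the `hxxp://` / `[.]` defang convention are this example's choices.

```python
"""Extract payment-page URLs and the victim ID from a TeslaCrypt ransom note.

Added example (not from the report or the malware): regexes and function
names are this example's own.
"""
import re
from urllib.parse import urlsplit

# Constructed excerpt of the note quoted in the report; the first two lines and
# the torproject.org line are there to show that unrelated URLs are ignored.
SAMPLE_NOTE = """\
NOT YOUR LANGUAGE? USE https://translate.google.com
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5020AFA43C5E2913
2. http://kkd47eh4hdjshb5t.angortra.at/5020AFA43C5E2913
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/5020AFA43C5E2913
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: xlowfznrg4wf7dli.onion/5020AFA43C5E2913
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5020AFA43C5E2913
http://kkd47eh4hdjshb5t.angortra.at/5020AFA43C5E2913
http://ytrest84y5i456hghadefdsd.pontogrot.com/5020AFA43C5E2913
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/5020AFA43C5E2913
"""

# A payment page is "<host>/<16 hex digits>"; the scheme is optional because the
# Tor address is written without one. The fixed-width hex path is what separates
# the payment pages from the other URLs in the note.
URL_RE = re.compile(
    r"(?:https?://)?([a-z0-9.-]+\.(?:onion|[a-z]{2,}))/([0-9A-F]{16})\b",
    re.IGNORECASE,
)


def extract_config(note: str) -> dict:
    """Return {'victim_id', 'clearnet', 'onion'}; raise if the IDs disagree."""
    clearnet, onion, ids = [], [], set()
    for host, victim_id in URL_RE.findall(note):
        host = host.lower()
        ids.add(victim_id.upper())
        url = f"http://{host}/{victim_id.upper()}"
        bucket = onion if host.endswith(".onion") else clearnet
        if url not in bucket:          # the note lists each page twice
            bucket.append(url)
    if len(ids) != 1:
        raise ValueError(f"expected exactly one victim id, found {sorted(ids)}")
    return {"victim_id": ids.pop(), "clearnet": clearnet, "onion": onion}


def defang(url: str) -> str:
    """Render a URL so that it cannot be clicked or auto-linked: hxxp://host[.]tld/path."""
    parts = urlsplit(url)
    host = parts.hostname.replace(".", "[.]")
    return f"hxx{parts.scheme[3:]}://{host}{parts.path}"


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_NOTE)
    print("victim id:", cfg["victim_id"])
    for url in cfg["clearnet"] + cfg["onion"]:
        print(defang(url))
```

The 16-hex-digit path segment is what makes the match reliable here; if a different note carries a longer or shorter ID, the `{16}` quantifier is the one thing to adjust.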

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware that imitated CryptoLocker's ransom notes and branding. Its developers shut the operation down in 2016 and released the master decryption key.

  • Deletes shadow copies 3 TTPs

    Ransomware removes Volume Shadow Copies (here via `WMIC.exe shadowcopy delete /nointeractive`, run twice by the dropped copy) so that files cannot be restored from local snapshots.

  • Renames multiple (866) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_9fb86c5050cc496dcdc3f53ee2c59069.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_9fb86c5050cc496dcdc3f53ee2c59069.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_9fb86c5050cc496dcdc3f53ee2c59069.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_9fb86c5050cc496dcdc3f53ee2c59069.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\fxsciafqfopq.exe
        C:\Windows\fxsciafqfopq.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3672
        • C:\Windows\fxsciafqfopq.exe
          C:\Windows\fxsciafqfopq.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3148
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3328
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:3288
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1256
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa057146f8,0x7ffa05714708,0x7ffa05714718
              6⤵
              PID:1104
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
              6⤵
              PID:2076
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
              6⤵
              PID:3452
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
              6⤵
              PID:1304
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
              6⤵
              PID:324
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              6⤵
              PID:3480
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 /prefetch:8
              6⤵
              PID:2472
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 /prefetch:8
              6⤵
              PID:5052
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
              6⤵
              PID:1648
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
              6⤵
              PID:3972
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
              6⤵
              PID:4884
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16096273078474403625,7550525700808722396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
              6⤵
              PID:2568
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4000
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FXSCIA~1.EXE
            5⤵
            PID:3092
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        3⤵
        PID:3988
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1140
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2412
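The process tree above is the kind of record a detection engineer turns into rules: the sample re-launches itself (PID 540 to 2624, with SetThreadContext and WriteProcessMemory, the usual shape of process hollowing), drops a copy into C:\Windows and runs it, deletes shadow copies through WMIC twice, opens RECOVERY.TXT in Notepad and RECOVERY.HTM in Edge, and finally deletes both its original and the dropped copy through `cmd.exe /c DEL` using 8.3 short names. The following is an added example, not code from the sandbox: it replays a constructed subset of those events (Edge's child processes left out; the WMIC switch written as `/nointeractive`, which the report's rendering splits in two) through four rules that correspond to the report's own signature names. The rule names, event field names, the viewer list and the C:\Windows allowlist are this example's own assumptions.

```python
"""Ransomware behaviour rules run over process-creation events.

Added example (not from the report): events are a constructed subset of
the report's process tree; rule names, field names and the allowlist are
this example's own choices.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_9fb86c5050cc496dcdc3f53ee2c59069.exe"
DROPPED = r"C:\Windows\fxsciafqfopq.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"


def ev(pid, ppid, image, cmd=None):
    """One process-creation event; the command line defaults to the bare image path."""
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd or image}


# Constructed from the report's process tree (Edge child processes omitted).
EVENTS = [
    ev(540, 0, SAMPLE, f'"{SAMPLE}"'),
    ev(2624, 540, SAMPLE, f'"{SAMPLE}"'),
    ev(3672, 2624, DROPPED),
    ev(3148, 3672, DROPPED),
    ev(3328, 3148, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    ev(3288, 3148, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
       r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    ev(1256, 3148, EDGE, rf'"{EDGE}" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM'),
    ev(4000, 3148, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    ev(3092, 3148, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FXSCIA~1.EXE'),
    ev(3988, 2624, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE'),
    ev(1140, 0, r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

SHADOW_RE = re.compile(r"shadowcopy\s+delete|delete\s+shadows", re.I)
DEL_RE = re.compile(r"/c\s+del\s+(?:/\w\s+)*\"?([^\"\s]+)", re.I)
NOTE_RE = re.compile(r"\\(?:recover|restore|decrypt|readme|how_to)[^\\\s]*\.(?:txt|html?)\b", re.I)
VIEWERS = {"notepad.exe", "wordpad.exe", "msedge.exe", "iexplore.exe", "chrome.exe"}
# Illustrative allowlist of binaries legitimately found directly in C:\Windows (assumption).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "splwow64.exe", "write.exe", "winhlp32.exe", "bfsvc.exe"}


def matches_short_name(short: str, full: str) -> bool:
    """True if an 8.3 name such as FXSCIA~1.EXE can refer to the long name `full`."""
    short_base, short_ext = ntpath.splitext(ntpath.basename(short).upper())
    full_base, full_ext = ntpath.splitext(ntpath.basename(full).upper())
    if "~" not in short_base:
        return short_base == full_base and short_ext == full_ext
    prefix = short_base.split("~", 1)[0]
    squeezed = re.sub(r"[ .]", "", full_base)   # 8.3 drops spaces and extra dots
    return squeezed.startswith(prefix) and short_ext[:4] == full_ext[:4]


def ancestors(pid, by_pid):
    """Yield ancestor events of `pid`, nearest first; stops at an unknown parent."""
    seen, cur = set(), by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield cur


def detect(events):
    """Return {rule_name: sorted list of pids} for the four behaviours."""
    by_pid = {e["pid"]: e for e in events}
    hits = {"shadow_copy_deletion": [], "self_deletion": [],
            "dropped_exe_in_windows_root": [], "ransom_note_displayed": []}
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        folder = ntpath.dirname(e["image"]).lower()
        if name in {"wmic.exe", "vssadmin.exe"} and SHADOW_RE.search(e["cmd"]):
            hits["shadow_copy_deletion"].append(e["pid"])
        if folder == r"c:\windows" and name not in WINDOWS_ROOT_ALLOW:
            hits["dropped_exe_in_windows_root"].append(e["pid"])
        if name in VIEWERS and NOTE_RE.search(e["cmd"]):
            hits["ransom_note_displayed"].append(e["pid"])
        m = DEL_RE.search(e["cmd"]) if name == "cmd.exe" else None
        if m:
            target = m.group(1)
            # Self-deletion: the DEL target resolves to an ancestor's own image.
            for anc in ancestors(e["pid"], by_pid):
                if (ntpath.dirname(target).lower() == ntpath.dirname(anc["image"]).lower()
                        and matches_short_name(target, anc["image"])):
                    hits["self_deletion"].append(e["pid"])
                    break
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule:30s} {pids}")
```

The self-deletion rule walks the ancestor chain rather than only the direct parent because the `DEL` of the original sample (PID 3988) is launched by the second, hollowed instance (PID 2624), not by the process that first ran from Temp; comparing the 8.3 prefix against the ancestor's long file name is what lets `VIRUSS~1.EXE` match `VirusShare_9fb8….exe` without a filesystem lookup.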

Network

MITRE ATT&CK Enterprise v15

Downloads

                                  • C:\Program Files\7-Zip\Lang\Recovery+mrykn.html

                                    Filesize

                                    7KB

                                    MD5

                                    738c3825febcb3623783591f311c5a9f

                                    SHA1

                                    cc828bf10947d2cb2be808757cd55c5066a73331

                                    SHA256

                                    17a97ef1417153c05594d03867680996939c29d61c083b7e49afbe566cb0eab5

                                    SHA512

                                    dbcaf833c4f71bde8ab5a22308a6a44fbfe306140f572db60d8c1828084adfaed784f4f06845d61ffac86deccd028274a2fa6052d5d8d5cadb636d24a4a52350

                                  • C:\Program Files\7-Zip\Lang\Recovery+mrykn.png

                                    Filesize

                                    63KB

                                    MD5

                                    ed4128d5e4592118e19797c28272b298

                                    SHA1

                                    d807196ba1bdb1d163cc92509870a25188da1326

                                    SHA256

                                    79f78b258d1b3cdc34837e8e53005feb71d117ce1ed1271f314da72e0e6bbfef

                                    SHA512

                                    b5ccec18e5b44172a1f18aa152285d5f68804e35f29aad499470f95b20d820df182623c9fbde422cbf03be7d80e26bd4a08e134f50b841055314d7cfbb5903e8

                                  • C:\Program Files\7-Zip\Lang\Recovery+mrykn.txt

                                    Filesize

                                    1KB

                                    MD5

                                    86672d77c8b0ecfcdcc02716206334eb

                                    SHA1

                                    6bbdff45d8032564df0e8c8f32409741101a251d

                                    SHA256

                                    de0c35a33314d707ba956e67765cc297f21814cb908492e336daa41d2fc16276

                                    SHA512

                                    fd8e1b0b1e11d5f918f9089d4ab9c43ac102e8f47a6df591cf35d1571f9cce97f360f4e7c15a499b67f19bb47e4b61ccb7d611db4b0e1b34a535cecc2f65cd60

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                    Filesize

                                    560B

                                    MD5

                                    515b69dfbee91e1a0911abe69e9c1a79

                                    SHA1

                                    688fab6137244b587d2e17481a04a5384501a1cf

                                    SHA256

                                    113b6d2c780c258c9ecd89f96457679803df5f31e6dfff83bb00160d90c9f948

                                    SHA512

                                    85cb8dc6d24e69e32a6fc110bd28d9095230f57d376bc68584107fc11b45bb997a36e2e96cbe115a6865fddcc2b179c1b5f9df95413de59c32099e8f5b8377f0

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                    Filesize

                                    560B

                                    MD5

                                    0825d044fa02d27ef1e422bd96225eb2

                                    SHA1

                                    69a5d5a52e544f0d73c419143ade96701d615c63

                                    SHA256

                                    58ab40d58bda582b50d8eb388584e33ecd0cb89c32216a03ad4fe61b3339af56

                                    SHA512

                                    4c10e37312cd99aa33ee93f256e39db3760127c765cf0ab5e8bb71cc0c0c6a512a0b4530218291759eba183c5af27f769bcab2562c9c2ff9841088e1b5902b66

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                    Filesize

                                    416B

                                    MD5

                                    b9cbac0115572e9631af3b67b75e3d68

                                    SHA1

                                    66dc97a818b08ac959d954dd26c821a930574930

                                    SHA256

                                    01c49bf0f0169c03d8a11017165c81f15ae48611b07b556f0c6ec5d9b3b4d74f

                                    SHA512

                                    8415c1ae783f4dffefbbfa54a7ae9c74fa5e834fd2297e20b2e244af1d9975fb4ba1a8692034b5f0c011d8521934361d827c4faa8a1d151c71fb02ff274605da

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    4158365912175436289496136e7912c2

                                    SHA1

                                    813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

                                    SHA256

                                    354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

                                    SHA512

                                    74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    ce4c898f8fc7601e2fbc252fdadb5115

                                    SHA1

                                    01bf06badc5da353e539c7c07527d30dccc55a91

                                    SHA256

                                    bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

                                    SHA512

                                    80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    0ab36fdafcb2132f784262d32285f384

                                    SHA1

                                    553fcde4162ff8fca2f0d7c5880fc9be5fcda818

                                    SHA256

                                    689a66bc310c18ce2e821e8377a99db4391f06da91e5e4b71585acb6669cf7cd

                                    SHA512

                                    bd41a41d8b9d4e036eb778b634ac0ea173c72a3a978b7b10cf471ee9c630367a4d147edecf9571929922585bba05448633e5ce9e757dc68760ad67830be8d753

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    767e5769884054dd58cc062de022e575

                                    SHA1

                                    e668df9e17f7e9ae3e98b87d1b959f4151364208

                                    SHA256

                                    8089a5ad82e0c9c1681cd315d1f592f798639bf49e9b4ae9699f1a627bd851d5

                                    SHA512

                                    a6ade31cf8320277a357275148affb11de4cf1fdb22db8e282a162a83b519ae3469f97963e35432a90978c06d6eb96e28b18a74d8377df3fd5363d3932c2ac4e

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    4f2313bfe8ffbcc1357e49a77957d9b0

                                    SHA1

                                    33e74a1987cf18eca64eeac197fe4eeb5278f4aa

                                    SHA256

                                    8c4614dcc4f56288bc53012956218b4bb8aed3bc5af294cd022de39c18dc2364

                                    SHA512

                                    a3f09b9d9316b287fc8dd06e3e679858682ae22833442613b26845a27070e1ed29e2d13a20e1f079400fb8dc23a2359725e72efdb369f7b75995e7beb2d466c5

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440659070499.txt

                                    Filesize

                                    47KB

                                    MD5

                                    2a6bc0598b9a6098ba515379cfeb1e3a

                                    SHA1

                                    30b711f903e81a88bb3a5c6d6af1e1d46eb34d8c

                                    SHA256

                                    365e2f88d308a9566b2f1a25570f03fd5deba4ca15196a0fefcc9a333593e4f0

                                    SHA512

                                    dd675d7c64652629f40c7436a858780ddba6924a57d567598c902ca986853523199257f978ee916ad255b18cb0b4da625e2bb921fc37433a3d9917548018aad6

                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449628541770.txt

                                    Filesize

                                    75KB

                                    MD5

                                    6789214bd757fb72e965b4c44b377db1

                                    SHA1

                                    7e1e892a2b521799845bef3141a7ddb50fd7b600

                                    SHA256

                                    27f6dcc8f8cd3b2361e5547031f8323d43fbc33337b2fe1485339775d125263e

                                    SHA512

                                    034640e0c26d9992171c93d14b3bacc540f1cbc3a631b1733dc2e335b65faccfd5ecc94e8860b93c7234ce6f633fe5fa9e6546ce5e44df0f31516b9837e0b084

                                  • C:\Windows\fxsciafqfopq.exe

                                    Filesize

                                    376KB

                                    MD5

                                    9fb86c5050cc496dcdc3f53ee2c59069

                                    SHA1

                                    ee358c3adca4413b6c30b146a8b33b70a230b3c7

                                    SHA256

                                    a5643944606ce1fc7025ba988e0186ab8d37a44af5efd077a8934e36a41d8624

                                    SHA512

                                    ecc5f28fe85343e1574112323e2f35853b49290100d450e5a4ca708c16f07018b5ae82be70bb5408d0e92183344c12d3612a9198fa7c641f61f8a5f6c536f21d

                                  • \??\pipe\LOCAL\crashpad_1256_CASPKXTHWWEBUOQF

                                    MD5

                                    d41d8cd98f00b204e9800998ecf8427e

                                    SHA1

                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                    SHA256

                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                    SHA512

                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                  • memory/540-0-0x0000000000770000-0x0000000000773000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/540-1-0x0000000000770000-0x0000000000773000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/540-4-0x0000000000770000-0x0000000000773000-memory.dmp

                                    Filesize

                                    12KB

                                  • memory/2624-5-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2624-2-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2624-3-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2624-6-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/2624-13-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-17-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-10365-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-4301-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-9891-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-10355-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-10356-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-10364-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-6996-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-3195-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-2141-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-23-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-20-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-19-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-18-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3148-10442-0x0000000000400000-0x0000000000485000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/3672-12-0x0000000000400000-0x00000000005EB000-memory.dmp

                                    Filesize

                                    1.9MB
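Two things in the Downloads list above are worth pulling out programmatically rather than by eye: C:\Windows\fxsciafqfopq.exe carries exactly the MD5/SHA-1/SHA-256/SHA-512 of the submitted sample (the dropped file is a byte-for-byte self-copy, so it needs no separate analysis), and the crashpad named pipe carries the well-known hashes of empty content. The three Recovery+mrykn.* files share one random suffix, which is the per-infection note name to search for on other hosts. The following is an added example, not part of the report: it parses a constructed excerpt written in the report's own bullet/label/value layout (SHA-512 values and most entries left out for brevity; blank lines between labels are tolerated) and flags those three categories. Function names are this example's own.

```python
"""Triage the Downloads (dropped/written files) list of a sandbox report.

Added example (not from the report): parser and function names are this
example's own; the excerpt is constructed from the report's list.
"""
import hashlib
import ntpath
import re
from collections import defaultdict

SAMPLE_SHA256 = "a5643944606ce1fc7025ba988e0186ab8d37a44af5efd077a8934e36a41d8624"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # computed, not hard-coded
LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
NOTE_RE = re.compile(r"Recovery\+([A-Za-z0-9]+)\.(?:txt|html?|png)$")

# Constructed excerpt of the report's Downloads section (four entries).
EXCERPT = r"""
• C:\Program Files\7-Zip\Lang\Recovery+mrykn.html
  Filesize
  7KB
  MD5
  738c3825febcb3623783591f311c5a9f
  SHA256
  17a97ef1417153c05594d03867680996939c29d61c083b7e49afbe566cb0eab5
• C:\Program Files\7-Zip\Lang\Recovery+mrykn.txt
  Filesize
  1KB
  SHA256
  de0c35a33314d707ba956e67765cc297f21814cb908492e336daa41d2fc16276
• C:\Windows\fxsciafqfopq.exe
  Filesize
  376KB
  SHA256
  a5643944606ce1fc7025ba988e0186ab8d37a44af5efd077a8934e36a41d8624
• \??\pipe\LOCAL\crashpad_1256_CASPKXTHWWEBUOQF
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def parse_downloads(text: str) -> list:
    """Turn the bullet/label/value layout into dicts keyed by lowercase label."""
    entries, current, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue                       # the report separates labels with blank lines
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif line in LABELS:
            pending = line.lower()         # next non-blank line is this label's value
        elif current is not None and pending:
            current[pending] = line
            pending = None
    return entries


def triage(entries: list, sample_sha256: str = SAMPLE_SHA256) -> dict:
    """Flag self-copies of the sample, empty files, and ransom-note sets by suffix."""
    out = {"self_copies": [], "empty_files": [], "ransom_notes": defaultdict(list)}
    for e in entries:
        sha = (e.get("sha256") or "").lower()
        if sha == sample_sha256.lower():
            out["self_copies"].append(e["path"])
        if sha == EMPTY_SHA256:
            out["empty_files"].append(e["path"])
        m = NOTE_RE.search(ntpath.basename(e["path"]))
        if m:
            out["ransom_notes"][m.group(1)].append(e["path"])
    out["ransom_notes"] = dict(out["ransom_notes"])
    return out


if __name__ == "__main__":
    result = triage(parse_downloads(EXCERPT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Comparing against the SHA-256 of empty content is done with a computed constant rather than a pasted hash so the check cannot drift if the script is reused for a report that lists only MD5 or SHA-1; in that case the same idea applies with `hashlib.md5(b"")` or `hashlib.sha1(b"")`.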