Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-06-2024 11:48

General

  • Target

    VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe

  • Size

    336KB

  • MD5

    a5eb9cf3b138e8466071ec20a6722b5c

  • SHA1

    5b8db28fdc2e40fd67b3de164eb9d904122e5cef

  • SHA256

    ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e

  • SHA512

    499af2dfd9997cd737ebdd758d7c84e36084d5db5cf1f2eb032fd496b549e808303eb73275e9ddf378e966972c1ddbab03174ba5b9b97fd4c75c2ba1e5d14a24

  • SSDEEP

    6144:81w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:8i0Uu6ikyjcuk5y0hXaxpKkB

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+unjwq.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/58A27862C2E3DB49
2. http://tes543berda73i48fsdfsd.keratadze.at/58A27862C2E3DB49
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/58A27862C2E3DB49
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/58A27862C2E3DB49
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/58A27862C2E3DB49
http://tes543berda73i48fsdfsd.keratadze.at/58A27862C2E3DB49
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/58A27862C2E3DB49
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/58A27862C2E3DB49
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/58A27862C2E3DB49

http://tes543berda73i48fsdfsd.keratadze.at/58A27862C2E3DB49

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/58A27862C2E3DB49

http://xlowfznrg4wf7dli.ONION/58A27862C2E3DB49
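The URL list above is what a config extractor pulls out of the note. The Python below is an added example written for this page, not the sandbox's extractor: it separates the per-victim payment pages (the links that end in the 16-hex-digit victim ID) from the translate/Wikipedia/Tor Project reference links that appear in every TeslaCrypt note, normalises the onion address whether it is written with or without a scheme or in upper case, and turns the result into a hostname list for blocking. The note text embedded in the code is abridged from the one shown above; the regular expressions and the bucket names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Ransom note recovered from C:\Program Files\7-Zip\Lang\Recovery+unjwq.txt in the
# report above, abridged to the lines that carry links (wording unchanged).
NOTE = """NOT YOUR LANGUAGE? USE https://translate.google.com
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/58A27862C2E3DB49
2. http://tes543berda73i48fsdfsd.keratadze.at/58A27862C2E3DB49
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/58A27862C2E3DB49
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: xlowfznrg4wf7dli.onion/58A27862C2E3DB49
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/58A27862C2E3DB49
"""

URL_RE = re.compile(r"https?://\S+", re.I)
# Onion gateway: written with or without a scheme, in any case, followed by the victim ID.
ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion/([0-9a-f]{16})\b", re.I)
# The victim ID is the 16-hex-digit path component every payment link ends in.
VICTIM_ID_RE = re.compile(r"/([0-9A-F]{16})\b")


def extract_config(note):
    """Split a TeslaCrypt note into victim ID, payment URLs, onion URLs and reference links."""
    ids = VICTIM_ID_RE.findall(note)
    if not ids:
        return {"victim_id": None, "payment_urls": [], "onion_urls": [], "reference_urls": []}
    victim_id = max(set(ids), key=ids.count)      # the ID repeated on every payment link
    payment, reference, onion = [], [], []
    for raw in URL_RE.findall(note):
        url = raw.rstrip(".,;:)")                 # trailing punctuation from the prose
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(".onion"):
            continue                              # handled by ONION_RE below, scheme or not
        bucket = payment if url.endswith("/" + victim_id) else reference
        if url not in bucket:
            bucket.append(url)
    for host, vid in ONION_RE.findall(note):
        if vid.upper() == victim_id:
            url = f"http://{host.lower()}.onion/{victim_id}"   # normalise ".ONION" and add a scheme
            if url not in onion:
                onion.append(url)
    return {"victim_id": victim_id, "payment_urls": payment,
            "onion_urls": onion, "reference_urls": reference}


def indicator_hosts(config):
    """Hostnames worth blocking or hunting: payment gateways and the onion, never the reference links."""
    hosts = {urlsplit(u).hostname for u in config["payment_urls"] + config["onion_urls"]}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    cfg = extract_config(NOTE)
    print(cfg["victim_id"], indicator_hosts(cfg))
```

The reference links are deliberately kept in a separate bucket rather than dropped: they are useful for note-family classification but would only add noise to a blocklist.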

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family that copied CryptoLocker's branding and ransom-note layout but was its own codebase; the "AES key, both public and private" wording in the note above is that boilerplate (AES is a symmetric cipher). The operators released the master decryption key and shut down in May 2016, so public decryptors exist for this family.

  • Deletes shadow copies 3 TTPs

    Ransomware deletes Volume Shadow Copies and other backups to inhibit system recovery (ATT&CK T1490). In this run the dropped copy (PID 3652) ran "WMIC.exe shadowcopy delete /nointeractive" twice (PIDs 4708 and 4352); vssvc.exe, the service that handles the request, shows up as a separate root process in the tree below.

  • Renames multiple (873) files with added filename extension

    Mass renaming with a new extension appended to the original name is the file-encryption phase of ransomware (ATT&CK T1486, Data Encrypted for Impact).

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs

    Seen on PIDs 4028 and 3976, each of which also used WriteProcessMemory on a freshly spawned copy of its own image (PIDs 5020 and 3652). That pairing is consistent with process hollowing: the parent writes an unpacked payload into the suspended child and redirects its main thread before resuming it, so the children's 532KB images at 0x400000 (memory dumps listed below) are the ones worth analysing.
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

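Two of the signatures above, the 873 renames with an appended extension and the Recovery+unjwq.{txt,html,png} notes dropped into directory after directory under Program Files, are the behaviours an endpoint rule would key on. The Python below is an added example, not the sandbox's detection logic: it runs over constructed file events (the note names and the 7-Zip\Lang path come from the report; the other directories, the ".xyz" extension, PID 1234 and the thresholds are assumptions) and flags a process that appends one new extension to many files or writes the same file name into several directories.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed file-system events, not from the report: (pid, op, old_path, new_path).
# op is "create" (old_path is None) or "rename". PID 3652 mirrors the dropped copy in the
# process tree; the note names and the 7-Zip\Lang directory come from the Downloads list,
# the other directories, the ".xyz" extension and PID 1234 are made up for the example.
NOTE_DIRS = [r"C:\Program Files\7-Zip\Lang", r"C:\Users\Admin\Documents", r"C:\Users\Admin\Pictures"]
EVENTS = [(3652, "create", None, rf"{d}\Recovery+unjwq.{ext}")
          for d in NOTE_DIRS for ext in ("txt", "html", "png")]
EVENTS += [(3652, "rename", rf"C:\Users\Admin\Documents\report{i}.docx",
            rf"C:\Users\Admin\Documents\report{i}.docx.xyz") for i in range(6)]
EVENTS += [  # benign activity from another process: ordinary renames and a single create
    (1234, "rename", r"C:\Users\Admin\Documents\draft.txt", r"C:\Users\Admin\Documents\final.txt"),
    (1234, "rename", r"C:\Users\Admin\Downloads\setup.tmp", r"C:\Users\Admin\Downloads\setup.tmp.bak"),
    (1234, "create", None, r"C:\Users\Admin\Documents\notes.txt"),
]


def appended_extension(old, new):
    """Return EXT when new == old + '.' + EXT (case-insensitive), else None.

    A rename that keeps the whole original name and adds one suffix is the ransomware
    pattern; a rename that changes the stem (draft.txt -> final.txt) is not.
    """
    o, n = old.lower(), new.lower()
    if n.startswith(o + "."):
        tail = n[len(o) + 1:]
        if tail and "." not in tail and "\\" not in tail:
            return tail
    return None


def detect(events, rename_threshold=5, note_dir_threshold=3):
    """Per-PID alerts: {pid: {"mass_rename": {ext: count}, "note_drops": {name: n_dirs}}}."""
    renames = defaultdict(lambda: defaultdict(int))    # pid -> appended ext -> count
    drops = defaultdict(lambda: defaultdict(set))      # pid -> file name -> directories
    for pid, op, old, new in events:
        if op == "rename" and old:
            ext = appended_extension(old, new)
            if ext:
                renames[pid][ext] += 1
        elif op == "create":
            p = PureWindowsPath(new)
            drops[pid][p.name.lower()].add(str(p.parent).lower())
    alerts = {}
    for pid, exts in renames.items():
        hits = {e: c for e, c in exts.items() if c >= rename_threshold}
        if hits:
            alerts.setdefault(pid, {})["mass_rename"] = hits
    for pid, names in drops.items():
        hits = {n: len(dirs) for n, dirs in names.items() if len(dirs) >= note_dir_threshold}
        if hits:
            alerts.setdefault(pid, {})["note_drops"] = hits
    return alerts


if __name__ == "__main__":
    for pid, why in detect(EVENTS).items():
        print(pid, why)
```

In production the same two counters would be kept per process over a sliding time window rather than over a whole event list; the thresholds here are low so the constructed sample trips them, and a real deployment would tune them against the baseline of installers and backup software, which also rename files in bulk.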
Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\gsucedsfqjts.exe
        C:\Windows\gsucedsfqjts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3976
        • C:\Windows\gsucedsfqjts.exe
          C:\Windows\gsucedsfqjts.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3652
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4708
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:2700
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4240
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9d67f46f8,0x7ff9d67f4708,0x7ff9d67f4718
              6⤵
                PID:680
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
                6⤵
                  PID:1312
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
                  6⤵
                    PID:968
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
                    6⤵
                      PID:4488
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
                      6⤵
                        PID:1796
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                        6⤵
                          PID:2728
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
                          6⤵
                            PID:3664
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
                            6⤵
                              PID:1784
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1
                              6⤵
                                PID:3160
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
                                6⤵
                                  PID:2460
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                                  6⤵
                                    PID:3004
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4961122365889691570,11627574287955306187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
                                    6⤵
                                      PID:4436
            • C:\Windows\System32\wbem\WMIC.exe
              "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4352
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
          3⤵
          PID:3760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1372
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2356
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4872
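The tree above reduces to a handful of relationships that a detection engineer would want to match automatically: the sample re-executes its own image (the SetThreadContext/WriteProcessMemory pairs), drops a copy directly into C:\Windows and runs it, deletes shadow copies through WMIC, opens the ransom note from the Desktop, and has cmd.exe delete the original. The following Python is an added example, not part of the sandbox report or of any vendor's code: it rebuilds the tree from process-creation events transcribed from the report (Edge helper processes omitted) and runs those rules over it. The rule names, the Desktop/keyword heuristic for the note, and the inclusion of vssadmin in the shadow-copy rule are the example's own choices.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


# Process-creation events transcribed from the tree above as (pid, ppid, image, cmdline).
# ppid 0 marks a root; Edge's helper children (PIDs 680, 1312, ...) are omitted.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe"
DROPPED_EXE = r"C:\Windows\gsucedsfqjts.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EVENTS = [
    (4028, 0, TEMP_EXE, f'"{TEMP_EXE}"'),
    (5020, 4028, TEMP_EXE, f'"{TEMP_EXE}"'),
    (3976, 5020, DROPPED_EXE, DROPPED_EXE),
    (3652, 3976, DROPPED_EXE, DROPPED_EXE),
    (4708, 3652, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    (2700, 3652, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    (4240, 3652, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM'),
    (4352, 3652, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    (3760, 5020, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE'),
]

SHADOW_DELETE = re.compile(r"shadowcopy\s+delete|delete\s+shadows", re.I)   # wmic / vssadmin forms
DEL_TARGET = re.compile(r'\bdel\b\s+"?([^"\s]+)', re.I)                      # path after "del"
NOTE_NAME = re.compile(r"\\desktop\\[^\\\s]*(recovery|readme|decrypt|how_to|restore)", re.I)


def build_tree(events):
    procs = {pid: Proc(pid, ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p.pid)
    return procs


def ancestry(procs, pid):
    """PIDs from pid up to its root, e.g. [4708, 3652, 3976, 5020, 4028]."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid].ppid
    return chain


def analyze(procs):
    """Return (pid, rule) findings for the ransomware behaviours visible in the tree."""
    findings = []
    for p in procs.values():
        img = PureWindowsPath(p.image)
        name = img.name.lower()
        parent = procs.get(p.ppid)
        if name in ("wmic.exe", "vssadmin.exe") and SHADOW_DELETE.search(p.cmdline):
            findings.append((p.pid, "shadow_copy_deletion"))
        if parent and p.image.lower() == parent.image.lower():
            # same binary spawning itself: the hollowing/unpacking stage seen with SetThreadContext
            findings.append((p.pid, "self_spawn_same_image"))
        if parent and str(img.parent).lower() == r"c:\windows" and "\\temp\\" in parent.image.lower():
            # a binary sitting directly in C:\Windows, started by something in a Temp directory
            findings.append((p.pid, "dropped_exe_in_windows_dir"))
        if name == "cmd.exe":
            m = DEL_TARGET.search(p.cmdline)
            if m:
                target_dir = str(PureWindowsPath(m.group(1)).parent).lower()
                # self-delete: the deleted file lives where an ancestor's own image lives
                for anc in ancestry(procs, p.ppid):
                    if str(PureWindowsPath(procs[anc].image).parent).lower() == target_dir:
                        findings.append((p.pid, "self_delete"))
                        break
        if name in ("notepad.exe", "msedge.exe") and NOTE_NAME.search(p.cmdline):
            findings.append((p.pid, "ransom_note_opened"))
    return findings


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for pid, rule in analyze(tree):
        print(pid, rule, "<-", " > ".join(str(x) for x in ancestry(tree, pid)))
```

The self-delete rule deliberately compares directories rather than file names, because the command line uses the 8.3 short name VIRUSS~1.EXE while the ancestor's image is recorded with its long name; resolving short names needs the live file system, which a log-only detector does not have.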

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\Recovery+unjwq.html
    Filesize 11KB
    MD5 1d6aff9a8c1f228ae2c024d3a2e41ca7
    SHA1 6127da5e07b4b4e48ec0eab0d2fae18437dd348c
    SHA256 c2fc84babe5464cfc6ebdc5b5ed4ebbd5ebc62474b158397c83ceb0e2a12f9c3
    SHA512 0e9327d2625321ab5160b941739b4e0662b5ac155ab53bb7b06384e8ea6c71f2dfe8d74640f18691b2169e4a85b44e97c094c1ebddd9cf232558b8f9beaa1549

  • C:\Program Files\7-Zip\Lang\Recovery+unjwq.png
    Filesize 63KB
    MD5 fe5704b635ebf1c8e033d2419dedfbdc
    SHA1 e6a59067f36dcc6d2d52f0d09f301047f5d43599
    SHA256 b4770a9cd099ba38066b730a0f2dcdbbf2a96a3f863fa221bd801947cec16fd2
    SHA512 0a6a0960e309c386500141e9abfb5f0230ba435d75ff311563366e413d70fd4928d3fce384bfce4b7e6236e20d21e3b07ec68fd41a3dc260c8a9e846dd0d6e91

  • C:\Program Files\7-Zip\Lang\Recovery+unjwq.txt
    Filesize 1KB
    MD5 8cc1b8afcaaefa20f3b43218d306dafc
    SHA1 5acd12d08ed888be624fe518c93140a316c18d18
    SHA256 71b29eb7ce1484e925d50e9593e1e0ddbe3b573e4879dc8df44f87ff7b45803a
    SHA512 5fefdb4f97f0544cb94405390af801b3933f6447512d4e3eba7605c6b7878df52beb56ef3b69072eb46b138054c3c3f9ae55433765752018e81c0cf94b997dfb

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize 560B
    MD5 8fb2c8ec555061970613f7277d26e214
    SHA1 eafb8cd6c04e8df90d1a070f6401394fdda2da78
    SHA256 c7998219b9c7d31fd6be148a071d6ee74e84b980643a03bc2519af526b833f45
    SHA512 ec403d1a7781710b96e70208fc068f8316c7c160fe054c8cc783207915380718a5fb71ebaa59143739406ae2b44185684db49992e99cf5f0a30296d8a71c2960

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize 560B
    MD5 353c28e76a70c641d7ca9d8969568685
    SHA1 5881f6f20f5b711eba1252f9c11297a4be5fc120
    SHA256 f0816925a55bf7d4e09e1aeefdafceba5370dbdc8201092d0796153ecace0548
    SHA512 41da202718e7cd318dede051750947927ef97b6df9320c44c717797d7dca62baef67a512f9b07568a1fdcfbc3b7035aa6e17e76bbd2adc1a158b15ed88437bda

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize 416B
    MD5 22444c7d719c8d1dc4acf733f6bed6e9
    SHA1 636b73729c25f753dc62a78f1f656b909a8d31cd
    SHA256 2bc61302034de81fbe15e7e7c55f761b13df6bc4e88b1c7354a807205e9f2c7f
    SHA512 3910954c2712986ec173ab168e20000025a0bbcb233f239af55371ecd5a523d7d77624a20cfe616acfde181a9c9c9ccbeefd6aa164a7247faeb401dd760d57fb

  The Edge profile files that follow (Crashpad, Preferences, Local State, data_reduction_proxy_leveldb) were written by msedge.exe (PID 4240) when it opened RECOVERY.HTM, and the DeviceSearchCache files are Windows Search state; none of them is malware output.

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 eaa3db555ab5bc0cb364826204aad3f0
    SHA1 a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
    SHA256 ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
    SHA512 e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 4b4f91fa1b362ba5341ecb2836438dea
    SHA1 9561f5aabed742404d455da735259a2c6781fa07
    SHA256 d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
    SHA512 fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 5KB
    MD5 38a4af3b17a725523ae74cf8a9f30ccc
    SHA1 c39a64af4c2c253f7c9322f4e56077452ffad3fd
    SHA256 af915389387c63fc43b982926aab2c62888df1bf55d7335856e8672d7b14b887
    SHA512 38efd93eae32e5995a465ea973d148bf59bc98bc6fd18e9113d1710c30a36d690c103020f75e7e3bbebb7e95f6f5d13ad49268f5b3155188267863d0c3d18e0f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
    MD5 8de8768f35b6b64e9dacec86ba8fb935
    SHA1 dab7e5bd9c6113a479ad0475d906ba36dd53b0ae
    SHA256 ab578113afa69cadab04b78c46ef82a3256b04eeae2baf6390fd35f06ad30b4c
    SHA512 45cfa99383d6ba893f05e3990a7270c3923e6e5e62e1bb87e93edab6342168888fd41ebd3ab4f4336cc616a051b4d9a9b9f1141c9ce0b527822c695caa619d39

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize 16B
    MD5 6752a1d65b201c13b62ea44016eb221f
    SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize 11KB
    MD5 3049878cc9410a9e6e0093a66f1918bb
    SHA1 fb95a061f62ee8f2d4447659b30f321260fe8330
    SHA256 b9adbbe8c80b98249e7b018ede443c1e8476d4094db1ba6c0f6749390f723aeb
    SHA512 bb46465718c0a827f4fe9b4441ee0153cef83780d25096e84d75a38eb65a05f59425c14e56c89db58ae897436ca86bc12fe72d52f933914670d3b02bc10b7668

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596380890952339.txt
    Filesize 47KB
    MD5 7835014852dbede6ccf16f1c9f294414
    SHA1 d974bbd4d3163e26ab454258d41b358e2a72b0d3
    SHA256 fe370dc162793b674d336b3da188430ad0c3e1ae74308301614759cc5336689d
    SHA512 58919f0e8cba14788caaf341a6a45eccee644c829c43bcd487fb33783e7404416c736a5408b80aa36200932860465b73b35c6a65e21eb372fffdc4e95bb02e5e

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596422533627225.txt
    Filesize 75KB
    MD5 16997124746de1938cc2b87c4b080fd9
    SHA1 bef4c90e900c960a4fa0fde1e51d790ba7268845
    SHA256 5f737996c52f1940280077646a829ab1fe9fb687deac9c05bb1a2694ab4bd715
    SHA512 d9abf434732f379afe10685e71226b9b058ef638a31ed580e308ec2382bdb65976422c96d142f52201799e44bbb4eb3be6f1f7d34b0236cc38848b5e4d6e5e36

  • C:\Windows\gsucedsfqjts.exe
    Filesize 336KB
    MD5 a5eb9cf3b138e8466071ec20a6722b5c
    SHA1 5b8db28fdc2e40fd67b3de164eb9d904122e5cef
    SHA256 ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e
    SHA512 499af2dfd9997cd737ebdd758d7c84e36084d5db5cf1f2eb032fd496b549e808303eb73275e9ddf378e966972c1ddbab03174ba5b9b97fd4c75c2ba1e5d14a24
    (same digests as the submitted sample: a byte-for-byte self-copy into C:\Windows)

  • \??\pipe\LOCAL\crashpad_4240_ALOWMXFVPHRDCKCF
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    (these are the digests of zero bytes: the entry is Edge's crashpad named pipe, not a file the malware wrote)

  Memory dumps (PID-event-start-end):

  • memory/3652-17-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-10183-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-22-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-19-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-16-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-2226-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-2708-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-4341-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-7310-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-18-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-10465-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-24-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-10455-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-10456-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3652-10464-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/3976-11-0x0000000000400000-0x0000000000748000-memory.dmp (3.3MB)
  • memory/4028-0-0x0000000000BD0000-0x0000000000BD3000-memory.dmp (12KB)
  • memory/4028-3-0x0000000000BD0000-0x0000000000BD3000-memory.dmp (12KB)
  • memory/5020-12-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/5020-5-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/5020-4-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/5020-2-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/5020-1-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)