Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02-11-2024 19:17

General

  • Target

    8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe

  • Size

    384KB

  • MD5

    8736b31e13bcd6e154dd6ad39b839f8c

  • SHA1

    9135b9746cb37636cd26cbcc73ffd0451a34b426

  • SHA256

    5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f

  • SHA512

    1f8a4ca3b1d33e6208e45c8f42fa1650dd1b97162b499053cc45c034dc87f4d03448a4289d9efbc64bd0e135b7cb597036311dd0f5c763dd6ced6f36ac6a01bf

  • SSDEEP

    6144:SeVGON09XRWtlggcMOEqmgWqvANwxcLSgL8J4bAvtqjPtW6wU25vB8ynNd98UW:gON09XotWgOfmgLA8cNYQAojtwU2xnv9

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+vaskb.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C75A7D5E23D68FE 2. http://tes543berda73i48fsdfsd.keratadze.at/C75A7D5E23D68FE 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C75A7D5E23D68FE If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/C75A7D5E23D68FE 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C75A7D5E23D68FE http://tes543berda73i48fsdfsd.keratadze.at/C75A7D5E23D68FE http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C75A7D5E23D68FE *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C75A7D5E23D68FE
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C75A7D5E23D68FE

http://tes543berda73i48fsdfsd.keratadze.at/C75A7D5E23D68FE

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C75A7D5E23D68FE

http://xlowfznrg4wf7dli.ONION/C75A7D5E23D68FE

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (861) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8736b31e13bcd6e154dd6ad39b839f8c_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4740
      • C:\Windows\dlqhkhwjoghf.exe
        C:\Windows\dlqhkhwjoghf.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Windows\dlqhkhwjoghf.exe
          C:\Windows\dlqhkhwjoghf.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2296
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4416
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:4472
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe14446f8,0x7ffbe1444708,0x7ffbe1444718
              6⤵
              PID:3944
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
              6⤵
              PID:4064
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
              6⤵
              PID:3344
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
              6⤵
              PID:2576
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
              6⤵
              PID:2256
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
              6⤵
              PID:5036
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
              6⤵
              PID:1212
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
              6⤵
              PID:552
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
              6⤵
              PID:2772
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
              6⤵
              PID:308
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
              6⤵
              PID:2632
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,1725806745508988703,4729998753872252591,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
              6⤵
              PID:3752
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3756
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DLQHKH~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\8736B3~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5036
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4924
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1668
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3636

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Program Files\7-Zip\Lang\Recovery+vaskb.html

                                Filesize

                                11KB

                                MD5

                                f422e6737f6f4d842404822f0e8e8b86

                                SHA1

                                12c57848aaad97fb9af11da2acc059b00d5931b1

                                SHA256

                                6a3aedb82fdb490fa78fb9dcae256ed415d9ccc407a18bcaed8a9e12e1e62ed8

                                SHA512

                                ef9ebf14c6f3fc9b4704024137b8993a9d127c44f1220a2a30c3b6f068b317edba9037cf75ee6282cfe733e97156459468bc97d45ef6fadec048093757e5e4c7

                              • C:\Program Files\7-Zip\Lang\Recovery+vaskb.png

                                Filesize

                                64KB

                                MD5

                                975dfe5d300a434f135bee620493e960

                                SHA1

                                123b78ccf0c428c8099f631733cb16bb097ce7d1

                                SHA256

                                c80dea46e2567c846af269e40de97250b9e254924581ff8489f708590dae0ef4

                                SHA512

                                de456bb631a017dbed0a750d2e1abbec40711c401f5fc4e1807e200c674ca20fd442b1c2926d465091c9734a1ce3f6c716a4085842239d2b5f3396c234da0f86

                              • C:\Program Files\7-Zip\Lang\Recovery+vaskb.txt

                                Filesize

                                1KB

                                MD5

                                14613dba88591bbb34213a680a609142

                                SHA1

                                2886b0c00f60295058eb418c53a1e3fca5bde07b

                                SHA256

                                d04cd89b72a18607ca2c52d1569927e7dc7ec0d80af84e7fe00586fe7beca84b

                                SHA512

                                1c709fda448eaea2f7d4c1e88ca373222700842183de678b390711172c2440a3240c21e24232681f77a7cffd17fe0e6a48e77ddb0202fdf21e8bcbf8d1947dc9

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                Filesize

                                560B

                                MD5

                                028bd851193cd31ffec70da7cdd6894b

                                SHA1

                                8b2a4ba50ef313b23e16e0a9dcd6dedee61e4650

                                SHA256

                                e9c9c607bc5d5dbb6791694001f8b959fd41e982b11a28ae10efe1da97639b1d

                                SHA512

                                435ac88eadb92ef33d93dbc59b4695c9f27a436523d05cfca2870bde8fefc2c89b49688fb8207bcc7e430e0a5266c239fc3f2b4598dcf6ec75d653920f5a319a

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                Filesize

                                560B

                                MD5

                                23cdc52fd2d4c31b77572354db87cb5c

                                SHA1

                                caeb5a1f5234f811d72dbacc480a09e3d05286a3

                                SHA256

                                9dd23948edcf1c519c9bdede22295e54f763c9e88448e50ee5f775614f9ccd68

                                SHA512

                                7922fd74f3f590b40c231f47ec093f5151ac6553a1e8896954887abfa09e9afbd2c1c0dd2cf3e5cb587a01e7d1d7cf0c503c2e32eba524c5f3a17e0c41bae443

                              • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                Filesize

                                416B

                                MD5

                                95123e7c36e7509a5716079387e69045

                                SHA1

                                af6b8fe21bb59fd95afa4947ec2f440a82c78ab5

                                SHA256

                                6222d3f339efbb0624227784db2a2414a46e73c56084cc2889ea3f717093f98f

                                SHA512

                                14da8f17c12d9ff8e688d491f91565408f1e665f886451ffc13cef4b60361a9004bc6cc4bf26b1e59f9a2bca81b062361c5f71327c3d8f34901a75a92cb31b74

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                37f660dd4b6ddf23bc37f5c823d1c33a

                                SHA1

                                1c35538aa307a3e09d15519df6ace99674ae428b

                                SHA256

                                4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

                                SHA512

                                807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                d7cb450b1315c63b1d5d89d98ba22da5

                                SHA1

                                694005cd9e1a4c54e0b83d0598a8a0c089df1556

                                SHA256

                                38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

                                SHA512

                                df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                9e77327342103bd08b1422442141690c

                                SHA1

                                9f1c4462f88d951e554bb01ae8e011bacb5b908e

                                SHA256

                                79a1ab651db7f03a725c772dcf0ad5c44698c8ec56d3655461525e7a5021861b

                                SHA512

                                a81f10a7c645ab49038ab5873ce9afa3a8e9a6d499c75035f8c0091d618fb0ef86ee590e0a9eab786a27580a8dc4da0983fd5b51e7477bc779673b2d5c429d55

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                4f657a066cc0c6d542a994b366bc88d9

                                SHA1

                                e2ffb98d92c6c3c138ef871f1d83adbcf27aeeea

                                SHA256

                                372c1ec580b115015b7e817b3f2e90181e0f4cc66988fdb4291b6002406646c3

                                SHA512

                                70cc5dd0ac5f852e14af94a338945388289ea9897e7b768f0d9d1e3d7736c65980e23563313cd58a8aa75a57283ddc997cba065536c50816724b45c190ce2373

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                206702161f94c5cd39fadd03f4014d98

                                SHA1

                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                SHA256

                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                SHA512

                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                7a90f2fb7079234a34eefc5939a3c9f0

                                SHA1

                                f3fda053fe1eedcd3295b07907518bf434444cd2

                                SHA256

                                bc496c31c79dc604a8d9fd45fcb7c1cd5982b644b0f6d3580d7ef7a698a066ba

                                SHA512

                                8f2035f3a06b27e17c9e37059ccc7ca467625f045090781a2c735c57a19b4a4a179921ed9b81aca833593e784c0d00d7ea42f969032f33f47af2dab94bc9aa81

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

                                Filesize

                                77KB

                                MD5

                                0d26b32eee8e1c0c7a5900a64e52eb24

                                SHA1

                                1475cffc18686a3dbbb26e0bf71027e6350bf6ea

                                SHA256

                                e2c0f7a3d95030a14f5f09d1a86ed72ab801f394750fa403b6746af26eece576

                                SHA512

                                2fed2cb1eb8417eeff27f25d3c2718a76c2037f1b8671d650b5e73b6a63f9f2a465341008a37edb8cbf09f76b7f6d60844edb465bf732f3d52c59109e202ba87

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

                                Filesize

                                47KB

                                MD5

                                d951d580878d3c772553e487ccc28cdc

                                SHA1

                                836214f98f353b1a5131b58e70c4ed4c28f2757f

                                SHA256

                                9cac2b2b84d1712662a1fb8aa1966ca69a6e526e93e4d6650128072c0b009131

                                SHA512

                                67012da935aae005197a8a1f41faf1ec4566aa0b2430fe89f344a346a7093cdc9bc8a2b7db27cb61abce34aa6b655943ca58f60a6dc5fa9fdca3f016c680c945

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

                                Filesize

                                74KB

                                MD5

                                5e9cbaebda55ac198c35d98c948d3254

                                SHA1

                                84d193fa98c7ca05fd34aa93405ea20d3033bda1

                                SHA256

                                e310e60ec776100168373048c7516512e47dff6ace960797609c5ad6dd66ccac

                                SHA512

                                11b2859d999769f7640d56580fa5abbc8a963fab54818d605398ea09c555f305372a94e1e70fd0716d54af1b522cefa9d8701c0e70f8fbbb2b072026fdcd911a

                              • C:\Windows\dlqhkhwjoghf.exe

                                Filesize

                                384KB

                                MD5

                                8736b31e13bcd6e154dd6ad39b839f8c

                                SHA1

                                9135b9746cb37636cd26cbcc73ffd0451a34b426

                                SHA256

                                5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f

                                SHA512

                                1f8a4ca3b1d33e6208e45c8f42fa1650dd1b97162b499053cc45c034dc87f4d03448a4289d9efbc64bd0e135b7cb597036311dd0f5c763dd6ced6f36ac6a01bf

                              • \??\pipe\LOCAL\crashpad_2572_TDNODXIBSPDSSTBK

                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                              • memory/2296-19-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-10509-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-23-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-1047-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-21-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-2150-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-2149-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-4309-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-7188-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-20-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-10560-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-18-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-9568-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-25-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-10510-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-10518-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2296-10520-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3608-12-0x0000000000400000-0x000000000054B000-memory.dmp

                                Filesize

                                1.3MB

                              • memory/4064-0-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

                                Filesize

                                12KB

                              • memory/4064-4-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

                                Filesize

                                12KB

                              • memory/4064-1-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

                                Filesize

                                12KB

                              • memory/4740-15-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4740-6-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4740-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4740-3-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4740-2-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB