Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2024 05:25

General

  • Target

    b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe

  • Size

    360KB

  • MD5

    b702f4bdd3ddbb11baaed1c12cd69a8e

  • SHA1

    fb7efeb7aecfe40e719177b0fe99e4ab5cddc837

  • SHA256

    4bcb995d10d907933ffddc84d50c36a57464cd1192384744b8d62f18084c0e86

  • SHA512

    88a8f76ca2a7c73e99944631345c159e6bd0b14ca6aada1c29a585287d4702200298dc4f78f7eb5dced5537f2081bd019aeff3f21ea124bc3c29457ead4d9157

  • SSDEEP

    6144:lwWQWOQ2Gl8KgCNrvkAVShWOsyAm4Y+P/ggUDKmdZ0gwJF1qUiWBd3Rb77V3N:bQWx2Gl6yziyyeY+XgfHPVUiI3NPV9

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mqsls.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/52BD4AB5DF95BDCE
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/52BD4AB5DF95BDCE
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/52BD4AB5DF95BDCE
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/52BD4AB5DF95BDCE
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/52BD4AB5DF95BDCE
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/52BD4AB5DF95BDCE
http://yyre45dbvn2nhbefbmh.begumvelic.at/52BD4AB5DF95BDCE
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/52BD4AB5DF95BDCE
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/52BD4AB5DF95BDCE

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/52BD4AB5DF95BDCE

http://yyre45dbvn2nhbefbmh.begumvelic.at/52BD4AB5DF95BDCE

http://xlowfznrg4wf7dli.ONION/52BD4AB5DF95BDCE

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (869) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Users\Admin\AppData\Local\Temp\b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b702f4bdd3ddbb11baaed1c12cd69a8e_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\kpinjeonlufi.exe
        C:\Windows\kpinjeonlufi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\kpinjeonlufi.exe
          C:\Windows\kpinjeonlufi.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4892
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1816
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:4464
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3740
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff8bd2146f8,0x7ff8bd214708,0x7ff8bd214718
              6⤵
              PID:4236
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
              6⤵
              PID:2352
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
              6⤵
              PID:3296
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
              6⤵
              PID:3744
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
              6⤵
              PID:1076
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
              6⤵
              PID:4016
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
              6⤵
              PID:1416
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
              6⤵
              PID:3848
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
              6⤵
              PID:2656
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
              6⤵
              PID:4692
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
              6⤵
              PID:1064
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,11136972818655187128,17702996464762180478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
              6⤵
              PID:1804
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2560
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KPINJE~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3244
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B702F4~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5056
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3076
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1804
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mqsls.html
    Filesize 12KB
    MD5 d2d32a54a874212913d6649f26d5a472
    SHA1 7b33b4e4f9c0119d60682cf065d4db8774af89d9
    SHA256 76a4a98843757d222e29bcb15245a55075c27227085dc95ff2ed771569d6d1e5
    SHA512 3afb4a524f7940aa74c38cab1e0972211264e2c2ff5e57c91c2c64ca987798a3d783211cb9030f3d7dbf58a27e8904f02a5a80a05b4af0bebf0a63211292c0f0

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mqsls.png
    Filesize 64KB
    MD5 a7caaa564a1218aabc75ba754c0c3e72
    SHA1 ded475e7d2e63cff53356010641cd63af8455d41
    SHA256 6cc3f0c9aceeada271be834421f30aa9f512e7e058dba6e879bb215454a7c29c
    SHA512 e4c26be007b5c672ae1f8dcb27c89916d304e5514f64045471a245c1e7f0e404b2fe6625aabebc80d6a7900a347438d2bacef7588b16d2260c68aef3b4123641

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+mqsls.txt
    Filesize 1KB
    MD5 bb5a51315fd56a7af9fb9bd5658b2c60
    SHA1 4b5f7ba6379cc52187ff9495e1763eddcb79d8a9
    SHA256 a1be0730af8e2de60beaff4d9aa457343d0ecd77029a4b2edad9402b6312a88f
    SHA512 e51a341bca25f63e12e129fa2560c1da9d0f48467aaf31e3906e197a89d62ab7eaa069edd164f4191951cae6e279a7554975da79a37ec12d074a46cd4694ac29

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize 560B
    MD5 9c3629b4c10959da7fa2aff49a33dab4
    SHA1 a3217d0a3687947cf4c13b4d3fbda34d8d042b32
    SHA256 936cd4e7042028c80b1e146b3dd947972064952cfac1304e00b773fc84b1d640
    SHA512 8b31a10c42309eb4dc3d70fd6b1d2ba464a45d2ab88259393302f125ef964c8ef4510c9eba1f9c1af65852f0f5022efa4d2a48ae6b5e8219c603cdc5a266df14

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize 560B
    MD5 1b601a4187520f52c455ff82d21184a0
    SHA1 e96f6f32bea83f8deb84fbbd74e9e4b1d238018e
    SHA256 082129250acf01e76db021a1cba934542beef428a01d772e30fe3cdbbac1c08b
    SHA512 128a608b2dc6c84de75bedaf610f0eff257b13b666d5eb3b4d0ec4fe2ef94a1f75ef17ca5b849233dde40a47c8d2e97603035f6db7ddde0bc1ba235ad562dd77

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize 416B
    MD5 43b4aeddef046704ecd9328073a1ae2e
    SHA1 7ea573654de92fb7e7e046cef184fb0fae1c5ce7
    SHA256 5ac0d3b4caf7f2bbf3ee254ebb6c4e56d4bb06258dc0b1f5bc2f85fa98000afa
    SHA512 76e872a64d783707b88126635be27a11407373365487d218443f90fac058121a6587e64f8380ce510fccf9652923ac7789f2f6a0b3a10aac19337c6423b11301

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 61cef8e38cd95bf003f5fdd1dc37dae1
    SHA1 11f2f79ecb349344c143eea9a0fed41891a3467f
    SHA256 ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
    SHA512 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 0a9dc42e4013fc47438e96d24beb8eff
    SHA1 806ab26d7eae031a58484188a7eb1adab06457fc
    SHA256 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
    SHA512 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 5KB
    MD5 99689a7f779d54582e86cfc6ea94d380
    SHA1 7f9e5b4a11d0d74f963040ec103880c81b59ef67
    SHA256 dbac6594cf9ef928b6b49df0f8be37d6198deab261f901b4138e2aa135e29925
    SHA512 1ec44fe8790cf0505377ca891313b03c1b01f334aeab240ca6eb46a1076a7bc7017de22bb17008251a3e21e9c4fd1605f5e9ffe4be5246e6e241cc3aabf54ac0

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
    MD5 7f02fdc8e66742a7da8cd5f376c7bc3a
    SHA1 d10e56e51afcb2dab354f1816078508162efd73b
    SHA256 47d7134167adc293f25107dfe48dd8ff7b957b349e07f3b4e74eb6bccd062841
    SHA512 8b712761cb0e6806e919c2b6b186edb9479be6f349b53ad2ca95518d55122adf00d1dc2bad3b1d457d3df438ec77224186199e66d09c74921cac5dee1f2a9cbf

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize 16B
    MD5 6752a1d65b201c13b62ea44016eb221f
    SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize 10KB
    MD5 1c3d29168f8eb0c2f371f24ef3dd549c
    SHA1 a1748ab7fb77270999a8842efa2446124e621fc8
    SHA256 94c69277b25d886c5b688ca425a01d64c9d9a853bddcfdb471903ccc9287c35d
    SHA512 65480f3300dce1112e0b8e1eee7b9833f7a6ed4a364687614a65a904d8ef235b67976554040f0b65acb4f64da1a73d1ffb3b96c47680d4f9751f7910473d643a

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665885684530.txt
    Filesize 74KB
    MD5 474d01aab19f7a08f98b5918f075fca1
    SHA1 5c245ffcc63b88a506e92a0297fdbe8c09f4c3c0
    SHA256 792dccdd0dad280b58c72ca19399c08343f23e0ff34a6df4007ee0530b84102d
    SHA512 fe3db792bfc91f015a73138c35221985e880a25181c3b8a9776faf7f46ecfe6fb775e0fc2ffb23f6f41763b5a9c2ebe3801d1c7cd831faadb6f0dfcdfbc55225

  • C:\Windows\kpinjeonlufi.exe
    Filesize 360KB
    MD5 b702f4bdd3ddbb11baaed1c12cd69a8e
    SHA1 fb7efeb7aecfe40e719177b0fe99e4ab5cddc837
    SHA256 4bcb995d10d907933ffddc84d50c36a57464cd1192384744b8d62f18084c0e86
    SHA512 88a8f76ca2a7c73e99944631345c159e6bd0b14ca6aada1c29a585287d4702200298dc4f78f7eb5dced5537f2081bd019aeff3f21ea124bc3c29457ead4d9157

  • memory/548-12-0x0000000000400000-0x00000000004E0000-memory.dmp
    Filesize 896KB

  • memory/3776-0-0x0000000000640000-0x0000000000643000-memory.dmp
    Filesize 12KB

  • memory/3776-6-0x0000000000640000-0x0000000000643000-memory.dmp
    Filesize 12KB

  • memory/3776-1-0x0000000000640000-0x0000000000643000-memory.dmp
    Filesize 12KB

  • memory/3856-13-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3856-5-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3856-4-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3856-3-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3856-2-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-17-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-5538-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-2710-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-8990-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-10532-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-10533-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-10541-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-10542-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-2697-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-10551-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-203-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-23-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-24-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-20-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-19-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/4892-18-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB