Analysis

  • max time kernel
    137s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-12-2024 01:13

General

  • Target

    dc56ff2ad208373e7894272128dcfd13_JaffaCakes118.exe

  • Size

    332KB

  • MD5

    dc56ff2ad208373e7894272128dcfd13

  • SHA1

    492b49938fe3b9477d9f650ea81ea44e1bce2c79

  • SHA256

    1ec6d16bb03201b4bb5bf1f2912a037e9f0470b9037e04a1cd40081887ad4f0a

  • SHA512

    a944e27f309f003e392104bcfb54bb165793c049bc6cddf562296136038571602abcad2ebfb3d20ad62abbb02f95f0954718da052e6b90d05d2fb6873ca7dafe

  • SSDEEP

    6144:tBRwPAvE5Ugv5yEMhQzwKSPKx+f2DmkAKLYmbCT597:tCWacQlSPGhmkx0

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+ekvaa.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/193CCC969F35A6
2. http://tes543berda73i48fsdfsd.keratadze.at/193CCC969F35A6
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/193CCC969F35A6
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/193CCC969F35A6
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/193CCC969F35A6
http://tes543berda73i48fsdfsd.keratadze.at/193CCC969F35A6
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/193CCC969F35A6
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/193CCC969F35A6
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/193CCC969F35A6

http://tes543berda73i48fsdfsd.keratadze.at/193CCC969F35A6

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/193CCC969F35A6

http://xlowfznrg4wf7dli.ONION/193CCC969F35A6
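Added example (Python; not part of this report or of any sandbox tooling): a triage script for a host hit by this configuration. It walks a directory tree, finds ransom notes by the Recovery+<ext> naming seen in the extracted config, infers the appended extension from the note name instead of hard-coding .ekvaa, counts the files carrying that extension, and pulls the victim ID and payment URLs out of the note text. The directory layout and the abridged note are constructed test input (the URLs are the ones listed above); the rule that a victim ID is the trailing upper-case hex path segment is an assumption.

```python
"""Triage a TeslaCrypt-encrypted tree: notes, appended extension, victim ID, URLs.

Added example, not part of the sandbox report. NOTE_TEXT is abridged from the
report's ransom note; the directory layout built by demo() is constructed.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

NOTE_TEXT = """NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
For more specific instructions, please visit your personal home page:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/193CCC969F35A6
2. http://tes543berda73i48fsdfsd.keratadze.at/193CCC969F35A6
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/193CCC969F35A6
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: xlowfznrg4wf7dli.onion/193CCC969F35A6
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/193CCC969F35A6
"""

# Recovery+<ext>.{txt,html,png} next to encrypted files, RECOVERY.TXT/.HTM on the desktop.
NOTE_RE = re.compile(r"^recovery(?:\+([a-z0-9]+))?\.(txt|html?|png)$", re.I)
URL_RE = re.compile(r"https?://\S+|\b[a-z2-7]{16}\.onion/\S+", re.I)
VICTIM_RE = re.compile(r"/([0-9A-F]{12,})$")   # assumed: victim ID is a trailing upper-case hex segment


def normalise(url):
    """Drop the scheme, lower-case the host, keep the path (the victim ID) as written."""
    url = re.sub(r"^https?://", "", url, flags=re.I).rstrip(".,)")
    host, _, path = url.partition("/")
    return f"{host.lower()}/{path}"


def parse_note(text):
    """Return (victim_ids, payment_urls) from note text; URLs without an ID are ignored."""
    ids, urls = set(), set()
    for raw in URL_RE.findall(text):
        url = normalise(raw)
        m = VICTIM_RE.search(url)
        if m:
            urls.add(url)
            ids.add(m.group(1))
    return ids, urls


def scan(root):
    """Walk root: collect notes, vote on the appended extension, list encrypted files."""
    notes, votes = [], Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes.append(os.path.join(dirpath, name))
                if m.group(1):                      # only the Recovery+<ext> form names the extension
                    votes[m.group(1).lower()] += 1
    result = {"extension": None, "notes": notes, "encrypted": [], "victim_ids": set(), "urls": set()}
    if not votes:
        return result
    ext = "." + votes.most_common(1)[0][0]
    result["extension"] = ext
    for dirpath, _, files in os.walk(root):
        result["encrypted"] += [os.path.join(dirpath, n) for n in files if n.lower().endswith(ext)]
    for note in notes:
        if note.lower().endswith(".txt"):
            with open(note, encoding="utf-8", errors="replace") as fh:
                ids, urls = parse_note(fh.read())
            result["victim_ids"] |= ids
            result["urls"] |= urls
    return result


def demo():
    """Build a constructed victim tree in a temporary directory, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="teslacrypt-demo-")
    layout = {   # constructed: original names with the extension appended, plus notes
        "Users/Admin/Documents": ["report.docx.ekvaa", "photo.jpg.ekvaa", "notes.txt",
                                  "Recovery+ekvaa.txt", "Recovery+ekvaa.html", "Recovery+ekvaa.png"],
        "Users/Admin/Desktop": ["RECOVERY.TXT", "RECOVERY.HTM"],
        "Program Files/7-Zip/Lang": ["en.ttt.ekvaa", "Recovery+ekvaa.txt"],
        "Windows": ["yyqqotqvhigc.exe"],
    }
    try:
        for rel, names in layout.items():
            d = os.path.join(root, rel)
            os.makedirs(d, exist_ok=True)
            for name in names:
                with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                    fh.write(NOTE_TEXT if NOTE_RE.match(name) else "placeholder\n")
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print(f"extension={r['extension']} encrypted={len(r['encrypted'])} notes={len(r['notes'])}")
    print("victim IDs:", sorted(r["victim_ids"]))
    for u in sorted(r["urls"]):
        print("  ", u)
```

Point `scan()` at a mounted image or a mapped share to get the blast radius and the victim ID for a real incident; the .txt note is parsed rather than the .html so that markup never reaches the URL regex.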

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware that imitates CryptoLocker's ransom notes and workflow. Its operators shut it down in 2016 and published the master decryption key, so files encrypted by this family can usually be recovered with the public decryptors built from it.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (887) files with added filename extension

    Consistent with ransomware encrypting files across the system and appending an extension to each.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and history. In this run the likely source is the Edge instance spawned to display RECOVERY.HTM (see the process tree), which reads its own profile on startup; treat it as a side effect of showing the note rather than evidence of credential theft unless the IoCs point elsewhere.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs

    Both the sample and the dropped copy relaunch their own image and then call SetThreadContext and WriteProcessMemory on the child, the pattern of process hollowing; the 532KB regions dumped from PIDs 2320 and 316 at 0x400000 are the likely unpacked payload.
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc56ff2ad208373e7894272128dcfd13_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc56ff2ad208373e7894272128dcfd13_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\dc56ff2ad208373e7894272128dcfd13_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dc56ff2ad208373e7894272128dcfd13_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\yyqqotqvhigc.exe
        C:\Windows\yyqqotqvhigc.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4992
        • C:\Windows\yyqqotqvhigc.exe
          C:\Windows\yyqqotqvhigc.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:316
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:876
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:4816
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c1ba46f8,0x7ff8c1ba4708,0x7ff8c1ba4718
              6⤵
              PID:3516
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
              6⤵
              PID:4888
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
              6⤵
              PID:2160
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
              6⤵
              PID:4344
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
              6⤵
              PID:3136
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
              6⤵
              PID:3708
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
              6⤵
              PID:2844
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
              6⤵
              PID:3560
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
              6⤵
              PID:5092
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
              6⤵
              PID:5020
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
              6⤵
              PID:4696
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14057532624536164367,4652875781505509633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
              6⤵
              PID:284
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3472
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YYQQOT~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5112
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DC56FF~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3656
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3444
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4028
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3964
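Added example (Python; not part of the report and not the sandbox's own signature engine): the behaviours the Signatures section flags, written as rules over process-creation telemetry and run against events constructed from the process tree above. Images, command lines, PIDs and parent PIDs are the report's; the parent of the first process and the field layout are assumptions. The rules go slightly past the page: shadow-copy deletion also matches vssadmin's `delete shadows`, and the ransom-note name heuristic is a guess at common note file names.

```python
"""Behavioural rules over process-creation events for the TeslaCrypt run above.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; the telemetry schema (pid, ppid, image, command line)
is an assumption.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dc56ff2ad208373e7894272128dcfd13_JaffaCakes118.exe"
DROPPED = r"C:\Windows\yyqqotqvhigc.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

# (pid, ppid, image, command line), taken from the report's process tree.
EVENTS = [
    (2352, 1000, SAMPLE, f'"{SAMPLE}"'),          # ppid 1000 is an assumed launcher
    (2320, 2352, SAMPLE, f'"{SAMPLE}"'),
    (4992, 2320, DROPPED, DROPPED),
    (316, 4992, DROPPED, DROPPED),
    (876, 316, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    (4816, 316, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    (3472, 316, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    (5112, 316, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YYQQOT~1.EXE'),
    (3656, 2320, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DC56FF~1.EXE'),
]

SHADOW_DELETE = re.compile(r"shadowcopy\s+delete|delete\s+shadows", re.I)
NOTE_NAME = re.compile(r"recover|readme|decrypt|how_to", re.I)   # assumed note-name heuristic


def argv(cmd):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def names_match(target, candidate):
    """True if target (possibly an 8.3 short name such as YYQQOT~1.EXE) names candidate."""
    if "~" in target:
        return candidate.startswith(target.split("~")[0])
    return candidate == target


def lineage(pid, by_pid):
    """Yield the process with that pid and then its ancestors; stops on gaps and cycles."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def analyse(events):
    """Return a list of (pid, rule, detail) findings."""
    by_pid = {pid: {"pid": pid, "ppid": ppid, "image": img, "cmd": cmd}
              for pid, ppid, img, cmd in events}
    hits = []
    for e in by_pid.values():
        img = ntpath.basename(e["image"]).lower()
        args = argv(e["cmd"])
        parent = by_pid.get(e["ppid"])

        # Backup inhibition: wmic/vssadmin removing shadow copies.
        if img in ("wmic.exe", "vssadmin.exe") and SHADOW_DELETE.search(e["cmd"]):
            hits.append((e["pid"], "shadow_copy_deletion", e["cmd"]))

        # A process relaunching its own image: the shape of process hollowing
        # (pairs with the SetThreadContext/WriteProcessMemory signatures above).
        if parent and ntpath.basename(parent["image"]).lower() == img:
            hits.append((e["pid"], "self_spawn", f"parent {parent['pid']} spawned its own image"))

        # cmd /c DEL <file> where <file> is the image of an ancestor: self-deletion.
        if img == "cmd.exe" and len(args) >= 4 and args[1].lower() == "/c" and args[2].lower() == "del":
            target = ntpath.basename(args[3]).lower()
            for anc in lineage(e["ppid"], by_pid):
                anc_name = ntpath.basename(anc["image"]).lower()
                if names_match(target, anc_name):
                    hits.append((e["pid"], "self_delete", f"{target} is ancestor {anc['pid']} ({anc_name})"))
                    break

        # Ransom-note display: notepad opened on a recovery/readme-style file.
        if img == "notepad.exe" and len(args) >= 2 and NOTE_NAME.search(ntpath.basename(args[1])):
            hits.append((e["pid"], "ransom_note_open", args[1]))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in analyse(EVENTS):
        print(f"{pid:>5}  {rule:<22} {detail}")
```

Feed `analyse()` tuples built from Sysmon Event ID 1 or Security 4688 records and the same seven findings fall out of this run: two shadow-copy deletions, two self-spawns, two self-deletions and the note being opened.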

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\Lang\Recovery+ekvaa.html
    Filesize 11KB
    MD5 7b384598a7f6f2d892961713aab3591b
    SHA1 23baf40368202fa6bfd55818be4aec3df61ef0e3
    SHA256 de89fc48d26eaddd88b613ce65bfed0b72bd099117528562399ddeae8842d899
    SHA512 0d2684d2843e4a7777f60b29696d0b091c934b0b21d5c6c62529e8191cd1c2675e8e859808e4fac054507503089119db2e1a6e5f3e2df69bd7812da287311fb9

  • C:\Program Files\7-Zip\Lang\Recovery+ekvaa.png
    Filesize 61KB
    MD5 d1a88f9924832be12bb8f986b10ac4d1
    SHA1 b632c0d94a86afb94778902d97a0c93764ef629b
    SHA256 3fcb8a3573ae3049c07a2841031124a8a3a0b8ef12dc917f0909aaa6e52da02c
    SHA512 4fa76ec23d152aa276451d6c7de13d04eb6621c2c3b35546f72cca034f5bd1b916cdfeff2030c109fbf9a6f7249ba3b156710b8b81d3e5179d70afef6b224442

  • C:\Program Files\7-Zip\Lang\Recovery+ekvaa.txt
    Filesize 1KB
    MD5 63b44ee90acaa11077d3e696d6cab23b
    SHA1 291ea81e0282ff4dd1dd0382144ce377ee9ce20a
    SHA256 38601e027db3ea03c63f8012052cd268fd8dbf883f1c812d1beed23ca8ca7073
    SHA512 db7d42ec50e7a3e8148c87831ff4121db8e7b6692a6ac9e1216693f67893d7eb032df9d0487e04070f3b51e5bd8c1bdf984428dff3586032a3f26a19c0e9d28a

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize 560B
    MD5 a586433a59ccd807618e1a2a18d9d2ac
    SHA1 b4f3706ed2d395f829305f9c338c45601113e7cf
    SHA256 d280d14dc4af843429eb146474edaec70d7c7ca1c0d37114e102a095babda27e
    SHA512 8d4065c375ec28ccd24c3dec4fd291895be7d3f5717c4ee011c8a4c8324946683f262443bb97452153f44fdee1b7988c222c55d6574affe4c41e47fbefdf394a

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize 560B
    MD5 7edfd5285df7c0410d49b8a870515a30
    SHA1 1bdc2c84dd89d95c3763328526677ee53902e16a
    SHA256 dee1f9f011138bbf18e6e305e9560e18bf9e7f0aa212ae6c95fdeeae5249dda3
    SHA512 b8b3aee9a546252c1be84c4d6e10ed57c20278281331949358e88735af79779133b0430070c0e339a4622e2027ca2a9d193864f288c68ca6d45acc5adf73abe6

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize 416B
    MD5 f13e4ebf9e49ff0ff2fc6af1ff4af0ea
    SHA1 9cfddf97d0bbfc34291933a8a704624a1fe40cf3
    SHA256 6d28f36e38b38706cbaa673d096781121d41cfe66394da6b8d05cf6991b788e8
    SHA512 214515eb98fbeab94057ce24a7575b0055f99c05132e99dae83aeb3b02f6d9c529f083fea0baffaba2803bdc0a924c08d9afcfedc93db18ae492399211ad95ca

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 e443ee4336fcf13c698b8ab5f3c173d0
    SHA1 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
    SHA256 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
    SHA512 cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 56a4f78e21616a6e19da57228569489b
    SHA1 21bfabbfc294d5f2aa1da825c5590d760483bc76
    SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
    SHA512 c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 5KB
    MD5 c9dbb3c7d4bce198ec8cca2d590d07a0
    SHA1 0351ec452454e1bb3863e355ed363789d5b22d5a
    SHA256 5922b0a495aed822e0f6b4df66fc718cc14fe0f746b680af218819349843835f
    SHA512 b6378af2401c4acaaea0e2be9de8f6f7bb08ed75f7ca2765c7feb64969818a09e1b73f132f885185bd8111b7a5c2e0fcc7ffb62deb1811dd19539760df24f7d4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
    MD5 b794e037a7234c97d921d4abf8766f8c
    SHA1 381136a934ff7c433b6801db47a59500a33cc5ff
    SHA256 3427540acdf08fad437f20c0128189cb426c23ff88ccae9100a882ad7e735346
    SHA512 f810b35ed1452421eca1656fa98be98f523839e663b3a6091788f4a34f866255c14036bb2a196e6f3c991cd8765c2741f964e38ff8ff04143196a1466e45d368

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize 16B
    MD5 46295cac801e5d4857d09837238a6394
    SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize 16B
    MD5 206702161f94c5cd39fadd03f4014d98
    SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize 10KB
    MD5 15d1b7d0a05b0481d81078f59c1c45ed
    SHA1 a8eec2db5f929391d14b3b889e46757e386ab0ee
    SHA256 9fd80c69920ed7237940c0a5668bda977785536879b8977517ac794682f6df75
    SHA512 6ee9aadb3d18f6f30947b6076eebd606ec6d23495ba1b51da178804f4efe511bef900f0ced023cbf2377f38a20df44892e945d44a3a1dcf6d25ed99a93d81dce

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656067266351.txt
    Filesize 77KB
    MD5 7a21b2874f19f749fbc123402df55820
    SHA1 836da67160cefa4b76035bd374e7a04bf0469efe
    SHA256 8b5280e9fcdee6f582fc6261096316f3ab976f8bb313cf2343b6570138f6d102
    SHA512 ac66c25efe2207da821376e33b7c6d9f4bb7e54aef7f52d55951a893d9a459a3fc2bfcbaf7ea4dac006f9a3c648deb1603081122da0c3e1d9b917e1211ef16f6

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665714398674.txt
    Filesize 74KB
    MD5 3d44046e33d1438ca228be3d6886aa65
    SHA1 f9fe365dd364238cd01640960ed2bfe1d8b6f9d8
    SHA256 bc174a004fde98813ae7b64e5344961aecf342cb8772f11fd02af3f0e7060a77
    SHA512 c15c33cd530921fcfe6c6325f7a517aebe64f68b32e8996f8b3a1b475b45f8923001535cc6ea541fdb875811f3ad8c0a3e7b81da40dfb0a151dced09b5b16692

  • C:\Windows\yyqqotqvhigc.exe
    Filesize 332KB
    MD5 dc56ff2ad208373e7894272128dcfd13
    SHA1 492b49938fe3b9477d9f650ea81ea44e1bce2c79
    SHA256 1ec6d16bb03201b4bb5bf1f2912a037e9f0470b9037e04a1cd40081887ad4f0a
    SHA512 a944e27f309f003e392104bcfb54bb165793c049bc6cddf562296136038571602abcad2ebfb3d20ad62abbb02f95f0954718da052e6b90d05d2fb6873ca7dafe

  • memory/316-19-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-10567-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-935-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-23-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-21-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-18-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-2652-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-2653-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-5328-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-20-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-10618-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-8900-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-10566-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-25-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-10575-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/316-10577-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/2320-15-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/2320-4-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/2320-6-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/2320-3-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/2320-2-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB
  • memory/2352-0-0x0000000000CC0000-0x0000000000CC3000-memory.dmp
    Filesize 12KB
  • memory/2352-5-0x0000000000CC0000-0x0000000000CC3000-memory.dmp
    Filesize 12KB
  • memory/2352-1-0x0000000000CC0000-0x0000000000CC3000-memory.dmp
    Filesize 12KB
  • memory/4992-12-0x0000000000400000-0x00000000006F8000-memory.dmp
    Filesize 3.0MB