Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2025, 23:08

General

  • Target

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe

  • Size

    371KB

  • MD5

    76b0182e3dc2f368facd1446a78d2ae0

  • SHA1

    6e6f6df8ef1a845e335995fbfa48dab3526cea29

  • SHA256

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

  • SHA512

    e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+uangc.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/FEBFC37BC65753C3 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FEBFC37BC65753C3 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FEBFC37BC65753C3 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/FEBFC37BC65753C3 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/FEBFC37BC65753C3 http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FEBFC37BC65753C3 http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FEBFC37BC65753C3 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/FEBFC37BC65753C3
URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/FEBFC37BC65753C3

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FEBFC37BC65753C3

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FEBFC37BC65753C3

http://xlowfznrg4wf7dli.ONION/FEBFC37BC65753C3

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (869) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
    "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
      "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\mqfqclwegnom.exe
        C:\Windows\mqfqclwegnom.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\mqfqclwegnom.exe
          C:\Windows\mqfqclwegnom.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:640
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1148
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:272
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4668
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb9b146f8,0x7ffeb9b14708,0x7ffeb9b14718
              6⤵
                PID:4248
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
                6⤵
                  PID:2860
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
                  6⤵
                    PID:2956
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
                    6⤵
                      PID:3780
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
                      6⤵
                        PID:3412
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                        6⤵
                          PID:3260
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
                          6⤵
                            PID:3268
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
                            6⤵
                              PID:5116
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
                              6⤵
                                PID:2112
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
                                6⤵
                                  PID:2784
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
                                  6⤵
                                    PID:3068
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
                                    6⤵
                                      PID:2008
                                  • C:\Windows\System32\wbem\WMIC.exe
                                    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                                    5⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4688
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MQFQCL~1.EXE
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4308
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:2192
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3864
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2780
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2924

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Program Files\7-Zip\Lang\_RECoVERY_+uangc.html

                                Filesize

                                9KB

                                MD5

                                05d77e54a1571b42539ef97cda213742

                                SHA1

                                99766833dda1220f4aa1789cfad4b976fc5de97f

                                SHA256

                                5cd1e34379331f9c32ae13ab3ac71851ecbbe4227de8687003c8be1224b5eca3

                                SHA512

                                984d87ebd6a605df11e0b0ca52cc9ab3d1106976d64c52c0a7d8fd6e1a2b3e4320534fbf0e4e163d2d45290458421bd1fb1193cd09cafaee8ca52e5b5a4e684a

                              • C:\Program Files\7-Zip\Lang\_RECoVERY_+uangc.png

                                Filesize

                                63KB

                                MD5

                                d949ebe0b29eaf708c9d938cc822a493

                                SHA1

                                8b7459054658c63bff7fa0c6b0a49f37b25b9d85

                                SHA256

                                fc11cdda1070e43cc05582ce14013412b12944f781afe408f73e8a9c6e21ec54

                                SHA512

                                b82eff9ce00b4795fb41b229520b8e6f3251c1d3b6f61246f42ac2f1191d74f3334183c3bdeeda0605e2753d7089381a9150c47d636494543df9b7c472d227c1

                              • C:\Program Files\7-Zip\Lang\_RECoVERY_+uangc.txt

                                Filesize

                                1KB

                                MD5

                                af824c96f3a52fb28202b68e4f188eba

                                SHA1

                                69fae9d9ffe0541c58a13b06396a98fe981676ac

                                SHA256

                                4e57543bb1f63e9a6b61745aaba8abd193025db28747753b62dc1b337d87d36d

                                SHA512

                                70a8ac1697158125361a42c0c137b19aed239ba9c5620ec2854727285d7dbe5faa4ec1ccb0a966a6259b3be8175ae80c81015cdcddf3999a26456888ae6096de

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                Filesize

                                560B

                                MD5

                                5e907d2993f30ce9abdf6494edaa13cf

                                SHA1

                                9c5bf1c091135e0e849b437944e9aa9f5ac5c414

                                SHA256

                                5a61ff2a33758e5d395be953dacb7724314051c56ab7d1eb013b5a6e955a1864

                                SHA512

                                c203f9fc9e64e1c89f08cdf116584aba10e45e7762de8264b94675bd752feb5005ff02f8531cb13c538886d25d3bcc0e1574f1f6433a9a8386631696136fe3d6

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                Filesize

                                560B

                                MD5

                                10385de3d57b197f50fd8a56b7f453c8

                                SHA1

                                a43566044f688c25daba10fd729b466b5ea42fd0

                                SHA256

                                1ea42b3029dff87370f6264c1faa746bf0f6a8c400f05a82acdb8f757a58608d

                                SHA512

                                183c7c15fc5d29ca343cc0286b70a92915a6033ab7efee177537741b53b607aebaa50c68111d7fa2acd296291dd891b2f9e83914b83a30d25799eac095fd5b15

                              • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                Filesize

                                416B

                                MD5

                                e580f1808aa099371e50bf6270f054cb

                                SHA1

                                36185fd3b24477bf7cde529a0b764993a442f161

                                SHA256

                                6ddf6199f67a73932f676116e637e22ee36ab22d0c057979c0f9784ccf2fdbfc

                                SHA512

                                470ca0536bef4920dbf4b88b1b7c8fb53e6736e724f59d0fc6689cd59cb2d4597e8a4e0023cc3f615145de7d14fde6579bd088d70891ef8bbb2a364f312809d8

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                36988ca14952e1848e81a959880ea217

                                SHA1

                                a0482ef725657760502c2d1a5abe0bb37aebaadb

                                SHA256

                                d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

                                SHA512

                                d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                fab8d8d865e33fe195732aa7dcb91c30

                                SHA1

                                2637e832f38acc70af3e511f5eba80fbd7461f2c

                                SHA256

                                1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

                                SHA512

                                39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                331ea3189495200d7dfdbc4450fc60ce

                                SHA1

                                b7483ecfd9fcc8ad4150328fe327d948a669099b

                                SHA256

                                36ca6869219c5026748f7a454c9c7ad5345978f9d2b92a402c91dbacbd831aed

                                SHA512

                                7b85c13e97821c85a8680718103fae8d3d1a45b1df56a546ac7247d4674efc4c3628ebf89a8a46bba0f7effa32697b747e45ae6a7e7af389943f0e5eb42e0475

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                e2ada8b54849a4a145689ce206ce63be

                                SHA1

                                2540c7895e5c92ed8cf2e67aacd0ff0cbdfb7c98

                                SHA256

                                56d294d00e91c93e0c2bbf96d837933dfbff0a1b017b519d0a813791e5a30e54

                                SHA512

                                eef1c8346d121f0be94d8807bebc69a3315e089a4d598d17c08a5cbeaccae1488e696b7a0e94c7881317fdff834865c2e03906d3917652476ead30a63f76a9f6

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                206702161f94c5cd39fadd03f4014d98

                                SHA1

                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                SHA256

                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                SHA512

                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                10KB

                                MD5

                                ff71b5c2e4a1c4acb7d61ae0e795fa47

                                SHA1

                                d2ae4befb022f7a852e822850489112f6ddc0ee7

                                SHA256

                                3ea8fcfd12bedfad13dd5ec207168de355323f6af444ae6283c2c15c475536cd

                                SHA512

                                268f308d450c28ff8bebfdce01e991ad58eb88623f5f2038ebcefc143527981d19b09fea3a02f7bd987501dbf364b20f1d2e87b816666c1a47c5074ae0391d67

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656325443828.txt

                                Filesize

                                77KB

                                MD5

                                1ae6736ed2671b317f27bd7dcd75bd7c

                                SHA1

                                84310fc1120bfbfe0e508689e7f2c48075c2a572

                                SHA256

                                6e0ad91ad26a92af5d2ba1b1087ab7c7a443a27c818f6d5c2b25b84c02b7be28

                                SHA512

                                f268a0c564332c80ce8e85d2aff1f1f9309c1f7933087144a7f17da3e6be1f28f123cd7a43342b0f8f9bbec010c23cb0126b8dcbcbc960ba38da59b488eabc45

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657695736094.txt

                                Filesize

                                47KB

                                MD5

                                46f0cd9796d51f6f9f735b8e53826922

                                SHA1

                                450331631cbec7aacf329facc0af7edbffb95f09

                                SHA256

                                79d2aaf69e8f2be4360b2b7cf9300e124fe71fde43cd6201574808cfce56ce28

                                SHA512

                                d5f46d57f29951add194105af0942ab87fb9dfa821e829957872da8173ebe41214f3a1f7dae4e8ceaa22266f1134d767c7ecd5a67a75fb303d0210815355c29e

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666235612999.txt

                                Filesize

                                74KB

                                MD5

                                78c90621b8dfb530fc3bf2a3601599bb

                                SHA1

                                75658829e52320fd11860dbd54a39395ffe4857f

                                SHA256

                                0e83d529c3dba1aff5c51d43e6e0e5a580b93e753f4b54e6e605d8abafe48959

                                SHA512

                                fc01731cf288dec3e52a31b60d1b588afc2a6a87a2c75d6eccb78a677394fd055a2e6fbdb94dbe62f00c5fc23ee12a8e3e14fe9b550f8d535fa5992b9937614e

                              • C:\Windows\mqfqclwegnom.exe

                                Filesize

                                371KB

                                MD5

                                76b0182e3dc2f368facd1446a78d2ae0

                                SHA1

                                6e6f6df8ef1a845e335995fbfa48dab3526cea29

                                SHA256

                                3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

                                SHA512

                                e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

                              • memory/640-16-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-10519-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-24-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-22-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-3077-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-3078-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-6198-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-19-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-18-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-10570-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-9755-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-966-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-10520-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-10528-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-10530-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/640-17-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/2376-11-0x0000000000400000-0x000000000056E000-memory.dmp

                                Filesize

                                1.4MB

                              • memory/2860-0-0x00000000005D0000-0x00000000005D3000-memory.dmp

                                Filesize

                                12KB

                              • memory/2860-3-0x00000000005D0000-0x00000000005D3000-memory.dmp

                                Filesize

                                12KB

                              • memory/4896-12-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/4896-5-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/4896-4-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/4896-2-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB

                              • memory/4896-1-0x0000000000400000-0x0000000000485000-memory.dmp

                                Filesize

                                532KB