Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/01/2025, 22:57

General

  • Target

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe

  • Size

    371KB

  • MD5

    76b0182e3dc2f368facd1446a78d2ae0

  • SHA1

    6e6f6df8ef1a845e335995fbfa48dab3526cea29

  • SHA256

    3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f

  • SHA512

    e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

  • Path
    C:\Program Files\7-Zip\Lang\_RECoVERY_+wmhei.txt
  • Family
    teslacrypt
  • Ransom Note
    NOT YOUR LANGUAGE? USE https://translate.google.com
    What happened to your files ?
    All of your files were protected by a strong encryption with AES
    More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
    How did this happen ?
    !!! Specially for your PC was generated personal AES KEY, both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1. http://yyre45dbvn2nhbefbmh.begumvelic.at/E791D7B64ADADBCD
    2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E791D7B64ADADBCD
    3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E791D7B64ADADBCD
    If for some reasons the addresses are not available, follow these steps:
    1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2. After a successful installation, run the browser
    3. Type in the address bar: xlowfznrg4wf7dli.onion/E791D7B64ADADBCD
    4. Follow the instructions on the site.
    ---------------- IMPORTANT INFORMATION------------------------
    *-*-* Your personal pages:
    http://yyre45dbvn2nhbefbmh.begumvelic.at/E791D7B64ADADBCD
    http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E791D7B64ADADBCD
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E791D7B64ADADBCD
    *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E791D7B64ADADBCD
  • URLs
    http://yyre45dbvn2nhbefbmh.begumvelic.at/E791D7B64ADADBCD
    http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E791D7B64ADADBCD
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E791D7B64ADADBCD
    http://xlowfznrg4wf7dli.ONION/E791D7B64ADADBCD

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (886) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
    "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
      "C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\ekmglkvkasqr.exe
        C:\Windows\ekmglkvkasqr.exe
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\ekmglkvkasqr.exe
          C:\Windows\ekmglkvkasqr.exe
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4076
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            • Suspicious use of AdjustPrivilegeToken
            PID:2936
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:5000
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2480
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbc4c46f8,0x7ffcbc4c4708,0x7ffcbc4c4718
              PID:3224
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
              PID:1636
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
              PID:4492
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
              PID:2848
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
              PID:2012
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
              PID:1720
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
              PID:4352
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
              PID:5088
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
              PID:3872
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
              PID:4208
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
              PID:1432
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7016193954566379927,17526404458651551164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
              PID:620
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            • Suspicious use of AdjustPrivilegeToken
            PID:2580
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\EKMGLK~1.EXE
            • System Location Discovery: System Language Discovery
            PID:3836
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE
        • System Location Discovery: System Language Discovery
        PID:1044
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:2688
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:1904
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+wmhei.html
    Filesize 9KB
    MD5 283c3ba175a37bb1cf396cf8978db7f9
    SHA1 fdd6ab098fe1d39785c5101ad3ee5fae01ddaddd
    SHA256 562aeb1e1cd2e1093c33525634b771b6ecfbfc81a4a24e5f4b08ef880478ba12
    SHA512 ec6e0864a1951ada72edec5fa3f61b6053cc79c914b6873b232746d562c3146cf379d5448e498c67632fb39eb399f7104fa3d14f1620af9a2b7843eb3fe13e49

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+wmhei.png
    Filesize 63KB
    MD5 c0a8be4bb16828b4ea48af66f6d5b7ff
    SHA1 42b94d1c4573c2125a594f2a9317ae8c74bf72c8
    SHA256 a571b9a423707017daf6701eed7708c363cd52c4f02945ab295cf935f259a5f3
    SHA512 a6bb6f6e7e7f54c8017288f13895362b807c07472ee05155098b8b4fdec38d416b5cff742d15f8d3b4efa09e0dadafd09279ebdc79177409eec66c645af63230

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+wmhei.txt
    Filesize 1KB
    MD5 605e2c7956fe9b7cacd66fe97ee456c4
    SHA1 da8faf7c61469b456fdd57c93122aa5a4e601f3b
    SHA256 0413fc5e7bef52e058b4fab567b5936d19e4445f4bd978842634daaecb0ea3cd
    SHA512 b08b57033600a3d515508f9844a129df0d5f9c7dc5b47ccca30027bc35c38e789a913b1be800abf1b7ea29ad494b05992ba428a10ba6a17461446aa94b4a85ff

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize 560B
    MD5 25dd8a3af0f610707eaafca97411652c
    SHA1 7fbd85c2e5cf853846a896d62bb6cd88f47fe0ed
    SHA256 68ebe278ee0f7231566e06c8e4b40b2c828980594de8764ce5df9d1ed9a317d1
    SHA512 4700225ee010bc61d6bd20625949b88fb188ebf3320ad63685ed31773899723ac54998b7825224c1cb51c567972b4dd8210b64dd241f8263d2c57471453110b9

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize 560B
    MD5 082671eb7219e1859d4177e79dfc2df7
    SHA1 8fb226ec3bc08acfaf817826704023fa46626da6
    SHA256 5edfd14bf947cb139d44de7fc1361993d09fac0794f0c0abb41e58b2e45b9013
    SHA512 dafcb19f09ed479426ffe2ba2f17ff1a8c418ab0d7c8559970a627a4abe9f67f60fa6d532426b80d9e38ad2176d4a1e62e66283f67cc7a4225e1d5770a74068b

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize 416B
    MD5 945068f129954cdadcc8c07c446ab0e1
    SHA1 0fd0e6085f4bbf8de28ddf7ea85de7b805f65e7f
    SHA256 286fa44de14bd5cb77e5a6eb582b33caea386a0107d6699d1f35caa0af7783b1
    SHA512 019fc73bf771c30d637e5d8e5be57ccf389e72dcf2574b9cb5bd472a570fdd25c49231ea20dfd8abd8136624aa13f1cc39bb22b7005c30388128636411e07594

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 61cef8e38cd95bf003f5fdd1dc37dae1
    SHA1 11f2f79ecb349344c143eea9a0fed41891a3467f
    SHA256 ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
    SHA512 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 0a9dc42e4013fc47438e96d24beb8eff
    SHA1 806ab26d7eae031a58484188a7eb1adab06457fc
    SHA256 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
    SHA512 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 5KB
    MD5 3d1b66acd843b940eb7c6eee1de8d8e6
    SHA1 02bb819121e650ac01c2b3e86cc3a9e39cdfde59
    SHA256 21827dc47fc307d14932c11622a4668d0fdfac99d53b79bdf4a32c303e3d5001
    SHA512 3756a9f3ce3697aca5c434f40d060034542e2ea24b7096afeb35a0090e97be0e0e5383a5eae3fb53aeeb9f13330de362a37928d13f8693d864508a608106a221

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
    MD5 9bdda116724c165207b22f6b6626bed9
    SHA1 e5b47bb748714565d75fa2c7fe9bc2b66e51e248
    SHA256 df4bf33977fb1cd92301928156101219b8492cdb022dac27020f1f7cf21a7895
    SHA512 af783467d369e1e47f513230ccde7c1e6193705d83e7165495a55b83dbf5589ad2daf2953f86c9d625bf4fbdd1d46b267b387811879acd8c562841fb587d7cd9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize 16B
    MD5 6752a1d65b201c13b62ea44016eb221f
    SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize 10KB
    MD5 fbf9319700d3cbaf3cbd68a412451b35
    SHA1 81c3e898a85c6c0a64d8e7a634c8ba3a4ba239f5
    SHA256 717c54390b494b70d557a564b41da0fd630cd06d1ba81c3bf2ddb18c4ba74d99
    SHA512 ceef6210a8e92b0b184c5eea0d58c465518fd865880f1d2baa20ba5710372200c8845b5cb1a1f317ebade5db4d27c2c1fe0617ee3b6b03f083fcf67a19c91031

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665885684530.txt
    Filesize 74KB
    MD5 db8a0cb56c8eebc6166b108c9d0392b1
    SHA1 43d09d0ad68e9f281e5e31e868378fd4fe1a4198
    SHA256 54243988cfb9dd5357cda1a92d76d4ff21de146c198bb7ae890d9a1c8a905283
    SHA512 da70378797cfcd4994f828b83bbbdc43b9e130097b9a70db0814683849a1773971e0ad1f278831b4d62ef0b78a0bcc9433e7626c4f3955f01b0dcab4db91eeaf

  • C:\Windows\ekmglkvkasqr.exe
    Filesize 371KB
    MD5 76b0182e3dc2f368facd1446a78d2ae0
    SHA1 6e6f6df8ef1a845e335995fbfa48dab3526cea29
    SHA256 3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
    SHA512 e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a

  • memory/1104-11-0x0000000000400000-0x000000000056E000-memory.dmp
    Filesize 1.4MB

  • memory/3264-0-0x0000000000730000-0x0000000000733000-memory.dmp
    Filesize 12KB

  • memory/3264-3-0x0000000000730000-0x0000000000733000-memory.dmp
    Filesize 12KB

  • memory/4076-17-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-10787-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-21-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-2432-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-3243-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-6502-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-19-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-10084-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-10786-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-23-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-10795-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-10796-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-18-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-16-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4076-10837-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4876-5-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4876-12-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4876-4-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4876-2-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB

  • memory/4876-1-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize 532KB