Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/01/2025, 08:42 UTC

General

  • Target

    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe

  • Size

    371KB

  • MD5

    c192a273a786b569df2056914faf8327

  • SHA1

    87f24f470d678deae2cade1d3fd12255e796c091

  • SHA256

    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced

  • SHA512

    8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3
2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3
3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/C0716909F59A9C3
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/C0716909F59A9C3

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/C0716909F59A9C3

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C0716909F59A9C3

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C0716909F59A9C3

http://xlowfznrg4wf7dli.ONION/C0716909F59A9C3

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (876) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
    "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
      "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\cdxnmauxndwm.exe
        C:\Windows\cdxnmauxndwm.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Windows\cdxnmauxndwm.exe
          C:\Windows\cdxnmauxndwm.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5008
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3712
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:4360
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3796
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdd7e46f8,0x7fffdd7e4708,0x7fffdd7e4718
              6⤵
              PID:3632
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
              6⤵
              PID:3652
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
              6⤵
              PID:4804
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
              6⤵
              PID:4900
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
              6⤵
              PID:4936
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
              6⤵
              PID:3372
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15045793499681320551,730266638985055113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
              6⤵
              PID:3232
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:748
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CDXNMA~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2256
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4432
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2112
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4792
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3292

Network

  • [US] DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • [US] DNS 13.86.106.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  13.86.106.20.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 172.214.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 0.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  0.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 167.173.78.104.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  167.173.78.104.in-addr.arpa IN PTR
    Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com
  • [US] DNS 241.150.49.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  241.150.49.20.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 56.163.245.4.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  56.163.245.4.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 241.42.69.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  241.42.69.40.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS 21.49.80.91.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  21.49.80.91.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS biocarbon.com.ec (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  biocarbon.com.ec IN A
    Response: biocarbon.com.ec IN A 162.241.224.203
  • [US] POST http://biocarbon.com.ec/wp-content/uploads/bstr.php (process: cdxnmauxndwm.exe)
    Remote address: 162.241.224.203:80
    Request:
      POST /wp-content/uploads/bstr.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
      Host: biocarbon.com.ec
      Content-Length: 645
      Cache-Control: no-cache
    Response:
      HTTP/1.1 301 Moved Permanently
      Date: Tue, 21 Jan 2025 10:25:39 GMT
      Server: nginx/1.25.5
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 242
      Location: https://biocarbon.com.ec/403.shtml
      X-Server-Cache: false
      host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
  • [US] DNS 203.224.241.162.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  203.224.241.162.in-addr.arpa IN PTR
    Response: 203.224.241.162.in-addr.arpa IN PTR box5210.bluehost.com
  • [US] GET https://biocarbon.com.ec/403.shtml (process: cdxnmauxndwm.exe)
    Remote address: 162.241.224.203:443
    Request:
      GET /403.shtml HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
      Cache-Control: no-cache
      Host: biocarbon.com.ec
      Connection: Keep-Alive
    Response:
      HTTP/1.1 404 Not Found
      Date: Tue, 21 Jan 2025 10:25:42 GMT
      Server: nginx/1.25.5
      Content-Type: text/html; charset=UTF-8
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://biocarbon.com.ec/wp-json/>; rel="https://api.w.org/"
      Vary: Accept-Encoding
      host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
      Transfer-Encoding: chunked
  • [US] DNS r10.o.lencr.org (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  r10.o.lencr.org IN A
    Response: r10.o.lencr.org IN CNAME o.lencr.edgesuite.net
              o.lencr.edgesuite.net IN CNAME a1887.dscq.akamai.net
              a1887.dscq.akamai.net IN A 88.221.135.105
              a1887.dscq.akamai.net IN A 88.221.134.89
  • [GB] GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D (process: cdxnmauxndwm.exe)
    Remote address: 88.221.135.105:80
    Request:
      GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: r10.o.lencr.org
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: application/ocsp-response
      Content-Length: 504
      ETag: "EDBF6B39418DCF40055F1049DB26A0AAFD7B045BC5FBEB2E9E7D81474DBA565F"
      Last-Modified: Tue, 21 Jan 2025 10:25:00 UTC
      Cache-Control: public, no-transform, must-revalidate, max-age=21566
      Expires: Tue, 21 Jan 2025 16:25:06 GMT
      Date: Tue, 21 Jan 2025 10:25:40 GMT
      Connection: keep-alive
  • [US] DNS 168.245.100.95.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  168.245.100.95.in-addr.arpa IN PTR
    Response: 168.245.100.95.in-addr.arpa IN PTR a95-100-245-168.deploy.static.akamaitechnologies.com
  • [US] DNS 105.135.221.88.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  105.135.221.88.in-addr.arpa IN PTR
    Response: 105.135.221.88.in-addr.arpa IN PTR a88-221-135-105.deploy.static.akamaitechnologies.com
  • [US] DNS imagescroll.com (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  imagescroll.com IN A
    Response: (empty)
  • [US] DNS music.mbsaeger.com (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  music.mbsaeger.com IN A
    Response: (empty)
  • [US] DNS stacon.eu (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  stacon.eu IN A
    Response: stacon.eu IN A 85.128.128.104
  • [PL] POST http://stacon.eu/bstr.php (process: cdxnmauxndwm.exe)
    Remote address: 85.128.128.104:80
    Request:
      POST /bstr.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
      Host: stacon.eu
      Content-Length: 645
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 21 Jan 2025 10:25:42 GMT
      Content-Type: text/html
      Content-Length: 162
      Connection: keep-alive
      X-CDN-nazwa.pl-location: AMS
      X-CDN-nazwa.pl-policyused: cdn=1209600
      Server: Apache/2
  • [US] DNS surrogacyandadoption.com (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  surrogacyandadoption.com IN A
    Response: surrogacyandadoption.com IN CNAME comingsoon.namebright.com
              comingsoon.namebright.com IN CNAME cdl-lb-1356093980.us-east-1.elb.amazonaws.com
              cdl-lb-1356093980.us-east-1.elb.amazonaws.com IN A 54.85.129.208
              cdl-lb-1356093980.us-east-1.elb.amazonaws.com IN A 34.193.158.132
  • [US] POST http://surrogacyandadoption.com/bstr.php (process: cdxnmauxndwm.exe)
    Remote address: 54.85.129.208:80
    Request:
      POST /bstr.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
      Host: surrogacyandadoption.com
      Content-Length: 645
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 21 Jan 2025 10:25:43 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
  • [US] DNS worldisonefamily.info (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  worldisonefamily.info IN A
    Response: worldisonefamily.info IN A 104.155.138.21
              worldisonefamily.info IN A 107.178.223.183
  • [US] DNS 104.128.128.85.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  104.128.128.85.in-addr.arpa IN PTR
    Response: 104.128.128.85.in-addr.arpa IN PTR static-ajw104.rev.nazwa.pl
  • [US] DNS 208.129.85.54.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  208.129.85.54.in-addr.arpa IN PTR
    Response: 208.129.85.54.in-addr.arpa IN PTR ec2-54-85-129-208.compute-1.amazonaws.com
  • [US] POST http://worldisonefamily.info/zz/libraries/bstr.php (process: cdxnmauxndwm.exe)
    Remote address: 104.155.138.21:80
    Request:
      POST /zz/libraries/bstr.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
      Host: worldisonefamily.info
      Content-Length: 645
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Content-Length: 0
  • [US] DNS 21.138.155.104.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  21.138.155.104.in-addr.arpa IN PTR
    Response: 21.138.155.104.in-addr.arpa IN PTR 21.138.155.104.bc.googleusercontent.com
  • [US] DNS 60.153.16.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  60.153.16.2.in-addr.arpa IN PTR
    Response: 60.153.16.2.in-addr.arpa IN PTR a2-16-153-60.deploy.static.akamaitechnologies.com
  • [US] POST http://biocarbon.com.ec/wp-content/uploads/bstr.php (process: cdxnmauxndwm.exe)
    Remote address: 162.241.224.203:80
    Request:
      POST /wp-content/uploads/bstr.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
      Host: biocarbon.com.ec
      Content-Length: 645
      Cache-Control: no-cache
    Response:
      HTTP/1.1 301 Moved Permanently
      Date: Tue, 21 Jan 2025 10:26:31 GMT
      Server: nginx/1.25.5
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 242
      Location: https://biocarbon.com.ec/403.shtml
      X-Server-Cache: false
      host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
  • [US] GET https://biocarbon.com.ec/403.shtml (process: cdxnmauxndwm.exe)
    Remote address: 162.241.224.203:443
    Request:
      GET /403.shtml HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
      Cache-Control: no-cache
      Host: biocarbon.com.ec
      Connection: Keep-Alive
    Response:
      HTTP/1.1 404 Not Found
      Date: Tue, 21 Jan 2025 10:26:33 GMT
      Server: nginx/1.25.5
      Content-Type: text/html; charset=UTF-8
      Expires: Wed, 11 Jan 1984 05:00:00 GMT
      Cache-Control: no-cache, must-revalidate, max-age=0
      Link: <https://biocarbon.com.ec/wp-json/>; rel="https://api.w.org/"
      Vary: Accept-Encoding
      host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
      Transfer-Encoding: chunked
  • [US] DNS 14.160.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  14.160.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • [US] DNS imagescroll.com (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  imagescroll.com IN A
    Response: (empty)
  • [US] DNS music.mbsaeger.com (process: cdxnmauxndwm.exe)
    Remote address: 8.8.8.8:53
    Request:  music.mbsaeger.com IN A
    Response: (empty)
  • [PL] POST http://stacon.eu/bstr.php (process: cdxnmauxndwm.exe)
    Remote address: 85.128.128.104:80
    Request:
      POST /bstr.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
      Host: stacon.eu
      Content-Length: 645
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 21 Jan 2025 10:26:33 GMT
                      Content-Type: text/html
                      Content-Length: 162
                      Connection: keep-alive
                      X-CDN-nazwa.pl-location: AMS
                      X-CDN-nazwa.pl-policyused: cdn=1209600
                      Server: Apache/2
                    • flag-us
                      POST
                      http://surrogacyandadoption.com/bstr.php
                      cdxnmauxndwm.exe
                      Remote address:
                      54.85.129.208:80
                      Request
                      POST /bstr.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
                      Host: surrogacyandadoption.com
                      Content-Length: 645
                      Cache-Control: no-cache
                      Response
                      HTTP/1.1 200 OK
                      Date: Tue, 21 Jan 2025 10:26:34 GMT
                      Content-Type: text/html; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: keep-alive
                    • flag-us
                      POST
                      http://worldisonefamily.info/zz/libraries/bstr.php
                      cdxnmauxndwm.exe
                      Remote address:
                      104.155.138.21:80
                      Request
                      POST /zz/libraries/bstr.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
                      Host: worldisonefamily.info
                      Content-Length: 645
                      Cache-Control: no-cache
                      Response
                      HTTP/1.1 200 OK
                      Content-Length: 0
                    • 162.241.224.203:80
                      http://biocarbon.com.ec/wp-content/uploads/bstr.php
                      http
                      cdxnmauxndwm.exe
                      1.2kB
                      725 B
                      6
                      5

                      HTTP Request

                      POST http://biocarbon.com.ec/wp-content/uploads/bstr.php

                      HTTP Response

                      301
                    • 162.241.224.203:443
                      https://biocarbon.com.ec/403.shtml
                      tls, http
                      cdxnmauxndwm.exe
                      2.4kB
                      44.4kB
                      41
                      37

                      HTTP Request

                      GET https://biocarbon.com.ec/403.shtml

                      HTTP Response

                      404
                    • 88.221.135.105:80
                      http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D
                      http
                      cdxnmauxndwm.exe
                      470 B
                      1.0kB
                      5
                      3

                      HTTP Request

                      GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D

                      HTTP Response

                      200
                    • 85.128.128.104:80
                      http://stacon.eu/bstr.php
                      http
                      cdxnmauxndwm.exe
                      1.1kB
                      588 B
                      6
                      5

                      HTTP Request

                      POST http://stacon.eu/bstr.php

                      HTTP Response

                      200
                    • 54.85.129.208:80
                      http://surrogacyandadoption.com/bstr.php
                      http
                      cdxnmauxndwm.exe
                      1.6kB
                      13.3kB
                      16
                      13

                      HTTP Request

                      POST http://surrogacyandadoption.com/bstr.php

                      HTTP Response

                      200
                    • 104.155.138.21:80
                      http://worldisonefamily.info/zz/libraries/bstr.php
                      http
                      cdxnmauxndwm.exe
                      1.2kB
                      250 B
                      6
                      5

                      HTTP Request

                      POST http://worldisonefamily.info/zz/libraries/bstr.php

                      HTTP Response

                      200
                    • 162.241.224.203:80
                      http://biocarbon.com.ec/wp-content/uploads/bstr.php
                      http
                      cdxnmauxndwm.exe
                      1.1kB
                      645 B
                      5
                      3

                      HTTP Request

                      POST http://biocarbon.com.ec/wp-content/uploads/bstr.php

                      HTTP Response

                      301
                    • 162.241.224.203:443
                      https://biocarbon.com.ec/403.shtml
                      tls, http
                      cdxnmauxndwm.exe
                      2.4kB
                      40.9kB
                      38
                      34

                      HTTP Request

                      GET https://biocarbon.com.ec/403.shtml

                      HTTP Response

                      404
                    • 85.128.128.104:80
                      http://stacon.eu/bstr.php
                      http
                      cdxnmauxndwm.exe
                      1.1kB
                      508 B
                      5
                      3

                      HTTP Request

                      POST http://stacon.eu/bstr.php

                      HTTP Response

                      200
                    • 54.85.129.208:80
                      http://surrogacyandadoption.com/bstr.php
                      http
                      cdxnmauxndwm.exe
                      1.6kB
                      13.3kB
                      16
                      13

                      HTTP Request

                      POST http://surrogacyandadoption.com/bstr.php

                      HTTP Response

                      200
                    • 104.155.138.21:80
                      http://worldisonefamily.info/zz/libraries/bstr.php
                      http
                      cdxnmauxndwm.exe
                      1.2kB
                      250 B
                      7
                      5

                      HTTP Request

                      POST http://worldisonefamily.info/zz/libraries/bstr.php

                      HTTP Response

                      200
                    • 8.8.8.8:53
                      8.8.8.8.in-addr.arpa
                      dns
                      66 B
                      90 B
                      1
                      1

                      DNS Request

                      8.8.8.8.in-addr.arpa

                    • 8.8.8.8:53
                      13.86.106.20.in-addr.arpa
                      dns
                      71 B
                      157 B
                      1
                      1

                      DNS Request

                      13.86.106.20.in-addr.arpa

                    • 8.8.8.8:53
                      172.214.232.199.in-addr.arpa
                      dns
                      74 B
                      128 B
                      1
                      1

                      DNS Request

                      172.214.232.199.in-addr.arpa

                    • 8.8.8.8:53
                      0.159.190.20.in-addr.arpa
                      dns
                      71 B
                      157 B
                      1
                      1

                      DNS Request

                      0.159.190.20.in-addr.arpa

                    • 8.8.8.8:53
                      167.173.78.104.in-addr.arpa
                      dns
                      73 B
                      139 B
                      1
                      1

                      DNS Request

                      167.173.78.104.in-addr.arpa

                    • 8.8.8.8:53
                      241.150.49.20.in-addr.arpa
                      dns
                      72 B
                      158 B
                      1
                      1

                      DNS Request

                      241.150.49.20.in-addr.arpa

                    • 8.8.8.8:53
                      56.163.245.4.in-addr.arpa
                      dns
                      71 B
                      157 B
                      1
                      1

                      DNS Request

                      56.163.245.4.in-addr.arpa

                    • 8.8.8.8:53
                      241.42.69.40.in-addr.arpa
                      dns
                      71 B
                      145 B
                      1
                      1

                      DNS Request

                      241.42.69.40.in-addr.arpa

                    • 8.8.8.8:53
                      172.210.232.199.in-addr.arpa
                      dns
                      74 B
                      128 B
                      1
                      1

                      DNS Request

                      172.210.232.199.in-addr.arpa

                    • 8.8.8.8:53
                      21.49.80.91.in-addr.arpa
                      dns
                      70 B
                      145 B
                      1
                      1

                      DNS Request

                      21.49.80.91.in-addr.arpa

                    • 8.8.8.8:53
                      biocarbon.com.ec
                      dns
                      cdxnmauxndwm.exe
                      62 B
                      78 B
                      1
                      1

                      DNS Request

                      biocarbon.com.ec

                      DNS Response

                      162.241.224.203

                    • 8.8.8.8:53
                      203.224.241.162.in-addr.arpa
                      dns
                      74 B
                      108 B
                      1
                      1

                      DNS Request

                      203.224.241.162.in-addr.arpa

                    • 8.8.8.8:53
                      r10.o.lencr.org
                      dns
                      cdxnmauxndwm.exe
                      61 B
                      160 B
                      1
                      1

                      DNS Request

                      r10.o.lencr.org

                      DNS Response

                      88.221.135.105
                      88.221.134.89

                    • 8.8.8.8:53
                      168.245.100.95.in-addr.arpa
                      dns
                      73 B
                      139 B
                      1
                      1

                      DNS Request

                      168.245.100.95.in-addr.arpa

                    • 8.8.8.8:53
                      105.135.221.88.in-addr.arpa
                      dns
                      73 B
                      139 B
                      1
                      1

                      DNS Request

                      105.135.221.88.in-addr.arpa

                    • 8.8.8.8:53
                      imagescroll.com
                      dns
                      cdxnmauxndwm.exe
                      61 B
                      134 B
                      1
                      1

                      DNS Request

                      imagescroll.com

                    • 8.8.8.8:53
                      music.mbsaeger.com
                      dns
                      cdxnmauxndwm.exe
                      64 B
                      145 B
                      1
                      1

                      DNS Request

                      music.mbsaeger.com

                    • 8.8.8.8:53
                      stacon.eu
                      dns
                      cdxnmauxndwm.exe
                      55 B
                      71 B
                      1
                      1

                      DNS Request

                      stacon.eu

                      DNS Response

                      85.128.128.104

                    • 8.8.8.8:53
                      surrogacyandadoption.com
                      dns
                      cdxnmauxndwm.exe
                      70 B
                      194 B
                      1
                      1

                      DNS Request

                      surrogacyandadoption.com

                      DNS Response

                      54.85.129.208
                      34.193.158.132

                    • 8.8.8.8:53
                      worldisonefamily.info
                      dns
                      cdxnmauxndwm.exe
                      67 B
                      99 B
                      1
                      1

                      DNS Request

                      worldisonefamily.info

                      DNS Response

                      104.155.138.21
                      107.178.223.183

                    • 8.8.8.8:53
                      104.128.128.85.in-addr.arpa
                      dns
                      73 B
                      113 B
                      1
                      1

                      DNS Request

                      104.128.128.85.in-addr.arpa

                    • 8.8.8.8:53
                      208.129.85.54.in-addr.arpa
                      dns
                      72 B
                      127 B
                      1
                      1

                      DNS Request

                      208.129.85.54.in-addr.arpa

                    • 8.8.8.8:53
                      21.138.155.104.in-addr.arpa
                      dns
                      73 B
                      126 B
                      1
                      1

                      DNS Request

                      21.138.155.104.in-addr.arpa

                    • 8.8.8.8:53
                      60.153.16.2.in-addr.arpa
                      dns
                      70 B
                      133 B
                      1
                      1

                      DNS Request

                      60.153.16.2.in-addr.arpa

                    • 8.8.8.8:53
                      14.160.190.20.in-addr.arpa
                      dns
                      72 B
                      158 B
                      1
                      1

                      DNS Request

                      14.160.190.20.in-addr.arpa

                    • 8.8.8.8:53
                      imagescroll.com
                      dns
                      cdxnmauxndwm.exe
                      61 B
                      134 B
                      1
                      1

                      DNS Request

                      imagescroll.com

                    • 8.8.8.8:53
                      music.mbsaeger.com
                      dns
                      cdxnmauxndwm.exe
                      64 B
                      145 B
                      1
                      1

                      DNS Request

                      music.mbsaeger.com

                    • 224.0.0.251:5353
                      msedge.exe

                    Downloads

                    • C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.html
                      Filesize: 9KB
                      MD5: 1b78b85e42aed2f4e8159decab1ec819
                      SHA1: 479f4d30be894ba9495d270094290f7bcff94f84
                      SHA256: b1bdc33175adff6089400d64922e47808f9b59181a6fe69504a48e9e71ab83ef
                      SHA512: c3f30a3e21d0c7cccf8e123774caef96b2328eda6e99bb37c84f8a9652ecc20ab96124f69b214dd29c9801a0c2ca3cb53662f2f93d68fa102a45a5b927f9c7d8

                    • C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.png
                      Filesize: 63KB
                      MD5: 14b1317ab0dc245f3d4442c108ddaaf1
                      SHA1: 07a562b5b2db6be1d282e17c7b3d5d1077542572
                      SHA256: f0eb1c3c0f67119764d8fa98a355b934ef015e78e075bc56975a5d72be2faa60
                      SHA512: 24ef58d032cb9ad974eaab240554ce815cd27b59f07ee6d4a6fbdce6b2fff4d87fa7c74b686a0bfe999a675a1974b988af01fa3450460427fda915f43031b67b

                    • C:\Program Files\7-Zip\Lang\_RECoVERY_+hrehg.txt
                      Filesize: 1KB
                      MD5: bfc580ab1e9f663c55ce4c0d6ac785fc
                      SHA1: 559d268a13a5b6b1f484323685fac4e58d8b5a65
                      SHA256: f05afa6bd494fe218279450670b5007cefa3d4a3ce34818d9551f6e80f8c9efb
                      SHA512: d2c18e8e8a9a649352e87edb23edede5ea9c2bea03acad3cc8e88dd23d6b9ebdf912a6f19ddf86dcf9702250aab6288d7fdb325cd619553f8a297aa23034a086

                    • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
                      Filesize: 560B
                      MD5: dfea4a0ebadf07521723b12dbe809df7
                      SHA1: 68b95f34bc8666bca44c695ce596625b82b0e05e
                      SHA256: 9d4fbf692ebc6f8f204e0f3ea4943cde541c012e9308adf7db29202912394e8e
                      SHA512: 1441c86b03e1ffbf19ada0b5f961a2df814f75c11589a82066cd03878b5a6f4015f07c7c6aeafcf0720aba0e4dee9dc13c8b38d453914b9c37eaacd6488bd4f1

                    • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
                      Filesize: 560B
                      MD5: 5c00129a490f1c59b3aa9d45674fa9d6
                      SHA1: b74981401059188e80a62c59ab9ad2fcad912aff
                      SHA256: e7eead0d6a49c89331d20302cb5e13fd6975f95c8dc489590101bd13bb8ba1bc
                      SHA512: 4e5f5177520a9d1e6b3c8dda960c9d0f6b706d99a35cc27296d232a7675d81fd9387f1f10ced245e7b4e4cf1ae679d3fb24086a0f2da3638e64afd7a0325d9b3

                    • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
                      Filesize: 416B
                      MD5: 611993ae6f2843abe00011331578c44a
                      SHA1: 8c211e333b508badb8f2ca4845adae2af25f5bca
                      SHA256: 792e259bb12f658e3d041659de1112df4fece3a535235b6d475973096905e2be
                      SHA512: f739552c80b4bdbb8ece99917657d00c26ed880904aaec2c9a852aec952e4ac59de62076bc60e97986e1ca69aa298c815a68794e152b4e6eec901ce838104fb0

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                      Filesize: 152B
                      MD5: d22073dea53e79d9b824f27ac5e9813e
                      SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
                      SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
                      SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                      Filesize: 152B
                      MD5: bffcefacce25cd03f3d5c9446ddb903d
                      SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
                      SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
                      SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                      Filesize: 5KB
                      MD5: e8adf384a640023017e67ce46b96cf5e
                      SHA1: 9be592237283c3f115d8482a83bcdc22e33a6b85
                      SHA256: e309d7d151000a1c0659050408809186159f6055d72363d18b23a270aa36ca36
                      SHA512: e18d234c8346c0d9b319c1a07be528e168b46b27b913ae40eea0b7c4b371f973cde5dbc09814786b99eef06c07840441227ae2dd49dc566bd3877c3cf7fc0ac0

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                      Filesize: 16B
                      MD5: 6752a1d65b201c13b62ea44016eb221f
                      SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
                      SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
                      SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt
                      Filesize: 77KB
                      MD5: 0089a10fcb5c08347469b9ff8736d05b
                      SHA1: 969d1e17cd9812c0bb6063f584d61ca4a0567126
                      SHA256: 236b55b1d09b2bfe5d42685ba0b6c307fe07edb13a28c5f06184221245a2b7aa
                      SHA512: 07314b52068012e8e5bb52a7ca8c3c7158259b85f4fc6fe689fe850f0258ecdfac398befcd81e90a2d97d952e859452680bc3a7ab6a99e556f55d6d4e24cdb7c

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt
                      Filesize: 47KB
                      MD5: a8ebbc8426d2a55cb7e6ba84d986bd7d
                      SHA1: 336fd816759f420b530b60aa9f85fa97f894c4f9
                      SHA256: bbf141633400dc69c1314839522cc9fbbfefa235cf6e7ab33d7ab23c9964ad15
                      SHA512: 3235f5bc5c7469ec83f47b2d0cd1a0a8e4fd418f1059862b5d74b1f649ee314f3f32a526a50cf02c0f1984eaf34b533b4e2e2bc23146d8b5d8c1908b86b9c0a8

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt
                      Filesize: 74KB
                      MD5: ca7ac5999ce50bb1bcbed911ef3351ed
                      SHA1: f3ba96187e6669e8e83d7fb5d501492c7e43dbbb
                      SHA256: 58d9231755940e78c409c53c46a3ae92409478bb8d4a2458129f1bbf3d8354b0
                      SHA512: 52bcdfccf3040e8723ae5288d11962a25ba5722ccbc8530f9917d3468f50d55674b3bc03d3dee0daf761e1a19da175c1c7869b59ac263776b4cdf4cf6ec6bd45

                    • C:\Windows\cdxnmauxndwm.exe
                      Filesize: 371KB
                      MD5: c192a273a786b569df2056914faf8327
                      SHA1: 87f24f470d678deae2cade1d3fd12255e796c091
                      SHA256: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
                      SHA512: 8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427

                    • memory/1132-4-0x0000000000620000-0x0000000000623000-memory.dmp (Filesize: 12KB)
                    • memory/1132-1-0x0000000000620000-0x0000000000623000-memory.dmp (Filesize: 12KB)
                    • memory/1132-0-0x0000000000620000-0x0000000000623000-memory.dmp (Filesize: 12KB)
                    • memory/1312-15-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/1312-6-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/1312-5-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/1312-3-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/1312-2-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/3172-12-0x0000000000400000-0x000000000056E000-memory.dmp (Filesize: 1.4MB)
                    • memory/5008-19-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-4305-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-7309-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-2212-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-2201-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-995-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-10321-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-10545-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-10546-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-10556-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-10554-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-25-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-23-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-21-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-18-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-10596-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
                    • memory/5008-20-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
