teslacrypt | 2726d7000a2c36a93b6bf336314628b1a8571c2365b36cd8df899f2fc156975e

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
Size

251KB
MD5

e24753999a765babb180217ea49affa1
SHA1

7a5f87c0a78d6c20d7b7e35569eb30224b507908
SHA256

2726d7000a2c36a93b6bf336314628b1a8571c2365b36cd8df899f2fc156975e
SHA512

173de2f5afd1f5dfa376926bbe34ede5c06f3dc601e8b3fbbe7ba5612e3003f9747c5ab9d99bbb948cc270d03aa3b2ca520cd57af11e550e3a336180292d37df
SSDEEP

3072:yP36YQgDABWbDFp7yz5hwXZwnt+XOCGNjYQohl5ZieMhJP7p9ie3ESTRpA6:OZyTntxVYQE5ehJP7p9p3EcXA6

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Recovery+vgxfx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/32A7241F51FA1B9 2. http://tes543berda73i48fsdfsd.keratadze.at/32A7241F51FA1B9 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/32A7241F51FA1B9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/32A7241F51FA1B9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/32A7241F51FA1B9 http://tes543berda73i48fsdfsd.keratadze.at/32A7241F51FA1B9 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/32A7241F51FA1B9 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/32A7241F51FA1B9

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/32A7241F51FA1B9

http://tes543berda73i48fsdfsd.keratadze.at/32A7241F51FA1B9

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/32A7241F51FA1B9

http://xlowfznrg4wf7dli.ONION/32A7241F51FA1B9

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (888) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	fiaggivjudpy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+vgxfx.txt	fiaggivjudpy.exe

Executes dropped EXE 1 IoCs

pid	Process
4640	fiaggivjudpy.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpkrhrfirsmc = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\fiaggivjudpy.exe\""	fiaggivjudpy.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Ear.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a_thumb.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-200.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\Ringlesscalling_25more_360x120_2x.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.scale-200.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-200.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected]	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-unplated.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\MSBuild\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-black.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\7px.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-black.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe805.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_altform-unplated_contrast-white.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\View3d\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-80.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-100.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MicrosoftLogo.scale-200.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\Recovery+vgxfx.txt	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-200.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\webviewBoot.min.js	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-200.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Bundle\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\Recovery+vgxfx.html	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\Recovery+vgxfx.png	fiaggivjudpy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Recovery+vgxfx.png	fiaggivjudpy.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fiaggivjudpy.exe	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
File opened for modification	C:\Windows\fiaggivjudpy.exe	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fiaggivjudpy.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871058708477395"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	fiaggivjudpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{2DABD3FE-3525-4352-A59F-5D8D93B653A7}	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3372	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe
4640	fiaggivjudpy.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
Token: SeDebugPrivilege	4640	fiaggivjudpy.exe
Token: SeIncreaseQuotaPrivilege	4504	WMIC.exe
Token: SeSecurityPrivilege	4504	WMIC.exe
Token: SeTakeOwnershipPrivilege	4504	WMIC.exe
Token: SeLoadDriverPrivilege	4504	WMIC.exe
Token: SeSystemProfilePrivilege	4504	WMIC.exe
Token: SeSystemtimePrivilege	4504	WMIC.exe
Token: SeProfSingleProcessPrivilege	4504	WMIC.exe
Token: SeIncBasePriorityPrivilege	4504	WMIC.exe
Token: SeCreatePagefilePrivilege	4504	WMIC.exe
Token: SeBackupPrivilege	4504	WMIC.exe
Token: SeRestorePrivilege	4504	WMIC.exe
Token: SeShutdownPrivilege	4504	WMIC.exe
Token: SeDebugPrivilege	4504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4504	WMIC.exe
Token: SeRemoteShutdownPrivilege	4504	WMIC.exe
Token: SeUndockPrivilege	4504	WMIC.exe
Token: SeManageVolumePrivilege	4504	WMIC.exe
Token: 33	4504	WMIC.exe
Token: 34	4504	WMIC.exe
Token: 35	4504	WMIC.exe
Token: 36	4504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4504	WMIC.exe
Token: SeSecurityPrivilege	4504	WMIC.exe
Token: SeTakeOwnershipPrivilege	4504	WMIC.exe
Token: SeLoadDriverPrivilege	4504	WMIC.exe
Token: SeSystemProfilePrivilege	4504	WMIC.exe
Token: SeSystemtimePrivilege	4504	WMIC.exe
Token: SeProfSingleProcessPrivilege	4504	WMIC.exe
Token: SeIncBasePriorityPrivilege	4504	WMIC.exe
Token: SeCreatePagefilePrivilege	4504	WMIC.exe
Token: SeBackupPrivilege	4504	WMIC.exe
Token: SeRestorePrivilege	4504	WMIC.exe
Token: SeShutdownPrivilege	4504	WMIC.exe
Token: SeDebugPrivilege	4504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4504	WMIC.exe
Token: SeRemoteShutdownPrivilege	4504	WMIC.exe
Token: SeUndockPrivilege	4504	WMIC.exe
Token: SeManageVolumePrivilege	4504	WMIC.exe
Token: 33	4504	WMIC.exe
Token: 34	4504	WMIC.exe
Token: 35	4504	WMIC.exe
Token: 36	4504	WMIC.exe
Token: SeBackupPrivilege	5800	vssvc.exe
Token: SeRestorePrivilege	5800	vssvc.exe
Token: SeAuditPrivilege	5800	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4148	WMIC.exe
Token: SeSecurityPrivilege	4148	WMIC.exe
Token: SeTakeOwnershipPrivilege	4148	WMIC.exe
Token: SeLoadDriverPrivilege	4148	WMIC.exe
Token: SeSystemProfilePrivilege	4148	WMIC.exe
Token: SeSystemtimePrivilege	4148	WMIC.exe
Token: SeProfSingleProcessPrivilege	4148	WMIC.exe
Token: SeIncBasePriorityPrivilege	4148	WMIC.exe
Token: SeCreatePagefilePrivilege	4148	WMIC.exe
Token: SeBackupPrivilege	4148	WMIC.exe
Token: SeRestorePrivilege	4148	WMIC.exe
Token: SeShutdownPrivilege	4148	WMIC.exe
Token: SeDebugPrivilege	4148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4148	WMIC.exe
Token: SeRemoteShutdownPrivilege	4148	WMIC.exe
Token: SeUndockPrivilege	4148	WMIC.exe
Token: SeManageVolumePrivilege	4148	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4640	4368	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe	89
PID 4368 wrote to memory of 4640	4368	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe	89
PID 4368 wrote to memory of 4640	4368	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe	89
PID 4368 wrote to memory of 3560	4368	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe	90
PID 4368 wrote to memory of 3560	4368	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe	90
PID 4368 wrote to memory of 3560	4368	2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe	90
PID 4640 wrote to memory of 4504	4640	fiaggivjudpy.exe	92
PID 4640 wrote to memory of 4504	4640	fiaggivjudpy.exe	92
PID 4640 wrote to memory of 3372	4640	fiaggivjudpy.exe	112
PID 4640 wrote to memory of 3372	4640	fiaggivjudpy.exe	112
PID 4640 wrote to memory of 3372	4640	fiaggivjudpy.exe	112
PID 4640 wrote to memory of 3888	4640	fiaggivjudpy.exe	113
PID 4640 wrote to memory of 3888	4640	fiaggivjudpy.exe	113
PID 4640 wrote to memory of 4148	4640	fiaggivjudpy.exe	114
PID 4640 wrote to memory of 4148	4640	fiaggivjudpy.exe	114
PID 3888 wrote to memory of 4080	3888	msedge.exe	116
PID 3888 wrote to memory of 4080	3888	msedge.exe	116
PID 3888 wrote to memory of 5976	3888	msedge.exe	117
PID 3888 wrote to memory of 5976	3888	msedge.exe	117
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118
PID 3888 wrote to memory of 3380	3888	msedge.exe	118

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	fiaggivjudpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fiaggivjudpy.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-22_e24753999a765babb180217ea49affa1_amadey_teslacrypt.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\fiaggivjudpy.exe
  C:\Windows\fiaggivjudpy.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4640
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:3372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f4,0x7ffd9c3df208,0x7ffd9c3df214,0x7ffd9c3df220
      4⤵
      PID:4080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=2876 /prefetch:3
      4⤵
      PID:5976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2840,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:2
      4⤵
      PID:3380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2188,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
      4⤵
      PID:1692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
      4⤵
      PID:3192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4940,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:8
      4⤵
      PID:5212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:8
      4⤵
      PID:3120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      PID:3492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5652,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
      4⤵
      PID:5864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5652,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
      4⤵
      PID:3012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5920,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8
      4⤵
      PID:5292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6172,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:8
      4⤵
      PID:368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5936,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:8
      4⤵
      PID:2356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5944,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:8
      4⤵
      PID:3664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:8
      4⤵
      PID:5968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5708,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:8
      4⤵
      PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5724,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:8
      4⤵
      PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
      4⤵
      PID:2204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4772,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:8
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,5934931368126562446,10568366212729499608,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:8
      4⤵
      PID:6104
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FIAGGI~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
3db1292b8da093d45ade96f5473c4ce9

SHA1
032a87967e68f7abe855c7919c3122f4cccb8134

SHA256
64c5bfed5e9ca58bce21001afba9c374b616022f53d0fbeed128647ea09b368d

SHA512
79f1e2c195dee4a4ede21678dcc7474a9b696673e25df0e4a8408890831d878c2ba7e6c01dc7f3fc68ca5f8989f985ff1ee357d7dacf03ce82a12b98bd820726

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
d6d2efd3322dacf8a8939c8b5651f3ce

SHA1
e73758c9bc00e1497e49c5de303f27a7c99b9658

SHA256
aced7e85ae30ccbbff74706ea4b67554957d59548c826d862aa8ba8874c30811

SHA512
7cd51f7295ec24661c08ea0cafadcd897ac16b0f690fb6e0b6784c327fd34f9b345adaa1afe99218371a6e90df415b78c9ef827bec95f02fe5c95f7fe096db84

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
5578ad22ebc7a19a519b5a14294f5e88

SHA1
6ce744c9c3df47f511be0001498ed042b3dc13d1

SHA256
c2c60f06597b9280e81d893fd93d6919d7c88cd77e31ac29b7e789a123f78a26

SHA512
7b6fd1e5b78a1c1e132d77d746414d26e88b33fb2cd7c82e3503e0c82f923a32c3464b728503d68332d47b973c63056f61c7912373c578d3f6cc287e1a73a0c5

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3888_820331975\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3888_820331975\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
135cfaa231e15526985eb2761d3f0812

SHA1
d94dc86e194e48d5dd81a32738fe5209df7f0ef5

SHA256
961067b875eaabcf03f7ada38c370fafb37fc25ae66245821d82a01abe052dff

SHA512
b4ec8660eff98679c9d9ac645adc7263eb8f3e7853a9db5f5a344f651aecb03b76a1cd85adef9e63e3a79ddecb5b5f4232d9505f3aa4277604a7bb6d50aa4773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
37c68a85ca57bf2a4eb97bc81e4ccb35

SHA1
231f99e99f00f2a223139bc07e3af49b3dc77d42

SHA256
e5845f49292c032537204b5a8d56e3f4b31eecdc65915424b1972d6eee27416d

SHA512
2b5c778d3dc4305e316bb36729e61a72376f9a2cff99babe8bccf0ed7c91aa3eebdfa9e43e6650b0812974114f36a78fa58729c09c956179ae874c50e214f0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
91976f68e9e10b48588b60ca0c1ad4a5

SHA1
bc77f8f50c7421aeeb568ffe0e8cefb94429bd91

SHA256
2654c9cab63d652482f0db473d29f15510226e275fb485145bb27738814cafa8

SHA512
e3ab9ec32a6a2368ea85fe10e5248efa2dfead74415e418b7e4c9abf1db2cf214ab766eaa69ec226ce770ecc52958240559eb1542ac3dee0b31b7d7650446582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
55a448e0acf60836e6e83c68b6e445d0

SHA1
ade777e86e74efbc7c16cc300a739627a9b5e9ee

SHA256
0c11fe8fbf60750f50e30b2a9eb1fcb20549cee8c447a3fd277c62a7a1f8a38f

SHA512
6b686c3c72b906126c8d3d3408471578c2cf272af5fbebf39727de1db15f89f2f4b9ac732d2f7f0a63a398fc34903c49de0d7467312935dc3f9af1dd2b88acfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.9\data.txt.mp3

Filesize
113KB

MD5
1261024cbc368627f5a8d811be0f5429

SHA1
ba2e91e14b22f255fca122184ded83d4ddcb2da6

SHA256
2227890adcd5afb9654156042f86e1d59edd9afb8c074d2efee07e6c2d7ea007

SHA512
0b0df95b0a7f24073d4eef335d2d9ee9ca7432ef1c5b8af574cb90a458c4df069e2b722d0e5c9d8630a6702bf1f9049301314c32b20d92e100b33d7c78d2abd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
463B

MD5
21c47b9dff0d3c49392cae6300a19b68

SHA1
53b45928b5f05367830d7d1fddc0bec83db429d8

SHA256
6691b581671bcfee6a479ba87f480b432d34b7e3320187d37d816de8d94e33a7

SHA512
42cea29a898c0a58be78e55f744ffdfc24d79330a7d2841a0784e257dca8125e5d8519b47fa023d1491e77d3fcb559a42136830e2ea95b9bc9f1abf312c30cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
892B

MD5
51d0ba7bf08fd3c56d2c92d733bc8c3e

SHA1
0f3e9d8fcd1e6eec0ffd4331dc56b6e05a8a4a04

SHA256
95d731771f9856d390d49f3afe02b181aa25f1496a3905a49aa330f1bdb9e11e

SHA512
f95196d2589d5ef4d31492447534b15a9565cbf194ea7bce0f530efb13921004989097d2dd727db1635980c655eb98b9a7b20f12cda28aa0e6de87643c8fb5a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
bda18aa8fa0922bd7114401b6273b895

SHA1
cde3c4b921d9950d88422b0817f86ccb006ab0fa

SHA256
d154dc38d67273302f36c75866d3e54494a4caa47f56531469e72260e5822b2f

SHA512
cc19fcfc373e40981597a402ed8a435cf8cfdde7e6ed6159aba48c5b7189ea8d301720eb3d8c43878b64f416fc984ccc655cb5134f3300c9bfa589745e78c402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Notifications\0.0.0.46\arbitration_metadata.txt.mp3

Filesize
344KB

MD5
43cedc2c662f076f35b5ec0e899a56a3

SHA1
bf97213a70adc9fe9cedb241d9c1d9e2168c5258

SHA256
ee32c7fa574b5f54f9aa110a3a5d61fac35034a622035d443c023a73692560ef

SHA512
27d321a20e4fc3905c779fb05ab35f87225f07380da8fe5a3bfb68abcdc876be8fb9bd3b0b120f7540b461983bde0e97f46a39a923b1b6aac427ef043064a088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
62bd332105d6b7abe1c6ed7ab24f8eec

SHA1
4a8c6b80cd186d9e0844a1951584b21845bc56b6

SHA256
d0606a2786ccf2c49034dabdde1ea40370d43670fabcae01920d39a22a1d7eae

SHA512
7e04f244d1331cca26da3d83ee2c97df09c7db4f2d3712f5a9dcc728914d4799ffc25719f946f792a604c7a8a7a52aff68edb29ea878baa46c3dd900c92c46f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
8f972c256ead1c8ad9b956fd4b7732dd

SHA1
1fca656e2e598c19931e9692d38aba4c66f8ae28

SHA256
70f784daefc8d87cbe816774f9a3131300853438568f760c2d3cbdb375c1b7b7

SHA512
b8d5580742e0a881998d8d66acd607c0b4093b92a0980fdefea2d24846559bebccc07c4715c5bd778e80694ecbf892bc736574f1092e97d09e676f9993494a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a74d1e032045ab8477b2f6cca5f259e5

SHA1
cadf7c7e5e1f8f58a6f88be92caa81ca4e59d563

SHA256
45ea2ec883339c3e979572554226b0be22a62f5117ad6fe3da63bd6cdef89a64

SHA512
995a8fb9cc4dd32c7e9c2b719b948bf34b73206c67b2d1932265bcf5d0ac99b7892776fcd048c2e83fa41d4b8e782b713bd7c1de4d7e43b2cdcca369c4b7a749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
a777ffed1b57d1145f92e6e7374bd9bb

SHA1
a1ed110a0738f99901a4a05552a0bb12d4048038

SHA256
5bdaa3fa86277b931e49b46456ff9978876ee1c4f4a67aaa9607708da5655475

SHA512
f6545e53785b29bb33924a024e4ad4c45ef683d43c5b3f433e36fe50d42c841766373438f789f9e9fccb90c581966b22ad0346365000812a38c1698bfc0eca21

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133864126132050660.txt

Filesize
87KB

MD5
5a722688140cee7533aa6bf564f01ed2

SHA1
46d39b193278e08a8661f811a5ae0b6cc0348cbd

SHA256
63368d2d789951544fa8ff405958114b7eb1c83890947439bb44c70b8b7b89c8

SHA512
28722c72b7bc275adbc1fb723b3f536961877351dea379beb216a485081d50758ab4dd2510dddde3b034e06ba8e36eda5308ac3f46b9808d61ad5848e832faa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3888_92766765\4349baf6-2a57-43c0-bfb8-693add345d09.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4916_319883562\CRX_INSTALL\128.png

Filesize
5KB

MD5
4ccd46c141b03093ed5971d5b331490b

SHA1
5bb2c8e11b48a5fa7aa2f5eb57f06778da5ba67a

SHA256
42f25f37e2928c3466a6abea8d57ab0d6acf17e143299e18846c171eaddb5815

SHA512
a69aeb00c1b270ef1ef3c292431361bc61b94a988702a91b738e23b7750be29a76ef9b5bf86f02eebec6bbb4ec8f9693075ac31af320507cc6e0e93d03f9ad8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4916_319883562\CRX_INSTALL\offscreendocument_main.js

Filesize
119KB

MD5
49b77343cd01791be6b9fd5e10c0d5ba

SHA1
c196fc949937d864072733d265b3647c7b99865d

SHA256
e17cb18b4ad4a7097ccd7ec0c501db59e663f1f4a699675e55173aca2f629960

SHA512
4421eb1bd1132e67438ff6fda5a8466d0ee1f64e4b5617117d58564d2a6380be323dfb707c6f9305ac616efc378b394a3aa4ba18009db17a9e00a7cfb0ad5a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4916_319883562\CRX_INSTALL\page_embed_script.js

Filesize
720B

MD5
3f68c4d92f11a1f3cddb208199512df1

SHA1
94486bbabd8b5f54dacdce7f14331f96eb3f4508

SHA256
8effdf1b872faa052d7f1bbd9150ec2dafadb632bdd91753efa59827479b4c69

SHA512
6b9aa73183579b28fab70017030d912e43a4d4cb0064150d6c80eb40a89c9ed9f1ecc9ff21dd9bd4a8b26d6ac90e1a831155d145798d6ef7568510419c470b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4916_319883562\CRX_INSTALL\service_worker_bin_prod.js

Filesize
128KB

MD5
6ae5a308ff9bcf901d9a1453c9f92fcc

SHA1
b7de75e4f5c942653fbce5a5ed8c89109af842a8

SHA256
0326e2a26f34b4c6a6bd129499423f03e833057294ad3264b4451af11f06a8e1

SHA512
bbe4cb1fe4a60104a504e61b3a011f00abf0bd8b7cbc6f0d60a82d3b8ee05eff7b8a76e4601ece6707aceb0f1eb89f4d6bf57545ff8eb6715e7a63a62dffa4f1

Download Submit
C:\Users\Recovery+vgxfx.html

Filesize
11KB

MD5
62604cdf7cc4184d1b01753c50132088

SHA1
d846fd74ac55b5c0bb7c1af8bf71c8a718d2c518

SHA256
85f305ddebcd596e10d86ac3e200ff2591d891fd83f21cf2fd3cc86976df4a02

SHA512
7f0ede5e6d8a1362c9921152d44bd2a9911fdf9fe1f99d92429df63cb8f88376dd1426e9cdbce777a5068d26ee623dade395e4ee61f4fd09f4c82e7db4bc4843

Download Submit
C:\Users\Recovery+vgxfx.png

Filesize
63KB

MD5
f04e070c7fc50647a7b13240cc55742c

SHA1
887042ab97e756fe4eebf360fe1900d9cabb0d72

SHA256
bbd60d1a96166d8dcea60fa997ac95729c07881676fe4ee83da618b4a53a888e

SHA512
f46848369a77b4410d636837acc4a6b49a850a0eb4cfdd8aedc59f663b1c0ae00975c0bc90ab40d5d70ac66586089ec1ab940306eb746d50959806f3a13246df

Download Submit
C:\Users\Recovery+vgxfx.txt

Filesize
1KB

MD5
456faf0a97d43f0efdfe2707ea5dc1b1

SHA1
d4a8aec5283639398538aee7395dfec4b19b0100

SHA256
df1baac4f6445fe1e3c90f9bae2e7d37715560c38414682067ae096d6d9c8a62

SHA512
6dea83c7a6778df6d9bcf3563505a4846d00b4dff240fe9633e53dd7a26466cd3539991097c622bc02915c062454a297463c3b413ece004b88fe2e2c35fc5100

Download Submit
C:\Windows\fiaggivjudpy.exe

Filesize
251KB

MD5
e24753999a765babb180217ea49affa1

SHA1
7a5f87c0a78d6c20d7b7e35569eb30224b507908

SHA256
2726d7000a2c36a93b6bf336314628b1a8571c2365b36cd8df899f2fc156975e

SHA512
173de2f5afd1f5dfa376926bbe34ede5c06f3dc601e8b3fbbe7ba5612e3003f9747c5ab9d99bbb948cc270d03aa3b2ca520cd57af11e550e3a336180292d37df

Download Submit