teslacrypt | 505d66bbcc6926ba3f5c2393e2556ea8256b6e7f2ec63ac29a4596fbe594403b

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe
Size

251KB
MD5

489136e46e31d5be5c1dcfefd7dbb221
SHA1

48145bfb513ab5559612b92250dd9ec03b9da733
SHA256

505d66bbcc6926ba3f5c2393e2556ea8256b6e7f2ec63ac29a4596fbe594403b
SHA512

0626a84ec57f16912cab610875746956b38d0ccb46e56de06216e32db4749af81c22838f094968085b53e4451f60e0a7ad2894efa1ae09955c42f310a191903a
SSDEEP

3072:yP36YQgDABWbDFp7yz5hwXZwnt+XOCGNjYQohl5ZieMhJP7p9ne3ESTRpA6:OZyTntxVYQE5ehJP7p9e3EcXA6

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Recovery+hsweh.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/91D61240964C59F 2. http://tes543berda73i48fsdfsd.keratadze.at/91D61240964C59F 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/91D61240964C59F If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/91D61240964C59F 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/91D61240964C59F http://tes543berda73i48fsdfsd.keratadze.at/91D61240964C59F http://tt54rfdjhb34rfbnknaerg.milerteddy.com/91D61240964C59F *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/91D61240964C59F

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/91D61240964C59F

http://tes543berda73i48fsdfsd.keratadze.at/91D61240964C59F

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/91D61240964C59F

http://xlowfznrg4wf7dli.ONION/91D61240964C59F

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (900) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wofnanrceqgq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hsweh.png	wofnanrceqgq.exe

Executes dropped EXE 1 IoCs

pid	Process
5656	wofnanrceqgq.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synineygxeda = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\wofnanrceqgq.exe\""	wofnanrceqgq.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Resources\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-100.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\MoveToFolderToastQuickAction.scale-80.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100_contrast-white.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\161.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100_contrast-white.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-100.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SmallTile.scale-125_contrast-black.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppValueProp.svg	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W7.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-100.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-200.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-200.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar150x150.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\en-US.pak	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-100.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-125.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-200.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\AppPowerPoint32x32.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-250.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-72.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-125.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-96_altform-unplated.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\OutOpen.csv	wofnanrceqgq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_scale-200.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\Recovery+hsweh.html	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ShareProvider_CopyFile24x24.scale-100.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-125.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-72_altform-unplated.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32_altform-unplated.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\Recovery+hsweh.txt	wofnanrceqgq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\Recovery+hsweh.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16_altform-lightunplated.png	wofnanrceqgq.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Recovery+hsweh.png	wofnanrceqgq.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wofnanrceqgq.exe	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe
File opened for modification	C:\Windows\wofnanrceqgq.exe	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wofnanrceqgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133881209214137107"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wofnanrceqgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{13874924-FFE7-4728-B51E-03C67D8E9666}	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4112	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe
5656	wofnanrceqgq.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5552	msedge.exe
5552	msedge.exe
5552	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3088	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe
Token: SeDebugPrivilege	5656	wofnanrceqgq.exe
Token: SeIncreaseQuotaPrivilege	4436	WMIC.exe
Token: SeSecurityPrivilege	4436	WMIC.exe
Token: SeTakeOwnershipPrivilege	4436	WMIC.exe
Token: SeLoadDriverPrivilege	4436	WMIC.exe
Token: SeSystemProfilePrivilege	4436	WMIC.exe
Token: SeSystemtimePrivilege	4436	WMIC.exe
Token: SeProfSingleProcessPrivilege	4436	WMIC.exe
Token: SeIncBasePriorityPrivilege	4436	WMIC.exe
Token: SeCreatePagefilePrivilege	4436	WMIC.exe
Token: SeBackupPrivilege	4436	WMIC.exe
Token: SeRestorePrivilege	4436	WMIC.exe
Token: SeShutdownPrivilege	4436	WMIC.exe
Token: SeDebugPrivilege	4436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4436	WMIC.exe
Token: SeRemoteShutdownPrivilege	4436	WMIC.exe
Token: SeUndockPrivilege	4436	WMIC.exe
Token: SeManageVolumePrivilege	4436	WMIC.exe
Token: 33	4436	WMIC.exe
Token: 34	4436	WMIC.exe
Token: 35	4436	WMIC.exe
Token: 36	4436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4436	WMIC.exe
Token: SeSecurityPrivilege	4436	WMIC.exe
Token: SeTakeOwnershipPrivilege	4436	WMIC.exe
Token: SeLoadDriverPrivilege	4436	WMIC.exe
Token: SeSystemProfilePrivilege	4436	WMIC.exe
Token: SeSystemtimePrivilege	4436	WMIC.exe
Token: SeProfSingleProcessPrivilege	4436	WMIC.exe
Token: SeIncBasePriorityPrivilege	4436	WMIC.exe
Token: SeCreatePagefilePrivilege	4436	WMIC.exe
Token: SeBackupPrivilege	4436	WMIC.exe
Token: SeRestorePrivilege	4436	WMIC.exe
Token: SeShutdownPrivilege	4436	WMIC.exe
Token: SeDebugPrivilege	4436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4436	WMIC.exe
Token: SeRemoteShutdownPrivilege	4436	WMIC.exe
Token: SeUndockPrivilege	4436	WMIC.exe
Token: SeManageVolumePrivilege	4436	WMIC.exe
Token: 33	4436	WMIC.exe
Token: 34	4436	WMIC.exe
Token: 35	4436	WMIC.exe
Token: 36	4436	WMIC.exe
Token: SeBackupPrivilege	4852	vssvc.exe
Token: SeRestorePrivilege	4852	vssvc.exe
Token: SeAuditPrivilege	4852	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 5656	3088	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe	88
PID 3088 wrote to memory of 5656	3088	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe	88
PID 3088 wrote to memory of 5656	3088	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe	88
PID 3088 wrote to memory of 1700	3088	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe	89
PID 3088 wrote to memory of 1700	3088	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe	89
PID 3088 wrote to memory of 1700	3088	2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe	89
PID 5656 wrote to memory of 4436	5656	wofnanrceqgq.exe	93
PID 5656 wrote to memory of 4436	5656	wofnanrceqgq.exe	93
PID 5656 wrote to memory of 4112	5656	wofnanrceqgq.exe	116
PID 5656 wrote to memory of 4112	5656	wofnanrceqgq.exe	116
PID 5656 wrote to memory of 4112	5656	wofnanrceqgq.exe	116
PID 5656 wrote to memory of 5552	5656	wofnanrceqgq.exe	117
PID 5656 wrote to memory of 5552	5656	wofnanrceqgq.exe	117
PID 5656 wrote to memory of 1928	5656	wofnanrceqgq.exe	118
PID 5656 wrote to memory of 1928	5656	wofnanrceqgq.exe	118
PID 5552 wrote to memory of 4336	5552	msedge.exe	120
PID 5552 wrote to memory of 4336	5552	msedge.exe	120
PID 5552 wrote to memory of 2180	5552	msedge.exe	121
PID 5552 wrote to memory of 2180	5552	msedge.exe	121
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 6136	5552	msedge.exe	123
PID 5552 wrote to memory of 6136	5552	msedge.exe	123
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122
PID 5552 wrote to memory of 1104	5552	msedge.exe	122

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wofnanrceqgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wofnanrceqgq.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_489136e46e31d5be5c1dcfefd7dbb221_amadey_smoke-loader_teslacrypt.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\wofnanrceqgq.exe
  C:\Windows\wofnanrceqgq.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5656
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f0,0x7ff90c4ef208,0x7ff90c4ef214,0x7ff90c4ef220
      4⤵
      PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1716,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:3
      4⤵
      PID:2180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2536,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:2
      4⤵
      PID:1104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2220,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
      4⤵
      PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
      4⤵
      PID:2352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3476,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
      4⤵
      PID:2348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4952,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:8
      4⤵
      PID:4028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4820,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:8
      4⤵
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3452,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5104 /prefetch:8
      4⤵
      PID:5556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5612,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8
      4⤵
      PID:5980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5612,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8
      4⤵
      PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5864,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:8
      4⤵
      PID:5292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6108,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:8
      4⤵
      PID:5324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6128,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
      4⤵
      PID:6072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5800,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:8
      4⤵
      PID:3356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5652,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:8
      4⤵
      PID:2256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:8
      4⤵
      PID:1844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4300,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:8
      4⤵
      PID:5916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5204 /prefetch:8
      4⤵
      PID:220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5132,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:8
      4⤵
      PID:5740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6640,i,3463526818627654492,7182949164287694218,262144 --variations-seed-version --mojo-platform-channel-handle=6620 /prefetch:8
      4⤵
      PID:1444
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WOFNAN~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c start "" "C:\Windows\wofnanrceqgq.exe"
1⤵
PID:4204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
8d04e2641061d23bbb3e761a61671c45

SHA1
5f63cc342c6d8a669b3c858650cf25be41b708ca

SHA256
218dbe9331719d600f6c1ad72e0e6f977e63ee746bf37d9136758ab31ab2f5ec

SHA512
ab6cba95bd5101319531f4d7adb5e0ecf56012ec8fcc52da6c87002a0e1a560dc0a65896b70f5651fb4bb677db4dd0b7275227c1cd27a52ffa02146d77619d82

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
f2fb79306dca809684cd7b3f7be84c7c

SHA1
3b541e9fee9c3e91fef6fda124a60ebe410a6901

SHA256
f9bbd98c1a18b527446ff151542c41e73eac78908fd7256d1e4b433e31872b83

SHA512
24be43bb652b10a4a480f98fd215463a97b1c341502f4090057126452080414c816b98eff61cbb4ad0fa1c17a597fd1230d13d8b036ea38e4b78c72afb3af747

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
5a7830863aab1782b1fa7e258aef202c

SHA1
eb019aab058f4582d63e44fad501c5a49e6add16

SHA256
cd393591c47cc3ed4251dee8c9bb804bacae576c10d9cf78fb99a3711d1dedb1

SHA512
77d2afcf8a455b6401b4e20ea0525800aa1dfb35fb7a35bcc62ed006a9527f1161e92f273f2cc497c57e29c916ce88a263ed19d3069d19dc0d8a133e75172a6d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5552_182116765\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\128.png.mp3

Filesize
5KB

MD5
c6a2be5eef8413168ef06c94e77048a1

SHA1
73c65bc3f5b26450fb4745d285caef3b26ffaf1e

SHA256
d3d248403f602d9e42fcdaefa2e7b04b2fa70ee95e113b949c3c8b4419eabb08

SHA512
907d75f3b50ce20094375a70d84646ad4d410f590fdc54c62d2039380f00eacf99463aa4c017d4daef41acf9ee6fd55a8e4fef831d137b8edcfe77b18a620c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\offscreendocument_main.js.mp3

Filesize
119KB

MD5
365567839f9ba3f0a20fb63d869e50e6

SHA1
6f456bd2c439c535edd9f79fbf4aa07c58819d5a

SHA256
80f16fc6751fb53cf027394fc12fc359da7753aebafcc97bc83a61cfa1883446

SHA512
fc41d1ff87c84ad093ce77aab5c670d2aeb1137f1ce48de3995c27c0434e00d35596462b0965ab392a86a15a86c0242a3f6d4b91673f8068d507d19efd238237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
36aa5730f133ab1345f660e08ca1cdc6

SHA1
40024446e2b8874ee04e4207634351dd95a89325

SHA256
7eea25fb6f962634a269d87d47cf29d1b7c082d654ea373239395f88aa5a7c60

SHA512
d217f570bb35bbf46e3b762d8ae490461ecd342e2c3098e6e97d0b36b852bde6a36ec3d3ba0270e5354b017dd476a02d45e864f17ea014c88074b79d473aa0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
0a044a77f2789a670cdae36a4eb66826

SHA1
d72b1c42d8f2361e6de3c3b6fcc1194609f950ee

SHA256
d48ea13770fd6c3bfad759a2ecafc2c1a6bc8a06c3900991dd6af8574b35c9d9

SHA512
9d408700ed92142f42464b14d93ea2105a7da2123ec5be75d3e88a044b65145ba2d70c44e336c9eafbc7a27902f7c230e0897fc6121ea1f34da99acf9cadfe23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
1536da54ac69c2702dc4720c7dfdf0d3

SHA1
1e775cf865c9cb675f67e6e05575c67f826a0685

SHA256
ff81b9b5c43b71c0bfeea603a043dfb14debe24ce8597149640e2c6b82818023

SHA512
9bfeaf6b9004244fa5feabb9afcc7447f24903d606594fbbcb16b4ed6444cb5f91a11cc00808b2ba1991690a1b9e8917039b3344cd51a9616547b59dfc7a309b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
cbca863c3d84c07045799de58525515e

SHA1
d47849a1cc8e687a62c8aa4cbc78c80ef6822eb5

SHA256
300731b7502c8dc93d3d5807c43b73c975a17f4ff52a0b26b7fbeef1703698a6

SHA512
b11c24e9324e48a6335dfa3854374bfdedb0bc2c6c31baf55b1de913e8612eb72f68bc6b1e3d6c0fb7e1b64d9910db57b43ffc05d467c24470d1507552114e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
9d2750c1bc680ad645f831a11fe42594

SHA1
84d7a86e64fd12fe8991ac395973264d9036cc3d

SHA256
828de091dba5d6d95c5f9eb37d76dbdb66abb8bca866c7f50455051b6d15e584

SHA512
8f59c5801a04a1ea448e992a134eabe0b0a8646b26c69227d8511f385ce9ee6bfa6d7fdd6d5ec56dc56474107a24e7f9e67d1968851f132ec837a681a5441c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
4be42b19d427e8ab0d4ac32093baa453

SHA1
533f938397bf9be5aacdeb1918c0e0b4c2259cd7

SHA256
12c8280ad8f088e2ca3e0ef712d838042e1c8b4ef1434b13ac216500c07812c7

SHA512
f52d3c1760d964a1953719f371c3edab9e1bd727e66d386eb537b5db528e9d192b7a07c8e2de160028c88a62f946b67a00d76b229915304516368318527297fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
0cb4b597154425308bd795fb0e97b48a

SHA1
17a6f0afac1670bc550a5d368b5f1688afb3e123

SHA256
fd4f6b9dedf926acca52d09a74df46c3b97314d49e39bddcf259541b2b226c52

SHA512
d818117f50df014154012a019649c7644590fe46feeb31273cbb42285b2fd2c318335302658e7f0ff0cb832f1b90fd3de4ba977e20a9037484548b8af787a5ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Notifications\0.0.0.46\arbitration_metadata.txt.mp3

Filesize
344KB

MD5
d150661fd1e105fc450852c405d4422e

SHA1
1357e474fea46c93e931706500b509bddcbfc7fb

SHA256
68aa5e0df977f2ee92f2b1a60b78a4f870005c863fceabd16a500d30d3fd8b59

SHA512
0234b08d80bf7c8cb9a9d85f50266243a857a886a8488ee6a5875bf1474146afd667a5181f062d250455658858eecfd05450dd59c2d424c394396467e72c64fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
b6ffff15b9657f06558664f3bfbbd8f8

SHA1
b2d797d79ea906ddd68a7ef7d8bc7b619620d508

SHA256
133e818d72830890dc5dc28bdcf3e2f41974da1d742032293f7c3154aeea0834

SHA512
9c5d113463b25399beaad6abd01fa3c5421478baa81afd11d19e86bee3df27764389aca4b0560837406d467391dcab3e37718e4832d6330a21965456ba35a0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
63866fce4b35de6dc5c559182e2cfadc

SHA1
28a8ad6c200f8c342b2e9014a6855f93a007a15f

SHA256
63b2d58251722614fd5aa5e5ef189e3116305e84d336a025714339c41d6533f5

SHA512
c2b0a6d9ecbe1226fbe92ef59d1032b74ef28da4bd6c3641cb29160ec25f3061ab9308a42904706277d2f38aaa9d5459f522217d3eb7a4e3a526dcaa34dd5fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
169382b4833bbb14e25d25a95c14dcec

SHA1
dcd9aeeefdb60df6908210106d75153a70edb173

SHA256
960d2118fb5b9aa89518d0c4aadb5ed0abd0348200b02c3296c3ceba392bc5b6

SHA512
5004e9839f96ff527fb048f1529c67ed5546a37e9deaff912ce88331f8e918f17000769b9025e15975907844e96ec5b88dc7bdf146f722703278980fa99ed066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
c07b9bdc6f5604b59f6388d62afbd6e6

SHA1
32434b5a9644fd19692b00c2cf5acb5aa3dec880

SHA256
c9a23386eeab8d97c393eaea325b7e13464efbef48619b7d7643b7d06c2bd512

SHA512
1340b1e70993c8a7d101fdbee8ed79f2871d72bdc8196005c94b1b24ced0e82c1d6769abea8221ed466f3afe32d1d8f515d3309dcda840372ce47a5730f3a9df

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133864073124899436.txt

Filesize
77KB

MD5
5ba9a5dd9d04726be06e07c57f3bef89

SHA1
88894ba4b69d53fe9a21175fe36c5a800cfb5099

SHA256
069a153c46d40eb624b4c21adbaf2aa2c0ec8438bd3036f6a240729c85105fac

SHA512
c3bac676a5dd5af086c6d507b28f7d89097acdf757d405c936abc1144ff3347add3477f2dcb8f896340534f2b452596fec9d4d66e0dee4e3dc1f37a9d84a4aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3863fd21-2090-43c6-a329-47cb84d6f22f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5552_1235743354\98e93311-dead-4a5a-a9cb-cec8f7615fb9.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Recovery+hsweh.html

Filesize
11KB

MD5
1466bb1bda6355b21769a941a529c340

SHA1
0efee085019b98aa450cbd91d53e3098ac1bcd66

SHA256
8f9f72aae2735275954b60a6292b3cee6c53a7a81754876d72aff43edd7c6342

SHA512
2faa122ea7e07d7f98bb71a7d66d34236779d6d7670df875f8564e12590483de778981f834d6fdff7e4aaef6aeb48f164e60dd51753183d008d1936becdb1ffc

Download Submit
C:\Users\Recovery+hsweh.png

Filesize
63KB

MD5
6637b52cf0ca4befffa6d6a5346a14b2

SHA1
f9cd694ca317a71be0ab6aa49f2c15014fc9e25a

SHA256
285e1aa5db0ebd5f246d6d936416696239c9b7a8f4881722a0da942faa1265f2

SHA512
9cb5d3400023e49b3dc6e15a5503e77985b4ee0d7dff7b20af06488e9c08d51f40f1f2d781c98f21ecdc8c6a3b6c99c7bb60676e7aa6bb3aa77bd8a2703d9cef

Download Submit
C:\Users\Recovery+hsweh.txt

Filesize
1KB

MD5
c82e59e53796a7423307d530327c707e

SHA1
ba1e6f1d305f189dcec46381663a2a47bdca7f12

SHA256
13f89424d0837d4f0f51bf84a6d04155f51372ca75f8c0cd068bf40cf439adb8

SHA512
78f12670b93614ef78a31a7af9ce00fbad6582be66e0ec460d073383073916eebbe43792bd7415f816da4c4eaf50220b91c9147d9202ca90dd77ee6289c0a241

Download Submit
C:\Windows\wofnanrceqgq.exe

Filesize
251KB

MD5
489136e46e31d5be5c1dcfefd7dbb221

SHA1
48145bfb513ab5559612b92250dd9ec03b9da733

SHA256
505d66bbcc6926ba3f5c2393e2556ea8256b6e7f2ec63ac29a4596fbe594403b

SHA512
0626a84ec57f16912cab610875746956b38d0ccb46e56de06216e32db4749af81c22838f094968085b53e4451f60e0a7ad2894efa1ae09955c42f310a191903a

Download Submit