teslacrypt | 64453e36ad52ff908dc80a8e6e4c86be8e06f5a7ab4b844f26a616016d766ece

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe
Size

252KB
MD5

5dedf87db9e8a051c614cf8afbe4c1cf
SHA1

b132e085aa9067eb7e5f26989b7fb5aea9ccc390
SHA256

64453e36ad52ff908dc80a8e6e4c86be8e06f5a7ab4b844f26a616016d766ece
SHA512

907263d3631e5b72cec8f94238406d508aa440a2c4210cb76c1ab5fb5d1ee5f4401c097ba9f57f5a3aacb2554631d96d08177a7c2bdab3e8a9cf0ad03a38b86f
SSDEEP

3072:sM8SYgJAvWsDL2ToQz75W7VgiLXOSrNrQwk8rDDAoSloh0JsmpdFtzK20TRpAl:RJhipNrQqAsh0JsmC2+XAl

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\_ReCoVeRy_+rwapn.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2CCB261F9687D18E 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2CCB261F9687D18E 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/2CCB261F9687D18E If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/2CCB261F9687D18E 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2CCB261F9687D18E http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2CCB261F9687D18E http://yyre45dbvn2nhbefbmh.begumvelic.at/2CCB261F9687D18E Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/2CCB261F9687D18E

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2CCB261F9687D18E

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2CCB261F9687D18E

http://yyre45dbvn2nhbefbmh.begumvelic.at/2CCB261F9687D18E

http://xlowfznrg4wf7dli.ONION/2CCB261F9687D18E

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (911) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	qvgwcyguctor.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rwapn.png	qvgwcyguctor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rwapn.png	qvgwcyguctor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe

Executes dropped EXE 1 IoCs

pid	Process
4992	qvgwcyguctor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsgfvih = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\qvgwcyguctor.exe"	qvgwcyguctor.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-30.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-63.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-100.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-400.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\_ReCoVeRy_+rwapn.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_ReCoVeRy_+rwapn.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-100_contrast-black.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_ReCoVeRy_+rwapn.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-100.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-100_contrast-white.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-16.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-100.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7dc.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-200.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Unipulator.mp4	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-200.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-150.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8041_48x48x32.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-250.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\edge_BITS_4548_1148497934\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CD770CB7-9E07-4D10-88E6-9B773B199C47\root\vfs\Windows\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Rainbow.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-200.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FR_Back_Landscape_Med_1920x1080.jpg	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\_ReCoVeRy_+rwapn.txt	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\_ReCoVeRy_+rwapn.png	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\_ReCoVeRy_+rwapn.html	qvgwcyguctor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FlagToastQuickAction.scale-80.png	qvgwcyguctor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\qvgwcyguctor.exe	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe
File opened for modification	C:\Windows\qvgwcyguctor.exe	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qvgwcyguctor.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133881253421933691"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	qvgwcyguctor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{FECE4EC7-8C9B-4FDB-A07F-B0691C669912}	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4680	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe
4992	qvgwcyguctor.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe
Token: SeDebugPrivilege	4992	qvgwcyguctor.exe
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe
Token: SeSecurityPrivilege	4692	WMIC.exe
Token: SeTakeOwnershipPrivilege	4692	WMIC.exe
Token: SeLoadDriverPrivilege	4692	WMIC.exe
Token: SeSystemProfilePrivilege	4692	WMIC.exe
Token: SeSystemtimePrivilege	4692	WMIC.exe
Token: SeProfSingleProcessPrivilege	4692	WMIC.exe
Token: SeIncBasePriorityPrivilege	4692	WMIC.exe
Token: SeCreatePagefilePrivilege	4692	WMIC.exe
Token: SeBackupPrivilege	4692	WMIC.exe
Token: SeRestorePrivilege	4692	WMIC.exe
Token: SeShutdownPrivilege	4692	WMIC.exe
Token: SeDebugPrivilege	4692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4692	WMIC.exe
Token: SeRemoteShutdownPrivilege	4692	WMIC.exe
Token: SeUndockPrivilege	4692	WMIC.exe
Token: SeManageVolumePrivilege	4692	WMIC.exe
Token: 33	4692	WMIC.exe
Token: 34	4692	WMIC.exe
Token: 35	4692	WMIC.exe
Token: 36	4692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe
Token: SeSecurityPrivilege	4692	WMIC.exe
Token: SeTakeOwnershipPrivilege	4692	WMIC.exe
Token: SeLoadDriverPrivilege	4692	WMIC.exe
Token: SeSystemProfilePrivilege	4692	WMIC.exe
Token: SeSystemtimePrivilege	4692	WMIC.exe
Token: SeProfSingleProcessPrivilege	4692	WMIC.exe
Token: SeIncBasePriorityPrivilege	4692	WMIC.exe
Token: SeCreatePagefilePrivilege	4692	WMIC.exe
Token: SeBackupPrivilege	4692	WMIC.exe
Token: SeRestorePrivilege	4692	WMIC.exe
Token: SeShutdownPrivilege	4692	WMIC.exe
Token: SeDebugPrivilege	4692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4692	WMIC.exe
Token: SeRemoteShutdownPrivilege	4692	WMIC.exe
Token: SeUndockPrivilege	4692	WMIC.exe
Token: SeManageVolumePrivilege	4692	WMIC.exe
Token: 33	4692	WMIC.exe
Token: 34	4692	WMIC.exe
Token: 35	4692	WMIC.exe
Token: 36	4692	WMIC.exe
Token: SeBackupPrivilege	5892	vssvc.exe
Token: SeRestorePrivilege	5892	vssvc.exe
Token: SeAuditPrivilege	5892	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5412	WMIC.exe
Token: SeSecurityPrivilege	5412	WMIC.exe
Token: SeTakeOwnershipPrivilege	5412	WMIC.exe
Token: SeLoadDriverPrivilege	5412	WMIC.exe
Token: SeSystemProfilePrivilege	5412	WMIC.exe
Token: SeSystemtimePrivilege	5412	WMIC.exe
Token: SeProfSingleProcessPrivilege	5412	WMIC.exe
Token: SeIncBasePriorityPrivilege	5412	WMIC.exe
Token: SeCreatePagefilePrivilege	5412	WMIC.exe
Token: SeBackupPrivilege	5412	WMIC.exe
Token: SeRestorePrivilege	5412	WMIC.exe
Token: SeShutdownPrivilege	5412	WMIC.exe
Token: SeDebugPrivilege	5412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5412	WMIC.exe
Token: SeRemoteShutdownPrivilege	5412	WMIC.exe
Token: SeUndockPrivilege	5412	WMIC.exe
Token: SeManageVolumePrivilege	5412	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5264	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4992	3104	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe	88
PID 3104 wrote to memory of 4992	3104	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe	88
PID 3104 wrote to memory of 4992	3104	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe	88
PID 3104 wrote to memory of 5112	3104	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe	90
PID 3104 wrote to memory of 5112	3104	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe	90
PID 3104 wrote to memory of 5112	3104	2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe	90
PID 4992 wrote to memory of 4692	4992	qvgwcyguctor.exe	94
PID 4992 wrote to memory of 4692	4992	qvgwcyguctor.exe	94
PID 4992 wrote to memory of 4680	4992	qvgwcyguctor.exe	114
PID 4992 wrote to memory of 4680	4992	qvgwcyguctor.exe	114
PID 4992 wrote to memory of 4680	4992	qvgwcyguctor.exe	114
PID 4992 wrote to memory of 5264	4992	qvgwcyguctor.exe	115
PID 4992 wrote to memory of 5264	4992	qvgwcyguctor.exe	115
PID 4992 wrote to memory of 5412	4992	qvgwcyguctor.exe	116
PID 4992 wrote to memory of 5412	4992	qvgwcyguctor.exe	116
PID 5264 wrote to memory of 4404	5264	msedge.exe	117
PID 5264 wrote to memory of 4404	5264	msedge.exe	117
PID 5264 wrote to memory of 548	5264	msedge.exe	119
PID 5264 wrote to memory of 548	5264	msedge.exe	119
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120
PID 5264 wrote to memory of 3924	5264	msedge.exe	120

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qvgwcyguctor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	qvgwcyguctor.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_5dedf87db9e8a051c614cf8afbe4c1cf_amadey_smoke-loader_teslacrypt.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\qvgwcyguctor.exe
  C:\Windows\qvgwcyguctor.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4992
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2e4,0x7ffd357ff208,0x7ffd357ff214,0x7ffd357ff220
      4⤵
      PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1696,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:3
      4⤵
      PID:548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2416,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=2388 /prefetch:2
      4⤵
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2180,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=2488 /prefetch:8
      4⤵
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
      4⤵
      PID:3976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3460,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
      4⤵
      PID:6072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4872,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:8
      4⤵
      PID:824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4812,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:8
      4⤵
      PID:6040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5036,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=5104 /prefetch:8
      4⤵
      PID:4788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5660,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:8
      4⤵
      PID:5488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5660,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:8
      4⤵
      PID:3624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:8
      4⤵
      PID:3764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6140,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:8
      4⤵
      PID:792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8
      4⤵
      PID:5860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6484,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=6000 /prefetch:8
      4⤵
      PID:2944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5780,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=6320 /prefetch:8
      4⤵
      PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5764,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:8
      4⤵
      PID:4272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2196,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:8
      4⤵
      PID:4876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5224,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=5888 /prefetch:8
      4⤵
      PID:4060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5668,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:8
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2744,i,478892342771085323,17705062991028496409,262144 --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:8
      4⤵
      PID:5228
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\QVGWCY~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\CMD.EXE /c start C:\Windows\qvgwcyguctor.exe
1⤵
PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
1ba5d4c841aaea38743cb9df51ffd619

SHA1
c6aa6ba6b5c6cf37268d51ff1fa727dad1d2c72d

SHA256
0b4ccc9db3c1f16f099a19bd5ffef39aa8357d6a4fd0738c6e4f2366b7deb653

SHA512
20da64ff56954962a691ed0807a07043d15aed7d1acaf1604fd96e354e89397c6052239f6b8ded996c4c18ee22558c4111cfb7525447fcff66d746bf62729b32

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
b624bb097c813b3b05ccd9cf08b5ffd3

SHA1
edf9b53a21c1375beac40dda1db2f2c54f93ce65

SHA256
93400d2e363baf8056b36b766249c2faaf60239f304145d241509d3ab40f44fa

SHA512
f9862810e3087cd35ea0d12c3bb3f25f0a882da8eabcfc289ba1ee271d5c207ba483af7db44fe4a627903fd29fd76147566c361f3c1fa00f84f00824cef7a585

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
c6acad043c867d69dd59cd0ecb0904e3

SHA1
0f0952820bb79bd66ab49dcf2d51f6097349dea8

SHA256
684f1f8b298ad9f0bb8ad07ff54bc6d39f4cfe3b55a04b827dca8435001ec32f

SHA512
0142ed14e325118c1ff956ad412501685071929c71b70a9e31466c07033871a82df137e78fc70e177e0f499f6f04175f39a4c6c3ee72842c3247cbe2b77d3fe1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5264_1877185602\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\92a2d45f-f828-4e75-bbe6-6a38de4ee1f3.tmp

Filesize
41KB

MD5
c2caf2c62e81da7a19e31482ac26b4f9

SHA1
e329b8737860546b3e06f28c9ceaf60bcab501ff

SHA256
44d126eadc872ab9449b1c1a00fd46256ddb03b04703e44e227eea5086ac3528

SHA512
0630e6146c1c0c11fd4395831976c9820bb579f17fed204c248512b1cef5dcff2f0519819ba30b31099b67fcf5d4c7ca88dc9a85f02b0197a30a1d59dc83eab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\eef98ee9-44a1-490a-9225-74005283c18c.tmp

Filesize
2KB

MD5
8efc3842c46a2d00adfe8e7d54cbefc9

SHA1
0b558e0dd6400d403cc8cd2a640c2e61dcdcd182

SHA256
1a0af37a64993a0575280e72cbcd4b8ca806f9f2b7214fae08b44e5331c91d28

SHA512
c5eb199371315e2088b7c3292029d1e3829ffa0dec68e027ffe03250089f0cdf02079ceb61e64e4e52ca5cc27560d26e4fb6ae762be51bc7d9fe94abc9a0a9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
5a9d406be2183b9a3fca7e64ef1edcf1

SHA1
03c3f8ed82d2eb86665df3dc4f9d17aeec0042f2

SHA256
bfa3f524025f1b2ed2b0c913939af942b23ef102eb60b6c2a29df6b9ec57e534

SHA512
f3594f84b8d26d238066f8141e41335873a064b88909543377e5219d9104f0174e8f66c8af8977190217f7c99b0812e359bf5b4d3f7439c611c14e49a0cb2b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
126be976120e32c34ff721e2d36b29c2

SHA1
ac112a442cb879353e2799b455cd9bfda8c9f0ff

SHA256
3b22c791b076e92cbad8bdb7c2919de3d464b16a07dc75e9eccd6b6dd383a9c0

SHA512
8ac29d0794b2ed48a28bb33d79c5cc61cbbe056a74a034eb09d065f8a5fc532aa6b8f9c0020cac81e520007841712fbac119529f1830b86b642c9bbb85a8d845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
6619f3ee8951ee5c3f3431ea306f3e11

SHA1
a451d52158e7973494f2b433c9231d3f86d417ae

SHA256
e8b04eebf88b91b44eb92b251f192a8f5c9e1d8e4e061640619c015cafc6f1bc

SHA512
ab088e6cacfcb2bb8b73d3b527998e642d424a41f0d121ba49e9be1e18c43ea84227b3071488a5dd0cc0904f7d2ca10ae28df0e3557cd65bd81e39cefdca1004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.9\data.txt.mp3

Filesize
113KB

MD5
73ee97e5cca0329b9224d0a55135b547

SHA1
1a608e2108b9b2138d6ff1886c3d2eb428e6b5f8

SHA256
c4d7688d450d0fa1c441d9c95382171d148f4e0c46a52b2b2ec4f8742e9604a0

SHA512
5322680248c249d25cde16bec6795b8871f98e62f88c81de22d7b20b1853657ae2553c18cb6ead7d0706c8f7075537194c7ac3b80c052300e5d0f42479384312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
50c13dc3077dd9c5eb5333e9df0cd031

SHA1
ea4dcd115a276870ff34fbaed33b237409e3406d

SHA256
76335c593e3aa52cc56df5ebddd969c432fa6624a4d669fea981a82a696847dc

SHA512
e1db5f30fb5eaff7f829260c66cce6cf10ab7f025b21e8f296f5be1c75cee174fd13a5b78f568e86bc25185c6d1b309384e17cf2cbca750824b03810188eb495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
084a3629532244e8fa50a82ba44e5ef7

SHA1
e0d2016fd03f3683178c789d33507101a683392e

SHA256
78c30a3a25a84918fe4c5699faa60f89ced882fa93b208f455b16fbef5018cc2

SHA512
b82d66f2b77a9523ebe8b47a984ed6bc29add47c71bfe60b2d670f7ac3ffd4293dddfa0f1d2da8b7bd004443aa1eff0d67bae2bde1d975dcc5d5eb412b2c6219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
ce7c5d7ceaeafab28d7f070c98ee9ede

SHA1
06adfdc36ef5c1acef40daec985ca57176f094de

SHA256
4989144f0055762c299d4bec0dbc6d5a04d2b65ef8254d2c48800837efeacc28

SHA512
bc8e4ed9faa960f219e093994dcd20bb72c977ebdd0e5b4a7280eb5b1b60f71a99d281ab3a7df3afd22e74e5ff236541260ef4d907c4a0d993edb5b9d419f5c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Notifications\0.0.0.46\arbitration_metadata.txt.mp3

Filesize
344KB

MD5
05c7e75a086a6de203f5ecf69cec0cd0

SHA1
102623baf902b8b04d5d82422bba7944daa61fd2

SHA256
372d10b23c57f52b904482370a5422a834e310fa8a7dfa840288876e04b52549

SHA512
69fcbc0c568c8e19f9c48cb446416d99036515e6446ab2a0410ffc27c7c3b072f379d3fa9b3e14323a50d877aeeac3919307af190661e0ec013b2ec681b22eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
d9d085a37e99ede23fe8aa9779776256

SHA1
a67cdfdbbd5a25709c691cf4066d0f6159c22a66

SHA256
7e59ad6c3b8b1763de101d8630caa888584c34bf7334c98f569952439f52c30f

SHA512
6939ea517999a3c08086386e7737306359e5eb039fc0fc43f927b69a8a0feb299a5a24e331a0fd36bd8a5eb0f914dfaf67404065486f8b0f9a4f2d05146f8e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
3ac61e85cba37983746b26af6ac196a4

SHA1
2fe5986430a57d07860247887dc300ffc97b8ecd

SHA256
a3270d85f817ece4da8c8a1c9fcd4aac7be8ef2eedec4358dbe75dee8890c301

SHA512
c1ebe259f8c1dab97ea4af339b7aa05e3a7eb690e51d41c4d6db53b1bec068ee1b17e0be5142c9aaea864a4dc283dbb9afaf92416f6b9fa7a543b4585a5c1134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
60d9ca4fe4d861254bb6af3435ca3442

SHA1
e23e0b2f3be51aee831497aeaf9aed2951da8e00

SHA256
0e39a4d43d13dbc7ff19ba3163e0c75be4b38f1be4294dc15b9639ba44e0219e

SHA512
dea2149a7d7d01d95e8d18db8cea33c470ece592c9526bd18633756ea0f8e397c2e43eb4084b3ced9fefd5db9456f1b35c7d5709d04b35d2de0f48968728ba66

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133864073409921483.txt

Filesize
77KB

MD5
bbb21cd90bce9c5417ab32713dc0f076

SHA1
35d25b6c616712f744cc6aa607ebdfbee33a826f

SHA256
c681e221e987b165cbbfb8d2dd34db83147cf320b35f2ae28fd7d4e986f4b75b

SHA512
a3683191c073d1c7bc569cfa8c56fdcf5b6fae93c32620e74a41be2f256ae366e86de004b5efd43afd05cfcc0b3c741184412d3ae99ef6787c3294afc25dbd3e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133864091773929558.txt

Filesize
87KB

MD5
3d36fe6cbcb766a9774a115d52068cb7

SHA1
33cb5c4ce20798987a813a50fc9d0e76df5dfaa9

SHA256
fcd3c753873350d2c1ad6e9f830a941d657b00f7b5310ba5b081349e33035cd0

SHA512
44b87743f5d5dfb71e70ffb15a38dac34c551719bfa03cad38d7ad296c0a5fa8f9ab0422ad69d1f2393fe5201519241a811eaf5747868200ffce1d077fdb451c

Download Submit
C:\Users\Admin\AppData\Local\Temp\de057f5d-cc49-4156-9431-8a15c9b59263.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5264_1239153101\0951a2e5-8fbc-4663-82aa-309e7e094cbe.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\_ReCoVeRy_+rwapn.html

Filesize
12KB

MD5
eed4ddc54c8abf3317ea97e4aa734ef0

SHA1
c7201a8de06a3995d65db26a9be6571970d9055e

SHA256
16798b7bf19d891dbc2289e44b79b8ab3a4b660d2015616a0e8c475beef08b8d

SHA512
e7a46c5997f67a77f812df946d09afc937d393873478634733de86a100d11e9ffddb696510472cc6e5631796f51a57899a55c39d27078e89e8335d7aad29ef0a

Download Submit
C:\Users\_ReCoVeRy_+rwapn.png

Filesize
65KB

MD5
bf9930b283491a132f7fd0277e895faa

SHA1
054ce29139d68a1e6c57bb9921f0c1cdc19b70bc

SHA256
0c3620c21a6fe7694840763a144635b8708c4b0631a347ce175ba796561c84ea

SHA512
053aac8028259529b8d093b2d125bfb876d16be713bc57db59956e2354923f423ab19e14d71f3e55a27814d2cb86822ff9e68a5cf757dc57e0863dfaaaeaac93

Download Submit
C:\Users\_ReCoVeRy_+rwapn.txt

Filesize
1KB

MD5
0362c43ccb32004fc160471b1aa7e3d8

SHA1
15efd221ef0917407c128b4d3c04f9aad5e1b384

SHA256
936c4f5edfccfb5d72ba926a2e27233dd19c655305457243554a7cce1af62a69

SHA512
a7a3584b369cee0c39d3709ab3c1a1dcd72263d9403f2c2573211889a22e4b7772155fae89d43e4efea3a399c4f8d48cea92d6ac58b8ebee332d1e031780a0dc

Download Submit
C:\Windows\qvgwcyguctor.exe

Filesize
252KB

MD5
5dedf87db9e8a051c614cf8afbe4c1cf

SHA1
b132e085aa9067eb7e5f26989b7fb5aea9ccc390

SHA256
64453e36ad52ff908dc80a8e6e4c86be8e06f5a7ab4b844f26a616016d766ece

SHA512
907263d3631e5b72cec8f94238406d508aa440a2c4210cb76c1ab5fb5d1ee5f4401c097ba9f57f5a3aacb2554631d96d08177a7c2bdab3e8a9cf0ad03a38b86f

Download Submit