Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    07-10-2024 21:33

General

  • Target

    1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe

  • Size

    356KB

  • MD5

    1e096e7c6ffb32332933f693d00c6795

  • SHA1

    28e7f909cbc28ca3af8af503111c5fc9f42502b7

  • SHA256

    963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256

  • SHA512

    8c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c

  • SSDEEP

    6144:C94ZeMgE+D+G+33DpgPgRArNZltP8aLK9cdfdCWJATnKH92tIrWuZ/kE7eVmhgst:C94ZeMgE+D+G+33DpgPqArrltP839Yfj

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twvcj.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/31AA1B2BB87F998D
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/31AA1B2BB87F998D
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/31AA1B2BB87F998D
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/31AA1B2BB87F998D
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/31AA1B2BB87F998D
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/31AA1B2BB87F998D
http://yyre45dbvn2nhbefbmh.begumvelic.at/31AA1B2BB87F998D
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/31AA1B2BB87F998D

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/31AA1B2BB87F998D

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/31AA1B2BB87F998D

http://yyre45dbvn2nhbefbmh.begumvelic.at/31AA1B2BB87F998D

http://xlowfznrg4wf7dli.ONION/31AA1B2BB87F998D

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (872) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Windows\cknnxfusdluq.exe
        C:\Windows\cknnxfusdluq.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\cknnxfusdluq.exe
          C:\Windows\cknnxfusdluq.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1180
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3944
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:1524
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4432
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe261446f8,0x7ffe26144708,0x7ffe26144718
              6⤵
              PID:664
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
              6⤵
              PID:2024
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
              6⤵
              PID:3212
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
              6⤵
              PID:3488
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
              6⤵
              PID:4488
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
              6⤵
              PID:2988
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
              6⤵
              PID:4848
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
              6⤵
              PID:4020
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
              6⤵
              PID:3196
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
              6⤵
              PID:2832
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
              6⤵
              PID:212
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
              6⤵
              PID:1228
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:720
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CKNNXF~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1E096E~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2988
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4868
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3972
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twvcj.html
    Filesize 12KB
    MD5 08da21c3705f679e8a03b4ac34def258
    SHA1 25aed94c7159a206b43b17749db7e0855ec3b57a
    SHA256 db2509f7ebd35fadc327568329225842331f8dfe722ad7793b1688e4394eb074
    SHA512 2640eef5cae4489f3a97cce56f0b617d02f708919eefe8af1b46603f88a8979d00fd981ee8b18c12d6403d41e6cf0dbe4a34850e59af2a72c10b125b9603941b

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twvcj.png
    Filesize 65KB
    MD5 baa00fb75d9491574bd4470833121267
    SHA1 a375c91092188dbc4e31ce27da86996aba3c1e88
    SHA256 6a7faab97df6dd74e7ebcc74128878ab60b639c4c996ee44869b59077677b7c2
    SHA512 55b6784a494bfef465f83aad8ea38903c74b6e18857e44422619c692d157850db315eb46ff596b12290a333119cf6d44d81b1b1072cb914156248ebc4a3409fc

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twvcj.txt
    Filesize 1KB
    MD5 a50317f8f74f8897e92397fe781c6da5
    SHA1 913529a938c6e33dde968cf00d2234bf4ba881b6
    SHA256 a58e8a498a7832d47ae0fdc064fd695086829294688152f3f81b38f21461773e
    SHA512 e80989d6b6b0412f9dad68a0a1bc805b8d848c57cc6f6fd45cb8b6aac7c83a1c91321380c230c487006f7c39c6ed7c5d6f7d3e53f7ac2e9ade1d471c52608bac

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize 560B
    MD5 a5d18b6561133987b50103a1789cca6f
    SHA1 c8df61bc666a52c7900f34f486e00938709594db
    SHA256 a3e7bd5677eaab13a8877e182ee4e2bfbeac760fa856857ed82d31337d5e7dfe
    SHA512 b2c7189bceb7580c23edd4e98a0dc827edd3301fe7821ebe6eb65c1d66af5ed562fca0fc69baea41a4507f1732db4e7ebd94799c1f3b8bfab29aaa46cf7bfad3

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize 560B
    MD5 0e308d6da91c8139494e0f4d7d98625f
    SHA1 949e7219df1a66b05551c75459a1af1623e6ff70
    SHA256 54dd433ca5e732d63f0b43a1abc9d11b4ef87dfc728769234729812bbfa09eee
    SHA512 9e82b3d8c01da653134e71d7d5b5b6695bf049b5f26261c5f812ecfc5de733bf90773825bfc031cc7dded893414b6bada26f7b6420c6c34f6b7215a5d805f965

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize 416B
    MD5 173e082c9ce3b9c9c2e81b3da1844f46
    SHA1 3b73cdd3caec44af7aa862482d8918aefc5ad397
    SHA256 eeb4e2c9dbfdc805538baa8bcded6c7cad14c4a91e640363be83050947f969f8
    SHA512 1fd27f3847f548a974c7a8c099354e417418161201c970d343ba6c96dce786085b427e168d8ded57ed47ec8ae256285c6dfec79f8ecc205d01427a4f822c56c7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 37f660dd4b6ddf23bc37f5c823d1c33a
    SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
    SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
    SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5 d7cb450b1315c63b1d5d89d98ba22da5
    SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
    SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
    SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
    MD5 022085245f3c85686bf17bfc97a50464
    SHA1 646ac9e0d28250feccfcf609abd1b44df74d2fb5
    SHA256 8962d69d2205df80533c06833172e94fec5cb0a04fdf6b640487161944f94b9b
    SHA512 49a79cdf4b8858b2b22bf408d432db18ef1fcf1e474af0db3335359f8a03d308336bbd9c0d5dde383acbc11a84c143018e1802d47fcb13b45ebda876c661ea6a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
    MD5 1477ea3b6152f6c9476b59d508cda116
    SHA1 c401e2aaa84d8ac2247a4ac5504b0fa69aab2254
    SHA256 f87d9067ee7c003114217a2cb7f91797c8de2a86c568b99a504bffc620eb4386
    SHA512 f014d50c64815f26d8e1da9defa35065a20e99e3c6d0517b9506d6c8e4f781eb63450035de6362e63afb60f084118c3ff10c920b4627bd4af56a802fee10d8b7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize 16B
    MD5 6752a1d65b201c13b62ea44016eb221f
    SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize 10KB
    MD5 67ca0b4d4e80b1d556cbe31a202171c2
    SHA1 21940dd7a087ab9ba5c33d372b69021651a56533
    SHA256 cb5f4c6e8ab9bbfaa593404b761c806ba111fa830921fa22dfc029686885cd43
    SHA512 a838267ff11d63453eccf64d8e1dcd7147d6b306e7aae7a4028e69d69c09aa0d02d691f7b749a578ced5ca14cf49e58d4043fff62c52adbbac51877e005760df

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt
    Filesize 77KB
    MD5 ce879ac914f9d6a416102e319db4dcc5
    SHA1 5ee641bc21612151682a3f480cb38641bfcdab94
    SHA256 46d219a89e67b3d8a1d06fe788773d183d1511bdb48b0fd3894a0fcb7e3ada56
    SHA512 7220100d701265aec27caf71257766448e44327ccd1afc0cfaf8da2d6bac79a874ea0c7cd1fc23426e03160c35af9b2ae457f98c8b3a8b67072cf85d162718f7

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt
    Filesize 47KB
    MD5 8bbd94c93d47f40ade7225f396ee5c1a
    SHA1 f39435ae26e91d591875eccd6cffb1298dc9f134
    SHA256 839c5f464d01636b4fc1c83731722acd1a36ec49ad1ed3263d2d91710a013304
    SHA512 784cec555e95f2a9e9aa8b0e31b2d349c909047654beaf315ea58845143d5b7594f4ff07a4a46943cd2f5f873ee397f4e366356ed3fb90d0b1f91a0641ce0df8

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt
    Filesize 74KB
    MD5 31c713c5f882f3a6fdb25127a6ce4ffe
    SHA1 648941512af20e5b342507682ea161f3d50ad3ef
    SHA256 4791d511043ce681ffb6d33688b04e51d1f1a0047df40530b9692e055d17a381
    SHA512 9849bc926064149b4f8ad066c30103cf4ba3bbe17e1eee2ba6043defa08159f58f0854c8bd7b1293a214f2828fefcb01ec975cfd5aaaae3e9b0b3fab33ee0123

  • C:\Windows\cknnxfusdluq.exe
    Filesize 356KB
    MD5 1e096e7c6ffb32332933f693d00c6795
    SHA1 28e7f909cbc28ca3af8af503111c5fc9f42502b7
    SHA256 963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
    SHA512 8c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c

  • \??\pipe\LOCAL\crashpad_4432_QVBGWDTCAMMAMSTT
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1008-0-0x0000000000630000-0x0000000000634000-memory.dmp
    Filesize 16KB

  • memory/1008-3-0x0000000000630000-0x0000000000634000-memory.dmp
    Filesize 16KB

  • memory/1008-1-0x0000000000630000-0x0000000000634000-memory.dmp
    Filesize 16KB

  • memory/1180-18-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-10537-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-25-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-2561-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-2562-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-5213-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-24-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-21-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-20-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-8551-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-10536-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-952-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-10545-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-10547-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-19-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/1180-10602-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3216-5-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3216-6-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3216-15-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3216-4-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/3216-2-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize 536KB

  • memory/5004-12-0x0000000000400000-0x00000000004DF000-memory.dmp
    Filesize 892KB