Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-10-2024 21:56

General

  • Target

    1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe

  • Size

    352KB

  • MD5

    1e1def42d14365acdde0fab027ab4f73

  • SHA1

    076c52faa6c76610fca15b8533e81bf8ba8133a8

  • SHA256

    92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23

  • SHA512

    c93298bc25a818114018cb51a3b0e4c3137b46633dabb6a17303f12473e58d64e19c39c14f307c0df9e0e4202171d2ab22eaef2bf3f7b35e5b9b7a114eb7d722

  • SSDEEP

    6144:5Meb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:5Tb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Malware Config

Extracted

  • Path
    C:\Program Files\7-Zip\Lang\_ReCoVeRy_+jdyxi.txt
  • Family
    teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/27FDC1DB33910
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/27FDC1DB33910
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/27FDC1DB33910
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/27FDC1DB33910
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/27FDC1DB33910
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/27FDC1DB33910
http://yyre45dbvn2nhbefbmh.begumvelic.at/27FDC1DB33910
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/27FDC1DB33910
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/27FDC1DB33910

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/27FDC1DB33910

http://yyre45dbvn2nhbefbmh.begumvelic.at/27FDC1DB33910

http://xlowfznrg4wf7dli.ONION/27FDC1DB33910
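The four URLs above share one path token, 27FDC1DB33910, which is the per-victim identifier; the three clearnet hosts are throwaway subdomains of gateway domains that change between campaigns, while the .onion address is the durable indicator. The script below is an added example, not part of the sandbox report: it pulls the gateway domains, the hidden service and the victim token out of the note text (the excerpt is transcribed from the note above) and skips the benign help links (Wikipedia, Tor Project, Google Translate). The registrable-domain guess uses the last two labels only, which is an assumption that a production tool would replace with a Public Suffix List lookup.

```python
"""Pull network indicators out of a TeslaCrypt ransom note (added example)."""
import re

# Excerpt of the ransom note shown above, transcribed from the report.
NOTE = """NOT YOUR LANGUAGE? USE https://translate.google.com
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/27FDC1DB33910
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/27FDC1DB33910
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/27FDC1DB33910
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3 - Type in the address bar: xlowfznrg4wf7dli.onion/27FDC1DB33910
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/27FDC1DB33910
http://xlowfznrg4wf7dli.ONION/27FDC1DB33910
"""

# Hosts the note links to for "help"; they are not indicators of the campaign.
BENIGN_HOSTS = {"translate.google.com", "en.wikipedia.org", "www.torproject.org"}

# Scheme-prefixed URLs, and bare onion addresses (16-char v2 or 56-char v3
# labels) that the note gives without a scheme.
HTTP_RE = re.compile(r"https?://([^\s/]+)(/[^\s]*)?", re.I)
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b(/[^\s]*)?", re.I)
# Victim token: a run of at least 8 hex digits forming a path component.
TOKEN_RE = re.compile(r"/([0-9a-f]{8,})\b", re.I)


def extract_iocs(note: str) -> dict:
    """Return gateway hosts/domains, onion services and victim tokens found in note."""
    gateways, onions, tokens = set(), set(), set()

    def record(host: str, path: str) -> None:
        host = host.lower().rstrip(".")
        if host in BENIGN_HOSTS:
            return
        (onions if host.endswith(".onion") else gateways).add(host)
        m = TOKEN_RE.search(path)
        if m:
            tokens.add(m.group(1).upper())

    for m in HTTP_RE.finditer(note):
        record(m.group(1), m.group(2) or "")
    for m in ONION_RE.finditer(note):
        record(m.group(1) + ".onion", m.group(2) or "")

    return {
        "gateway_hosts": sorted(gateways),
        # Assumption: registrable domain == last two labels. Good enough for
        # .at/.com here; use the Public Suffix List for .co.uk-style TLDs.
        "gateway_domains": sorted({".".join(h.split(".")[-2:]) for h in gateways}),
        "onion_services": sorted(onions),
        # One token across every URL means they all point at the same victim page.
        "victim_tokens": sorted(tokens),
    }


if __name__ == "__main__":
    for key, values in extract_iocs(NOTE).items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

Block on the gateway domains rather than the full hostnames, since the random subdomain labels are regenerated per campaign, and pivot on the onion address and the victim token when searching other hosts for notes from the same infection.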

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family that imitated CryptoLocker's ransom notes. The "RSA4096" claim in the note is a bluff: files were encrypted with AES and the key material was protected with elliptic-curve (ECDH) key exchange. The developers shut the operation down in 2016 and published the master key, so files encrypted by this family can usually be recovered with a public decryptor rather than by paying.

  • Deletes shadow copies 3 TTPs

    Ransomware deletes Volume Shadow Copies so that "Previous Versions" and System Restore cannot be used to recover encrypted files. In this run the dropped copy invokes WMIC.exe shadowcopy delete /nointeractive twice (PIDs 4180 and 1960 in the process tree).

  • Renames multiple (856) files with added filename extension

    Appending an extension to hundreds of files in a single run is characteristic of ransomware encrypting everything it can reach on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Reads the country code configured in the registry, most likely a geofence check to avoid infecting hosts in particular locales.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers target stored browser data, which can include saved credentials. For a ransomware sample this is just as likely to be the encryption loop walking the browser profile directory, so treat the signature as a weak indicator on its own.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    The sample removes its own traces: the dropped copy in C:\Windows and the original executable in %TEMP% are both deleted with cmd.exe /c DEL once the run completes (see the process tree).

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates installed browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s); for ransomware, usually to find further volumes to encrypt.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather the system language of the victim host in order to infer its geographical location.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. The vssvc.exe process at the top level of the tree is that service being started on demand to satisfy the shadow copy deletion request.
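The "Renames multiple (856) files with added filename extension" signature is a count of renames in which the new name is the old name with one more extension appended. The code below is an added example, not part of the sandbox report, applying the same idea to a stream of file-rename events: it only counts renames that preserve the original name and extension, keeps a per-process sliding time window, and fires when a single process crosses a threshold within that window, so a user renaming a few files to .bak does not trigger it. The event fields, the ".locked" extension and the threshold are constructed for the example; the page does not state which extension this sample appended.

```python
"""Detect a ransomware-style rename burst from file-rename telemetry (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RenameEvent:
    ts: float       # seconds; field names mimic Sysmon-style telemetry (assumption)
    pid: int
    old_path: str
    new_path: str


def appends_extension(old_path: str, new_path: str) -> bool:
    """True when new_path is old_path plus one extra '.ext', i.e. the original
    name and its own extension survive, which is how this sample renamed files."""
    if not new_path.lower().startswith(old_path.lower() + "."):
        return False
    suffix = new_path[len(old_path) + 1:]
    return 0 < len(suffix) <= 10 and suffix.isalnum()


def detect_rename_bursts(events: Iterable[RenameEvent], threshold: int = 20,
                         window: float = 60.0) -> Dict[int, int]:
    """Return {pid: peak qualifying renames inside `window` seconds} for every
    process that appended an extension to at least `threshold` files."""
    recent: Dict[int, deque] = defaultdict(deque)   # pid -> timestamps in window
    hits: Dict[int, int] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not appends_extension(ev.old_path, ev.new_path):
            continue
        q = recent[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[ev.pid] = max(hits.get(ev.pid, 0), len(q))
    return hits


def sample_events() -> List[RenameEvent]:
    """Constructed telemetry: one encryptor-like process (PID 1164, as in the
    tree below) renaming 25 documents in five seconds, and a user process that
    makes one .bak copy and one ordinary rename."""
    evs = []
    for i in range(25):
        p = f"C:\\Users\\Admin\\Documents\\file{i}.docx"
        evs.append(RenameEvent(1000.0 + i * 0.2, 1164, p, p + ".locked"))
    docs = "C:\\Users\\Admin\\Documents\\"
    evs.append(RenameEvent(1003.0, 777, docs + "report.docx", docs + "report.docx.bak"))
    evs.append(RenameEvent(1004.0, 777, docs + "old.txt", docs + "new.txt"))
    return evs


if __name__ == "__main__":
    for pid, count in detect_rename_bursts(sample_events()).items():
        print(f"PID {pid}: {count} files renamed with an appended extension")
```

The threshold is the tuning knob: this run produced 856 such renames, so a threshold in the tens catches it early while staying clear of backup tools that append an extension to a handful of files.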

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044

    • C:\Windows\iuawrbajtfmk.exe
      C:\Windows\iuawrbajtfmk.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1164

      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4180

      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2376

      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5040

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd6f7046f8,0x7ffd6f704708,0x7ffd6f704718
          4⤵
          PID:4020

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
          4⤵
          PID:4672

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
          4⤵
          PID:3848

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
          4⤵
          PID:4708

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:1
          4⤵
          PID:844

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1
          4⤵
          PID:4804

        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
          4⤵
          PID:3384

        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
          4⤵
          PID:3276

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
          4⤵
          PID:4496

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
          4⤵
          PID:1028

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
          4⤵
          PID:3516

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
          4⤵
          PID:1444

      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1960

      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IUAWRB~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1448

    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1E1DEF~1.EXE
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2272

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3636

  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4576

  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1144

Indentation follows the depth markers (1⤵ to 4⤵): the second WMIC call and the two cmd.exe /c DEL children belong to the dropper chain, not to the Edge process tree that displays the ransom note. For the NOTEPAD.EXE and cmd.exe children the command line names system32 while the image that ran is under SysWOW64: that is WOW64 file-system redirection, which means the parent (the dropped copy) is a 32-bit process. The DEL targets use 8.3 short names (IUAWRB~1.EXE for iuawrbajtfmk.exe, 1E1DEF~1.EXE for the original sample), which is worth remembering when matching self-deletion commands against the parent image path.
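Three behaviours in the tree above are cheap to detect from process-creation telemetry: shadow copy deletion via WMIC, the sample deleting its own image through cmd.exe /c DEL (using an 8.3 short name), and the ransom note being opened in Notepad or Edge. The code below is an added example, not part of the sandbox report. The event list is constructed from the command lines shown in the tree; the field names and the handling of vssadmin "delete shadows" (not seen in this run) are assumptions, and the 8.3 short-name matcher is a simplification that ignores the ~2, ~3 collision suffixes.

```python
"""Flag ransomware behaviours in process-creation events (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # image path as logged by the sensor (assumed field names)
    cmdline: str


# Constructed from the process tree above (PPID 0 = parent not in scope).
EVENTS = [
    Proc(3044, 0, r"C:\Users\Admin\AppData\Local\Temp\1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe"'),
    Proc(1164, 3044, r"C:\Windows\iuawrbajtfmk.exe", r"C:\Windows\iuawrbajtfmk.exe"),
    Proc(4180, 1164, r"C:\Windows\System32\wbem\WMIC.exe",
         r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    Proc(2376, 1164, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT'),
    Proc(5040, 1164, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM'),
    Proc(1960, 1164, r"C:\Windows\System32\wbem\WMIC.exe",
         r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    Proc(1448, 1164, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IUAWRB~1.EXE'),
    Proc(2272, 3044, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1E1DEF~1.EXE'),
]

# wmic "shadowcopy delete" (seen here) or vssadmin "delete shadows" (assumed).
SHADOW_RE = re.compile(r"\bshadowcopy\s+delete\b|\bdelete\s+shadows\b", re.I)
# cmd /c DEL [switches] <target>
DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s]+)', re.I)
# Family-specific note name from this report; generalise per family.
NOTE_RE = re.compile(r"_ReCoVeRy_[^\\\s]*\.(?:txt|html?)\b", re.I)


def short_name_matches(long_path: str, candidate: str) -> bool:
    """Does `candidate` name the same file as `long_path`, verbatim or as its
    8.3 short name (first six stem characters, '~N', three-letter extension)?
    Simplified: spaces/dots are dropped from the stem, collisions are ignored."""
    lp, cp = PureWindowsPath(long_path), PureWindowsPath(candidate)
    if str(lp).lower() == str(cp).lower():
        return True
    if str(lp.parent).lower() != str(cp.parent).lower():
        return False
    m = re.fullmatch(r"([A-Z0-9_]{1,6})~\d+(\.[A-Z0-9]{1,3})?", cp.name, re.I)
    if not m:
        return False
    stem = re.sub(r"[ .]", "", lp.stem).upper()[:6]
    ext = lp.suffix.upper()[:4]
    return m.group(1).upper() == stem and (m.group(2) or "").upper() == ext


def detect(procs: Iterable[Proc]) -> List[Tuple[str, int, int]]:
    """Return (rule, pid, ppid) for each process matching a rule."""
    procs = list(procs)
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        exe = PureWindowsPath(p.image).name.lower()
        parent = by_pid.get(p.ppid)
        if exe in {"wmic.exe", "vssadmin.exe"} and SHADOW_RE.search(p.cmdline):
            alerts.append(("shadow_copy_deletion", p.pid, p.ppid))
        elif exe == "cmd.exe" and parent is not None:
            m = DEL_RE.search(p.cmdline)
            # Self-deletion: the DEL target is the parent's own image.
            if m and short_name_matches(parent.image, m.group(1)):
                alerts.append(("self_deletion", p.pid, p.ppid))
        elif exe in {"notepad.exe", "msedge.exe"} and NOTE_RE.search(p.cmdline):
            alerts.append(("ransom_note_displayed", p.pid, p.ppid))
    return alerts


if __name__ == "__main__":
    for rule, pid, ppid in detect(EVENTS):
        print(f"{rule:24} pid={pid} ppid={ppid}")
```

The self-deletion rule needs the parent's image path, so it must run over a process tree rather than over isolated events; without the 8.3 match, DEL C:\Windows\IUAWRB~1.EXE would never be tied back to iuawrbajtfmk.exe.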

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+jdyxi.html
    Filesize  11KB
    MD5       d8217c1bd248393899b6119a0cb51adb
    SHA1      32b7bf77df34699d65d76d558df116831c6cb696
    SHA256    901c977940d1a709e09bde9f89456b0e453ef812989caaa1be10d355e65e0c46
    SHA512    4b1eca843b51217f23cfd7304de4269eea4807b953e2fc2241ca8b40ccfa280f25d1052d06cab30d3cd0a8b139f9dacc7da7af9276a09b5625c5d34785ca1b31

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+jdyxi.png
    Filesize  64KB
    MD5       d833c664fdcd0575783d4d013e2ac4d6
    SHA1      84321af272f0ef388d33551ce5ee12ce6d37f48f
    SHA256    1fa15ebba0ce791c9452f8f4184ff00b99fb65d9ccac478cb5d2e1e4e419084f
    SHA512    2c9813952abc49e2addc1a2479be738d10f26ce0f8978c6a83a3cf4cebe9a4b5b84ce4eb563a0916b9ddd1bb94c00b62e68dd0972b24a433aab65f67eaeab111

  • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+jdyxi.txt
    Filesize  1KB
    MD5       d3860d08e01f7f7f6c86a96d0e090116
    SHA1      3bb7c7515829a559cee052e157e3c955c388a8f5
    SHA256    57223983a68d73e83fdc82f8abb5c96a48d601ffe1eb86b5c7d70a6b57bf6f2c
    SHA512    1428b3aefd3e4619449309cfec618cada1f9d7ba1df2b94dbecea7a59970d171e663834dff3e05e45c88896a60b3fa7c91f1a098d9b00c406d4c89bf2c5dc0a9

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize  560B
    MD5       86ab66923869f479b9d2ee124e47a840
    SHA1      a5c3ea930d55a438aa184234bcebbd2c9e176ea3
    SHA256    b7589eb5cb9b68094accc1dbe85e600de68c75be1b7b5c8fd6049be3a4b351f9
    SHA512    b6346acc5eebb7f39dd6ba520108d70302c3288abc04b5d245d1a2b127c5650cced9b925e5a3478c239dfb1a68512dfb70362ccad3e774efcd17e5d0523f3188

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize  560B
    MD5       1bf5525b50f2455a1d7bca5ab65a05f9
    SHA1      bc97cc6dfb7ada351ae4d20b41aedf1ea0df90df
    SHA256    ad4dc82353389fa396b70da62bae56aca644c5961070f4ac2b8c1b6851045449
    SHA512    1d6663d20631e4f8239795b912748bdde52fc19a30e9422a58dc515e5591fe21d06642339da439a70ba98fb6413a159d462a137a01d4841b00e37d1d973fa17d

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize  416B
    MD5       df869f70aa5ce750bd09bd0354b27f1d
    SHA1      115760f0659f23b52913f9dd253153c6f315288b
    SHA256    e31150c3f75c6855936475060201256ce987edc27a194e0a9b7803b67facdab4
    SHA512    011c3a3cd5aa7552d3c8e9487e6addcc82dd0091c731f4cae7771e932a47c021d8e362d35333db32ce86e024e258befc8a4ea63731a95654f4bb77d7545103f6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize  152B
    MD5       34d2c4f40f47672ecdf6f66fea242f4a
    SHA1      4bcad62542aeb44cae38a907d8b5a8604115ada2
    SHA256    b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
    SHA512    50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize  152B
    MD5       8749e21d9d0a17dac32d5aa2027f7a75
    SHA1      a5d555f8b035c7938a4a864e89218c0402ab7cde
    SHA256    915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
    SHA512    c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize  6KB
    MD5       9f5fd46c0a733b3c000359d2f00f91b5
    SHA1      3cb1dcf11a67567bcc1bff9ba84d200f1c085b33
    SHA256    8ca168c94de045ab25be399675493bd338338a8840c8559f1b6d1ffd11d4491e
    SHA512    31f9febe078aded689fea00b07bc81d5dda87d41478d86da44d7b1ebda3ab1f77828684e221d67129cd388fb4d10222d31804253a47f1839e495f9b69758792e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize  6KB
    MD5       73342c502950c6f3df6279b9a3ba3dc3
    SHA1      d147e1f242855027c14ae881aba7bb39c6b43f0d
    SHA256    a9daed248a760830f080a4fcf60b5dfd51b18a6059b60ba1c1230641ffce9c48
    SHA512    8bcf949a174a6e64bf130a5c15c6aad8af8fb3cbf2cc62d3637cd455dbda409c0f5cc61b06301c99f9061a94d18513ba07541a41bb882d67d3faf9a0281cf2bd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize  16B
    MD5       206702161f94c5cd39fadd03f4014d98
    SHA1      bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize  16B
    MD5       46295cac801e5d4857d09837238a6394
    SHA1      44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize  10KB
    MD5       b1f59c366dbb9ca6b5c37176e3c34fd9
    SHA1      fe92f008b27b008a0738b54da9e6debcfa9384a1
    SHA256    2f880003903f79865692fee451b60da47f22a64c4d9d9226eb3704c8cc4d0b86
    SHA512    420ad83f218f2518649583d40eb81426585c5d89fc45ac9a4dcae0de3f6499e0ee08bc56fce210b0dae549ea743145e09c4f61fe18dde55e2c5cb40f65dff094

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662360645001.txt
    Filesize  77KB
    MD5       ef28fe027687100ff4b20f252421b7d3
    SHA1      fb69109a13423fc47878c8e246732fc1b0da2a81
    SHA256    a691c8bf5d00cc442dfc7e6736f55089427da32c0103cb0524df31df70d71be9
    SHA512    fc723646663c948968729768af9c82aba2cfe0a225631c9a146fc5d55b2699aa75faedf0c7030f706d6eb16d166c22161ebd9cb9513990b6f6fd34864a7171e1

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663623337830.txt
    Filesize  47KB
    MD5       85f0252102664d6407a1f12016bd8d2d
    SHA1      0dc2ac38c47c403821cfa6007782bfb38e4d7bc2
    SHA256    0cb7fba553d7580b139fd62370e059e913593d9c4e443741b268c3de07008ce4
    SHA512    7faaf2c3704c9d96481d691b99359553e30d7f4b6578acc6c716640b43f0cd0734463bd26b4bf6f6d886ef6842d9650ed8a6a4a7b5dbac0332b265c61ec112d1

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671211214398.txt
    Filesize  74KB
    MD5       f0d121798a0cc14addb4b779cd98dafc
    SHA1      13ba5323f6d6705079d1c63eef17488f13f5ab0f
    SHA256    e8457fcb652efe77dd1912a631bf7981c51dcebab263b6d595dcfc34c33fdf4b
    SHA512    4df2ed84bd1180a24ecfc4f901d977a5286400f00494b3fb88158db11f91a91388c93ce402e8a1f081de676a06d31d8c84dcc2b955e805ca70a8e0a3f23df1b9

  • C:\Windows\iuawrbajtfmk.exe
    Filesize  352KB
    MD5       1e1def42d14365acdde0fab027ab4f73
    SHA1      076c52faa6c76610fca15b8533e81bf8ba8133a8
    SHA256    92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23
    SHA512    c93298bc25a818114018cb51a3b0e4c3137b46633dabb6a17303f12473e58d64e19c39c14f307c0df9e0e4202171d2ab22eaef2bf3f7b35e5b9b7a114eb7d722
    (Same digests as the submitted sample in General: the file dropped into C:\Windows is a byte-identical copy, so one hash IOC covers both.)

  • \??\pipe\LOCAL\crashpad_5040_SYPVFPYKOVLTBNZN
    MD5       d41d8cd98f00b204e9800998ecf8427e
    SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    (No size reported, and all four digests are those of empty input: the Edge crashpad named pipe had no content to hash. Not an indicator.)

  • memory/1164-2408-0x0000000002180000-0x0000000002206000-memory.dmp
    Filesize  536KB

  • memory/1164-10480-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize  624KB

  • memory/1164-8589-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize  624KB

  • memory/1164-5162-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize  624KB

  • memory/1164-10524-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize  624KB

  • memory/1164-11-0x0000000002180000-0x0000000002206000-memory.dmp
    Filesize  536KB

  • memory/1164-2401-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize  624KB

  • memory/3044-1-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize  624KB

  • memory/3044-0-0x00000000007C0000-0x0000000000846000-memory.dmp
    Filesize  536KB

  • memory/3044-10-0x00000000007C0000-0x0000000000846000-memory.dmp
    Filesize  536KB

  • memory/3044-9-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize  624KB
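Most of the dropped-file list above is noise from Edge rendering the ransom note (Preferences, settings.dat and CURRENT each appear twice with different hashes because the browser rewrote them), and one entry is a named pipe whose digests are those of empty input. The code below is an added example, not part of the sandbox report, for triaging such a list: it finds byte-identical copies of the submitted sample by SHA256, groups the _ReCoVeRy_+xxxxx note files by directory and random suffix, flags entries whose digests equal a freshly computed empty-input digest instead of matching magic constants, and reports paths that were written more than once. The entries are a subset transcribed from the table above; the field names are assumptions.

```python
"""Triage a sandbox dropped-files list (added example)."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Dropped:
    path: str
    size: str       # as reported, e.g. "352KB"; informational only
    md5: str
    sha256: str


SAMPLE_SHA256 = "92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23"

# Subset of the Downloads table above, transcribed from the report.
DROPS = [
    Dropped(r"C:\Program Files\7-Zip\Lang\_ReCoVeRy_+jdyxi.html", "11KB",
            "d8217c1bd248393899b6119a0cb51adb",
            "901c977940d1a709e09bde9f89456b0e453ef812989caaa1be10d355e65e0c46"),
    Dropped(r"C:\Program Files\7-Zip\Lang\_ReCoVeRy_+jdyxi.png", "64KB",
            "d833c664fdcd0575783d4d013e2ac4d6",
            "1fa15ebba0ce791c9452f8f4184ff00b99fb65d9ccac478cb5d2e1e4e419084f"),
    Dropped(r"C:\Program Files\7-Zip\Lang\_ReCoVeRy_+jdyxi.txt", "1KB",
            "d3860d08e01f7f7f6c86a96d0e090116",
            "57223983a68d73e83fdc82f8abb5c96a48d601ffe1eb86b5c7d70a6b57bf6f2c"),
    Dropped(r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences", "6KB",
            "9f5fd46c0a733b3c000359d2f00f91b5",
            "8ca168c94de045ab25be399675493bd338338a8840c8559f1b6d1ffd11d4491e"),
    Dropped(r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences", "6KB",
            "73342c502950c6f3df6279b9a3ba3dc3",
            "a9daed248a760830f080a4fcf60b5dfd51b18a6059b60ba1c1230641ffce9c48"),
    Dropped(r"C:\Windows\iuawrbajtfmk.exe", "352KB",
            "1e1def42d14365acdde0fab027ab4f73",
            "92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23"),
    Dropped(r"\??\pipe\LOCAL\crashpad_5040_SYPVFPYKOVLTBNZN", "",
            "d41d8cd98f00b204e9800998ecf8427e",
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# Computed, not hard-coded: the digests of zero-length input.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
# Ransom note naming used by this family: _ReCoVeRy_+<random>.{txt,html,png}
NOTE_RE = re.compile(r"^_ReCoVeRy_\+([a-z0-9]+)\.(txt|html?|png)$", re.I)


def split_path(path: str) -> Tuple[str, str]:
    """(directory, basename) for a Windows path, without touching the filesystem."""
    parent, _, name = path.rpartition("\\")
    return parent, name


def sample_copies(drops: Iterable[Dropped], sha256: str = SAMPLE_SHA256) -> List[str]:
    """Paths whose content is byte-identical to the submitted sample."""
    return [d.path for d in drops if d.sha256.lower() == sha256.lower()]


def ransom_note_sets(drops: Iterable[Dropped]) -> Dict[Tuple[str, str], List[str]]:
    """{(directory, random suffix): sorted note formats} for each note set dropped."""
    sets = defaultdict(set)
    for d in drops:
        parent, name = split_path(d.path)
        m = NOTE_RE.match(name)
        if m:
            sets[(parent, m.group(1))].add(m.group(2).lower())
    return {k: sorted(v) for k, v in sets.items()}


def empty_content(drops: Iterable[Dropped]) -> List[str]:
    """Entries that were hashed with no content (pipes, zero-byte files)."""
    return [d.path for d in drops if d.md5 == EMPTY_MD5 or d.sha256 == EMPTY_SHA256]


def rewritten_paths(drops: Iterable[Dropped]) -> Dict[str, int]:
    """Paths reported with more than one distinct content hash."""
    seen = defaultdict(set)
    for d in drops:
        seen[d.path].add(d.sha256)
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    print("copies of sample:", sample_copies(DROPS))
    print("ransom note sets:", ransom_note_sets(DROPS))
    print("empty content:   ", empty_content(DROPS))
    print("rewritten paths: ", rewritten_paths(DROPS))
```

Run against the full table, the copy check confirms that iuawrbajtfmk.exe needs no separate hash IOC, and the note grouping gives the per-infection suffix (jdyxi here) that can be used to find every directory the encryptor touched.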