Analysis

  • max time kernel: 139s
  • max time network: 126s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09-10-2024 00:43

General

  • Target: 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
  • Size: 388KB
  • MD5: 27e887aa14f3890a72f06ec5d0759f20
  • SHA1: 8bacf22533725fd98c254c8eb6852edbe225a0ef
  • SHA256: 91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267
  • SHA512: 56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089
  • SSDEEP: 12288:LhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:F4DRw7325gPh

Malware Config

Extracted

Path: C:\Program Files\7-Zip\Lang\Recovery+mbovf.txt

Family: teslacrypt

Ransom Note:

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/3469FBB2D6B9F5
2. http://kkd47eh4hdjshb5t.angortra.at/3469FBB2D6B9F5
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/3469FBB2D6B9F5

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/3469FBB2D6B9F5
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/3469FBB2D6B9F5
http://kkd47eh4hdjshb5t.angortra.at/3469FBB2D6B9F5
http://ytrest84y5i456hghadefdsd.pontogrot.com/3469FBB2D6B9F5
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/3469FBB2D6B9F5

URLs:

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/3469FBB2D6B9F5
http://kkd47eh4hdjshb5t.angortra.at/3469FBB2D6B9F5
http://ytrest84y5i456hghadefdsd.pontogrot.com/3469FBB2D6B9F5
http://xlowfznrg4wf7dli.ONION/3469FBB2D6B9F5

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (871) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\hqqdstavuxui.exe
        C:\Windows\hqqdstavuxui.exe
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Windows\hqqdstavuxui.exe
          C:\Windows\hqqdstavuxui.exe
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4236
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            • Suspicious use of AdjustPrivilegeToken
            PID:3812
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:3092
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1548
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe15e46f8,0x7fffe15e4708,0x7fffe15e4718
              PID:2608
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
              PID:1088
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
              PID:4560
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
              PID:3284
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
              PID:3024
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
              PID:1544
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
              PID:2956
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
              PID:4828
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
              PID:1020
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
              PID:312
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
              PID:2516
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
              PID:5016
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
            • Suspicious use of AdjustPrivilegeToken
            PID:1020
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HQQDST~1.EXE
            • System Location Discovery: System Language Discovery
            PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\27E887~1.EXE
        • System Location Discovery: System Language Discovery
        PID:2432
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:2752
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:5016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\Recovery+mbovf.html
    Filesize: 9KB
    MD5: c98c6ad2efc850a8b979f5b9b2e10363
    SHA1: 04cbe100397c3325d83d61a9b9dcf4c1e042939d
    SHA256: 98b858121d11b2cd7082c54a142b58727fda604e14a7ba4f68c78c0f511dc197
    SHA512: c53a95d3b192bc45f102397a2c0a74ef0839396e5a916ed6ba8dc4ad86212cd9aec89ac9f091548583582baa63ccd09f5ad9c785c4955318f5f39681a8d8a2fa

  • C:\Program Files\7-Zip\Lang\Recovery+mbovf.png
    Filesize: 62KB
    MD5: 2ff046217fc97d4e279d82323f2133bd
    SHA1: 3227d13418ef1fa6dbab509075ba5e8ca277e4c0
    SHA256: 79da2a0c3dd9258c19e4b3d5ba30e949a374bd5a2f89195047e74f07fe20f7d7
    SHA512: ebdc8d78d67a9a6ae8b3e00960fbfdc3a6552f0e556ea8acb5f3bac05ff8acd72e71c03b912f74042a023e6c828676554ae92773a3b783264d925346edfaf1c4

  • C:\Program Files\7-Zip\Lang\Recovery+mbovf.txt
    Filesize: 1KB
    MD5: a0c006e361b1213c6ed6ff9aeefd2ff5
    SHA1: d4aaf5c8f5e97cc1eebcbb12c1964c212424b544
    SHA256: 0444e04e53ded14d6aef009cc98a47dbdcbc35eefcdf66e97ca7b75df1e42086
    SHA512: 82af6a10c10045c9a4d1ca89e826fe9a3bbd61123d8c00556a5cce5d548a28b71d5794fb787642bd0d828a1aa5b6d886bd97aac208a7c12256c3908e59b30da2

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize: 560B
    MD5: 264d2cf565ee69e80afebe36167fc21e
    SHA1: 92d1143361479037c06c709ddab3d1587d71aecb
    SHA256: 9ad24098ae925137dd39fa6771dbb99a305215053002a942ea57315c682931fd
    SHA512: 3e6c0ea0273f22271931d55ed25cde43bbbb7a8a2815b4d08708dbd68f21c9646feaab4e6915291b1dfd17177b2b91a84c3b3bc2fc87cf5dc412a63c9c2e5594

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize: 560B
    MD5: e8fdc412cc3a8c336fc2a2874352f89a
    SHA1: 41e23e0c5ded26de10c433ec0fef2b8e75fd924b
    SHA256: 02a560b271b8e75663cf67e682696ea254f611f83015a549686c74ed86896ffc
    SHA512: da9cd29c02340a88669e5ee805d23c01043e91486957664a9821d251506c4ac0274a94486de51d3884ae19ba94c7659964819538495aaab5ee22c68a768550e7

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize: 416B
    MD5: fa7d3963e4627be19be1b3624f72bb56
    SHA1: 8f9f935fb2420ca1a1ae6be5ad7c2a65f73d19c5
    SHA256: 521751980847077af26cd37092ab877bdf1c39b7cc827ab38b8e8aebe9d80af8
    SHA512: 55f0cae360162859fc0b855e72156359ead4c799720b4df4106597f5a31fbbb92d3ecb1330958446454ea20caad06b2eb91240349c63f57251e888ab516f41a4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 7de1bbdc1f9cf1a58ae1de4951ce8cb9
    SHA1: 010da169e15457c25bd80ef02d76a940c1210301
    SHA256: 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
    SHA512: e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 85ba073d7015b6ce7da19235a275f6da
    SHA1: a23c8c2125e45a0788bac14423ae1f3eab92cf00
    SHA256: 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
    SHA512: eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 971e1646ce9d8c805bc6d0eb48b3662b
    SHA1: f97bfbbc7248c7b716b14a80c2a10ac4e15d4265
    SHA256: 13bd8f1f103efc5fe78096fd354195bafd11c419f476194453a91661075c8c93
    SHA512: 0e1b3bbc47d94d39c7fda24a5044bf305fb41a7a1eb8afd82327c3149c2fe29514c0bd884c18fede5e147624fcff578fccd4f09ba983683e3ad5eeb3a25c4045

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 35a16c0dcdaa9bf10227bf1a9b857f50
    SHA1: 347ca4d95454f78d874778d0d303a0b4865fb14b
    SHA256: ca3241fd418b4a945bdd8d3df72029a32b6dedece8851d68af617ff902898043
    SHA512: 4d8da2f03daa58a2490eef9897ff1e7ff9e1837e9094e6c336becd24b2ef995a329f8915829cc02addc3b392506c86bfc457c7ecc065c3bf9e70f789f48feec2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 7479a1bb955d46a73c8f004651e9936f
    SHA1: 3dcb15a02a4dfc6e92fd2d081a70a1bfa6a51632
    SHA256: b80f3eec3efe7ef187e97461ee3d24a87b22c893b70033cb491d1cbf8890c34c
    SHA512: d63a347c263e54144b0691cde309b04bb043000ef2ade17e8e8d0555261e5ad96ace9a184309050e72c6c57c5908c5d17cd273963440d0162c5b99104fbc67a4

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt
    Filesize: 77KB
    MD5: ee53721a8b720f1fe444def7d29c3bee
    SHA1: 2d6d641db56d689555afa8d2e33e545321c7c25a
    SHA256: a52c562d81dc6e283302010223d890334b298ded534f0ca6ccdd883e33c717b7
    SHA512: f325cbd12b205f8664247f752dfbfb2dfe8512f0b1bb6093f2acd57b6c3aa07a9eb3fc1d82239aff6c158fafed93a4f1eb890c53a175afe61ce96cd6d2a69d37

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt
    Filesize: 47KB
    MD5: fc578ea49c8081e4b208aa9b6c4aa3a0
    SHA1: 85fca7dc0c14f632c121ddc642db44d31320df53
    SHA256: c4048f9b391fdc962bbf705f2df3e79e5f4120ecb1c31c2c9faecf13a24f7c94
    SHA512: 043614237755ead7e352643c0ecc0c53899095b25c49fca2b320638e9112133bf94dc706fbfef58d93e08c613641c3b3d5467e3d210b4e00720f00f25099743c

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt
    Filesize: 74KB
    MD5: d603c18d2cbc50635f5590202c96ab16
    SHA1: f96fa315cb7ab5173c5e550e32ddecb237bb3dff
    SHA256: 85f41bf54c33c1c786f834ca7bdc375fab0a1e6710f27087ff91722fe6060fa0
    SHA512: c68ef3e947d121622ea1c3432c8553626a37f37a665277b16d942f97bdfc50b45ec35e62077a75dea5f21061ccb997abe970747cb053be5e480b1ab8e7ebac7d

  • C:\Windows\hqqdstavuxui.exe
    Filesize: 388KB
    MD5: 27e887aa14f3890a72f06ec5d0759f20
    SHA1: 8bacf22533725fd98c254c8eb6852edbe225a0ef
    SHA256: 91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267
    SHA512: 56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089

  • \??\pipe\LOCAL\crashpad_1548_PNQKVFQZTZXQXNQL
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1044-13-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/1044-6-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/1044-5-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/1044-2-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/1044-3-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-17-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-10734-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-5156-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-2612-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-389-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-24-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-8598-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-10725-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-10726-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-2625-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-10735-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-23-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-20-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-19-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-18-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4236-10775-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/4380-12-0x0000000000400000-0x0000000000633000-memory.dmp (Filesize: 2.2MB)
  • memory/4888-0-0x0000000000910000-0x0000000000913000-memory.dmp (Filesize: 12KB)
  • memory/4888-4-0x0000000000910000-0x0000000000913000-memory.dmp (Filesize: 12KB)
  • memory/4888-1-0x0000000000910000-0x0000000000913000-memory.dmp (Filesize: 12KB)