Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2024 05:11

General

  • Target

    2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    2b70ed1d47f2a5d626d16ab5f355c34b

  • SHA1

    cc903de26a6f4dccfb7e216e84c79c0039ea7492

  • SHA256

    055f455f632bf72f2694befec51708ebfb909f25d59c388e0775af15e86459d1

  • SHA512

    696fdbe87bc478cf85717c4952787a1c4ea0302fd8270b5f04167fed9dcc9c81dc967422c8093870a67ff1ec69ae5bd3506573e1ea680930ec0d165117ef70db

  • SSDEEP

    6144:q/VDu6UsyDUOxfDiyQhbw4tRN7eD7Lct/jG2kOREwMunfHAbxwcLNT:6Du6UsibiPbNt370Lcta9OSCnfPuNT

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7069B3352A0BFCA
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7069B3352A0BFCA
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/7069B3352A0BFCA

If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/7069B3352A0BFCA
4 - Follow the instructions on the site

IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7069B3352A0BFCA
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7069B3352A0BFCA
http://yyre45dbvn2nhbefbmh.begumvelic.at/7069B3352A0BFCA
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/7069B3352A0BFCA
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7069B3352A0BFCA

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7069B3352A0BFCA

http://yyre45dbvn2nhbefbmh.begumvelic.at/7069B3352A0BFCA

http://xlowfznrg4wf7dli.ONION/7069B3352A0BFCA

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (876) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2b70ed1d47f2a5d626d16ab5f355c34b_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Windows\mdokemaxugas.exe
        C:\Windows\mdokemaxugas.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\mdokemaxugas.exe
          C:\Windows\mdokemaxugas.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1136
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3596
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:764
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:528
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffff93046f8,0x7ffff9304708,0x7ffff9304718
              6⤵
              PID:2336
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
              6⤵
              PID:804
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
              6⤵
              PID:1192
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
              6⤵
              PID:4140
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
              6⤵
              PID:2320
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
              6⤵
              PID:2456
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
              6⤵
              PID:3476
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
              6⤵
              PID:2716
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
              6⤵
              PID:1476
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
              6⤵
              PID:2344
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
              6⤵
              PID:1952
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1972990264228393930,4680949110612064062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
              6⤵
              PID:3660
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2608
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MDOKEM~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3420
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B70ED~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4008
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2872
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1160
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3168

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.html

                                Filesize

                                12KB

                                MD5

                                fe0557b804c30ae74e0da398c273ef99

                                SHA1

                                593aa35a3017039e0d12f128ee7ef9b4cebcd5c3

                                SHA256

                                fe422dfe1b328e735858842c05249ce9316d848745c0b760f7900ccbaf9b8e0a

                                SHA512

                                51b3b9653715a37a04c2dadb685e1cc5574c29cb95c75c5250255d3ff50c3f0959a359a938e37eb5862811052cdebe3ffd48539da174632ad1129320d9735ab6

                              • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.png

                                Filesize

                                64KB

                                MD5

                                5d47a95adc3ba122ba1515dd8ec829db

                                SHA1

                                fb031625e960a50c1b49f231726756be88f6213f

                                SHA256

                                de36a0007fc577516175880166eb370d48bcf492b26d19f693606825662fda44

                                SHA512

                                c310566dbad2ee10b3bd176b1819c169d413f72f180a73727423ae569957675c3a0486381884e79c333e6ca41f1f2baf8d50b62f6f44ff72dc1d1a05eb1509fb

                              • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+xxexf.txt

                                Filesize

                                1KB

                                MD5

                                cbf17f5270f00906b8dc02400ed1d1b7

                                SHA1

                                d967ac75f75194a4a79a8e8ce4ba68cef50792e9

                                SHA256

                                9e917c2ca2ae632dd3c78b020ce72a452ecc3eb5ec6c00aafee86dc0cbdcd2d4

                                SHA512

                                3cca34f07472a3fe21415286dc8c21cf37854b883582cf9f724679ec78f726292d8aa867f2bc56de151cefb251175c8e46de8c1b2e4f4025cf70c301e3c366d1

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                Filesize

                                560B

                                MD5

                                1f21bf9a6607a2bfd427bf2fae603ef0

                                SHA1

                                b48a189d8c63a0f5fa4e2d19c00928e88e134f69

                                SHA256

                                d4707ae82c1bcdfc218691f77ca2fee4cdad27e319ac970586187951664acc7f

                                SHA512

                                da18e4812aba7425bdca3257ac3786120fd86038de752028dd294fc981499a73b348415c8cba9555335dc05b201b8459f2e87cb4b8f299564f875a67f1efa095

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                Filesize

                                560B

                                MD5

                                f0d997b32eee79011cb69c756caaabdb

                                SHA1

                                6b348e63bfa624c5c3c9656d8c2c94a3da3ddc00

                                SHA256

                                ad75fb28fec7f702830a7854aa8e85462f38190ea26cc1a0cc7e849b00b62cef

                                SHA512

                                ab586d99aafb6e1819767e9accf733ae050effe6e4441732f14eaaa879d68d90faf92cef5d8cd2eb5c231299609c301ce2b5b8e7420ec66991a68a46a9da156a

                              • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                Filesize

                                416B

                                MD5

                                56f2e9dad2d21172782d0e65e1600670

                                SHA1

                                b34551e7f2d68554dab8f646cee9abfe4ede0a33

                                SHA256

                                49a06359ac9f920da3d69462fb42a81c002223be970444f0d69ba27910806dd6

                                SHA512

                                0438271eff6a7a0645eb4cfc83fde3193013841d4b92350ba6baa8cd910ea93a38e5af4b413c76227fcbf3ca2060b92a5b81e7a14796a7955ee5b402f1681df2

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                a0486d6f8406d852dd805b66ff467692

                                SHA1

                                77ba1f63142e86b21c951b808f4bc5d8ed89b571

                                SHA256

                                c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

                                SHA512

                                065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                dc058ebc0f8181946a312f0be99ed79c

                                SHA1

                                0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

                                SHA256

                                378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

                                SHA512

                                36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                3fe28b95045da726ddd9b9ed4d2a9691

                                SHA1

                                fc3a5157e6b920872efec1b9ddebfc40654b6c3f

                                SHA256

                                cd0915a96cd0f2c9982284eea0045bbedb5e9370d0552238e32a23b1d29939ea

                                SHA512

                                6c4878129439b4fe5cc506a819db848d657d53b468a4e0b25637eace3f8a04aa21ddcf46cf32ba1cb3c502ee0877af6ef17f131bc73a0d5d65821f71fc31f5c3

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                5fce19b261c20aea782fd89bd1e1f301

                                SHA1

                                741cc43988b75cbf22a0d0465acb4a45ade9f6b9

                                SHA256

                                c1fb85dc1cfedd6b99503f4107e82809d9e318155e4c4c35adbe3e073065d3cc

                                SHA512

                                a02276c11e5a0c99b4c84e60837657b0b0366152f4d3ae3808d2befa6f330eeb187f70aecfa8813cfdaef7e141129324c84a3e96519d59e9e3adc6f7809d26d4

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                10KB

                                MD5

                                7eaf175597ace8b20b6f791811429761

                                SHA1

                                f8196235c3843a36a00c9ba760698deb8bc79355

                                SHA256

                                52743360209c3b7d6981d6872ba0286cd7cf394ce9c4df040b174363859eb2f5

                                SHA512

                                ac064c2892c07d0ee61cf74b6664010cbf132ee1f5f99d63c61ed0dc42d9e7435a639f48152189ec7bd6feaf724ce4ff30c96ed4c82a8d7ed75caa47b000bb55

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662824772148.txt

                                Filesize

                                77KB

                                MD5

                                33eb4a0806aeb92bcf01db84c4970f89

                                SHA1

                                8ac16eb26666e828209ad790a9196ae68eb6e4bd

                                SHA256

                                49b60f1111c45c3bffcb8691fdb4352dedd4c1eb25f9a2c317cbeb1d3b1b6eeb

                                SHA512

                                7b7fd96824fd0bd26d6bd3bb0b9d2aa4024f3b17f6c89a0aa582f7e436b3d98864d61f8fbf492bbb8ef55aad88206de1558f49ce22c69b1c836f2c9d640a8823

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671764608349.txt

                                Filesize

                                74KB

                                MD5

                                19079ec7db523e2d57f8a71427231662

                                SHA1

                                e3474beb8041f3ee2e28c0151e9bd49fee948f94

                                SHA256

                                a64e28d0c82e8fc0383bf510daabedd6c80f77da02d2161e4e0b7044a94b5aa7

                                SHA512

                                d011b13dc4ba503b85ded771bbc0fc8cb95288407c7ad18c2b712252e37fda4b8ddc2808c813012d770ea5bc7d6e0a6b17730a543ffe1f0251386f9616ee5ed5

                              • C:\Windows\mdokemaxugas.exe

                                Filesize

                                368KB

                                MD5

                                2b70ed1d47f2a5d626d16ab5f355c34b

                                SHA1

                                cc903de26a6f4dccfb7e216e84c79c0039ea7492

                                SHA256

                                055f455f632bf72f2694befec51708ebfb909f25d59c388e0775af15e86459d1

                                SHA512

                                696fdbe87bc478cf85717c4952787a1c4ea0302fd8270b5f04167fed9dcc9c81dc967422c8093870a67ff1ec69ae5bd3506573e1ea680930ec0d165117ef70db

                              • \??\pipe\LOCAL\crashpad_528_RSKSIGJYPCZZXLIT

                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                              • memory/1136-1012-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-10543-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-23-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-20-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-10592-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-17-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-19-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-2871-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-2872-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-5726-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-18-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-10553-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-9225-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-25-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-10544-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1136-10552-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3164-0-0x0000000000690000-0x0000000000695000-memory.dmp

                                Filesize

                                20KB

                              • memory/3164-3-0x0000000000690000-0x0000000000695000-memory.dmp

                                Filesize

                                20KB

                              • memory/3164-1-0x0000000000690000-0x0000000000695000-memory.dmp

                                Filesize

                                20KB

                              • memory/3228-13-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3228-6-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3228-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3228-4-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3228-2-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4228-12-0x0000000000400000-0x00000000004E2000-memory.dmp

                                Filesize

                                904KB