Analysis

  • max time kernel
    138s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2024 10:24

General

  • Target
    2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
  • Size
    328KB
  • MD5
    2f69faa2bacccf5a61b7c7996c558f4c
  • SHA1
    172c3b8d22eb08f491d4c90cd86aaa21b95f5b95
  • SHA256
    ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585
  • SHA512
    712184c799086b5c03605ede0adac41695d620aaa5fe74dee82e30e4fa4d440672b2b2af473233c99de17bce511ccd7641b9562363aa875d6e954554d6f38578
  • SSDEEP
    6144:F4MKA86q6kcKPqCAOFPmvSNQgstAw/u5jp2hnU4ZcRdN1Sgg68:F9x1KNRmKN+/Mk3eBU

Malware Config

Extracted

  • Path
    C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.txt
  • Family
    teslacrypt
  • Ransom Note

    NOT YOUR LANGUAGE? USE https://translate.google.com
    What happened to your files ?
    All of your files were protected by a strong encryption with RSA4096
    More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
    How did this happen ?
    !!! Specially for your PC was generated personal RSA4096 Key , both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8893394541F7852A
    2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8893394541F7852A
    3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/8893394541F7852A
    If for some reasons the addresses are not available, follow these steps:
    1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2 - After a successful installation, run the browser
    3 - Type in the address bar: xlowfznrg4wf7dli.onion/8893394541F7852A
    4 - Follow the instructions on the site
    IMPORTANT INFORMATION
    Your personal pages
    http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8893394541F7852A
    http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8893394541F7852A
    http://yyre45dbvn2nhbefbmh.begumvelic.at/8893394541F7852A
    Your personal page Tor-Browser
    xlowfznrg4wf7dli.ONION/8893394541F7852A

  • URLs
    http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8893394541F7852A
    http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8893394541F7852A
    http://yyre45dbvn2nhbefbmh.begumvelic.at/8893394541F7852A
    http://xlowfznrg4wf7dli.ONION/8893394541F7852A

Signatures

  • TeslaCrypt, AlphaCrypt
    Ransomware based on CryptoLocker. Shut down by the developers in 2016.
  • Deletes shadow copies (3 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Renames multiple (866) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Drops startup file (6 IoCs)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Indicator Removal: File Deletion (1 TTP)
    Adversaries may delete files left behind by the actions of their intrusion activity.
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Browser Information Discovery (1 TTP)
    Enumerates browser information.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoC)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 2 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\nlxqbdyodgqo.exe
      C:\Windows\nlxqbdyodgqo.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1052
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3256
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2452
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a25846f8,0x7ff9a2584708,0x7ff9a2584718
          4⤵
          PID:2176
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
          4⤵
          PID:4084
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
          4⤵
          PID:1416
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
          4⤵
          PID:2344
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
          4⤵
          PID:2272
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
          4⤵
          PID:436
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
          4⤵
          PID:3832
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
          4⤵
          PID:4708
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
          4⤵
          PID:3564
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
          4⤵
          PID:4496
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
          4⤵
          PID:3344
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
          4⤵
          PID:836
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NLXQBD~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2F69FA~1.EXE
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1604
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3536
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1160
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.html
    Filesize: 12KB
    MD5: e9381f7f94428c6c22352966495bfde3
    SHA1: 94ded40b350d5fddc6a25fc6c5672ba0cd9ec3cc
    SHA256: 40a217d73b85d8f763f3096a75ff333595c796120d5ac942084711e8c4ebde12
    SHA512: bcc4b9e09f375df9d503a3c330ba8b1820750742239249fb574940c89e0572f72c7cb78d032f12b9493fef4b4f777cf8be1d4d1c9886dc8ff90c2cc53aad4971

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.png
    Filesize: 64KB
    MD5: c98fd4f4e4111046da8570f59355525c
    SHA1: 6eaea70b862d88c0e0afef0164f60c5717becd59
    SHA256: 2374e41d44f37dbe8474697a3f85e9f2a1dc63cbf60357b82f76235d90a84b7e
    SHA512: 9449f611f28c10de95d671198b5a2978449dd277b5f9aeae559a80e4ad76c9c1bc0bd2a60827679154a7eb46b3c796dc65442641339e2a8dfe6324dcc20ea5ff

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.txt
    Filesize: 1KB
    MD5: dea822b9e82378182fff8f6c6d271a5e
    SHA1: db42ee8686e6e64f05b177473bbb7de1b1d060df
    SHA256: 45111c4d2dfd90feda0c38758668ecd73ec8f5f09f3bf41e16db52a64f79be9f
    SHA512: b8e5667530ce34a427d4a6cf10b10ee1b409204238fe049e54ec3f89bc8691cd92188df7a1424451bd2db62e0f1ec0c4d4f8c61e5a52ee96afbb550600e60e0d

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize: 560B
    MD5: 14e767c9c7a84fadb6a59d221d704b81
    SHA1: bd43fb4a74131d025861aee6b5bc837b308ee10d
    SHA256: 9a93cc084a15692de91d5a284d90401b73a81c670c0e6f83d6697ed6e12b138d
    SHA512: 8f52c75d37fefe380cece5a46e3a7075a42fff63771782ad5fdcfe9a18bafc5b8e05f0b72411d04c787a72c9584e21745f750809fc1bcd99be375258c9ec8e54

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize: 560B
    MD5: 7d97b92fc31e4b362c1a4c43ed61e374
    SHA1: 3486a15c609b3ee4ee6df500e37435a7ae1fce40
    SHA256: 20fcbc1175f557da31e9b1bbe5d0547ac1bac38533b906077fe1745341fbce4c
    SHA512: ae7c202a89cceec15b5c25e48c61dda7ae0bc8fbb17013611e02913808e18c72bb5c4bca08a6e0b7c1593886e5302aad2867169a2737964afd9c153d98cde76f

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize: 416B
    MD5: 8417ae8b3b10962284124bef418d9889
    SHA1: af5c651153c972ead6f8300f948bd70a4e0eddd1
    SHA256: c800c8d0c73b31c1e0815fe57dea00bac6da80be498f34f8a08116955f81bfe2
    SHA512: 3d0b48790bebc52dc884e15810938bd97c6da7a831b563f7e528917ca0e640aab6e8bd752b72c4abd76f3175e12b363d18c6d40edafd841dbab458be947b5e89

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: a0486d6f8406d852dd805b66ff467692
    SHA1: 77ba1f63142e86b21c951b808f4bc5d8ed89b571
    SHA256: c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
    SHA512: 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: dc058ebc0f8181946a312f0be99ed79c
    SHA1: 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
    SHA256: 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
    SHA512: 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 4939e9a8a729bf4d93775fa15a82a597
    SHA1: 01bb0ff60bc1dccff62bd73e53c092d849b2b396
    SHA256: 377bdc2f23fc48f0a04026b13949bb5c821a7d297dbb2040e85fe15ef8b8d17d
    SHA512: d56304aa0dfa56883c623fe27e6f3f768fa5a0138176751023dcffa0ff908fda6f65574230cc31467144c997e232525f378e359f233a5c9887a0c7d152a6aa6f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 3d1337a0393a40fc0bc481d31170d571
    SHA1: d8705ede88d40122a43828b89138069a623f776a
    SHA256: 9a7e55acfbf5d31a595a4f8a41307db31784fb502d6eea6ca998783bc09f3c5d
    SHA512: 0da4fce5baaea89994214c7bf52eb4e90de5828138d3f7e8b912d452c95a32c5074bbb22f46886893ef419b254b3f459cad428568b99f97a4df849f9b5ee09ce

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 25f981a5c7a8f7b5e7907196fce6de05
    SHA1: 36d08919aa6a22604c1e5c55cb98f9ffcc9ba3de
    SHA256: 3d04428b174f5b9b0dc3786d4b0c6546f53456ca0c929e533a361de1513be792
    SHA512: e175890354d3dc8c2d5dcd89eda4617ecea67fc26244a15ef11c7408017665fd5bcaf65536d88177f0db3963a7d8d255e6cc110a817e1764521feb7b3b952816

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662824772148.txt
    Filesize: 77KB
    MD5: c863f246d5b4d8c4efe409651482db9a
    SHA1: ac3feb42cca0af75f94690cd038662090e5b4dd4
    SHA256: 4268361429015ba2365befa116d5533ddb8749a8bf23ae1f841f77f819a6f192
    SHA512: d9b356fa9f7d7c6db18a8ebfee0daa3412edcdd248a4fb80b74004b505ac452c01fd1e2da9e885a056e5999761c15e42df3094224b30b1379fd369c8156dd8f5

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671764608349.txt
    Filesize: 74KB
    MD5: 496f47746a8edc8f70f1aecd00348ace
    SHA1: 0fa82769427a978bb34bf874d5386f3890ade55b
    SHA256: dd0bdc083cacf1c1061d5ff6a872704be2576355ab0a60a0052c115973d60758
    SHA512: d94afc7f9e518d3d688263a8c16dc45367475961b3bb6f4c52fbfcb6f6c7763f0e921ac9d8e8e1922e4b6a1287fe25e9a720429824a3fc92c3372a32be53edd3

  • C:\Windows\nlxqbdyodgqo.exe
    Filesize: 328KB
    MD5: 2f69faa2bacccf5a61b7c7996c558f4c
    SHA1: 172c3b8d22eb08f491d4c90cd86aaa21b95f5b95
    SHA256: ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585
    SHA512: 712184c799086b5c03605ede0adac41695d620aaa5fe74dee82e30e4fa4d440672b2b2af473233c99de17bce511ccd7641b9562363aa875d6e954554d6f38578

  • \??\pipe\LOCAL\crashpad_3224_EBOYFLIYHRSPGAOI
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1052-5575-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize: 596KB

  • memory/1052-9054-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize: 596KB

  • memory/1052-10505-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize: 596KB

  • memory/1052-2641-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize: 596KB

  • memory/1052-10551-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize: 596KB

  • memory/1052-12-0x00000000021D0000-0x0000000002255000-memory.dmp
    Filesize: 532KB

  • memory/2848-14-0x00000000022A0000-0x0000000002325000-memory.dmp
    Filesize: 532KB

  • memory/2848-0-0x00000000022A0000-0x0000000002325000-memory.dmp
    Filesize: 532KB

  • memory/2848-2-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize: 596KB

  • memory/2848-13-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize: 596KB