Resubmissions

20-10-2024 16:47

241020-vaj5ps1blj 10

19-10-2024 22:18

241019-172znsvajm 10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-10-2024 22:18

General

  • Target

    5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe

  • Size

    356KB

  • MD5

    5ef1fdd422951c153db8c39b87e84e5d

  • SHA1

    a89966004343653b2d20c06b373b1390ed0450d3

  • SHA256

    b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

  • SHA512

    94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871

  • SSDEEP

    6144:nOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:nFeq0F+PzcOLyWRsHA93/oswe

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+hphte.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9C1E355595DD6A
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9C1E355595DD6A
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/9C1E355595DD6A
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/9C1E355595DD6A
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9C1E355595DD6A
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9C1E355595DD6A
http://yyre45dbvn2nhbefbmh.begumvelic.at/9C1E355595DD6A
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/9C1E355595DD6A
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9C1E355595DD6A

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9C1E355595DD6A

http://yyre45dbvn2nhbefbmh.begumvelic.at/9C1E355595DD6A

http://xlowfznrg4wf7dli.ONION/9C1E355595DD6A

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (879) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\stetcqlymbji.exe
        C:\Windows\stetcqlymbji.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\stetcqlymbji.exe
          C:\Windows\stetcqlymbji.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2728
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3080
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:3644
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffd361546f8,0x7ffd36154708,0x7ffd36154718
              6⤵
              PID:4992
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
              6⤵
              PID:288
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
              6⤵
              PID:3840
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
              6⤵
              PID:208
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
              6⤵
              PID:2804
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
              6⤵
              PID:5104
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
              6⤵
              PID:1708
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
              6⤵
              PID:2592
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
              6⤵
              PID:548
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
              6⤵
              PID:292
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
              6⤵
              PID:4288
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
              6⤵
              PID:1840
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3556
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\STETCQ~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1716
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5EF1FD~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4356
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2972
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2208
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Downloads

                              • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+hphte.html

                                Filesize

                                12KB

                                MD5

                                16498f5835d4e84e73e985136535fb6c

                                SHA1

                                080c38ee1abd20c6b5cd5af45b2b463676d81824

                                SHA256

                                595b888e93bd59741a495d5130c370ae62468e2155718226ac2c16dfa522bb63

                                SHA512

                                6aa595d87d91b00921bb4bbef4d0f977219445197cd1b8a5434d8aa94dfde56ac4f72c1f5d398d489ac7c5fdcbc2d322fce6dbd6c9debef49ad3e377abb91137

                              • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+hphte.png

                                Filesize

                                64KB

                                MD5

                                5190c7e6b91aa8463cbfe26bd67ac155

                                SHA1

                                7ab8c93e96c35cefe126abe0d8e2dbef39667e01

                                SHA256

                                3cc5e0dee02c4f0c231284f255a2e914ab9c7b65c3a54cad3f6d1a891a6fe1fb

                                SHA512

                                186e1e28375985a966598354d09927f7bc1dab53da43c90b418482c9f870297109faec96a6fa9f52676b5420a87f6fe7b6d3bb54a6d1436a0c5ca9944fc0077e

                              • C:\Program Files\7-Zip\Lang\_ReCoVeRy_+hphte.txt

                                Filesize

                                1KB

                                MD5

                                a653901ac27d3a1f7cb35922df93b6c0

                                SHA1

                                abf30407845e01907cc8c4d4035ed39d4b52787e

                                SHA256

                                aaa82f49cc6788c02a55d26a38963dd8dd83722cb830e3aee16c20b7b37039a1

                                SHA512

                                37965fc17d3876e4968a4e4fe14bebf525748aee4aaca863409a59389f930022a710bbfd9d6da9b81c545a5d83dd2d783060b647f5b46526648219b7c661f9b6

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                Filesize

                                560B

                                MD5

                                5afdff6596fb94be517f4e030c75f0e0

                                SHA1

                                4ef608ec3bad82d3635848ffb180b213345c23e4

                                SHA256

                                5051e285f84f0a5c0db0430ef9af7352eb406fafd305c20ea6db9cf54aed5be9

                                SHA512

                                36312e6cf66427e145c4a6dc14e83fd0b2096c0ff0ec99990395e7966898179af61bf1e3e17b88f9e4ffa6793c3c6c4a6bc0f182d709630b9679ce1da65e34f5

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                Filesize

                                560B

                                MD5

                                57c3b0e0a51702ae3bc039e21236ffbb

                                SHA1

                                86f9e2989654cc4df9504c7227b4ed5566e6b9db

                                SHA256

                                0e3ab621e0fa7731094ef44349fd4a2c7a49d52abf3e1b6a8880b767d0335783

                                SHA512

                                c9ac6e3a6c2d670ec94d288526c0fad012f98401758b487c148dce212bc52bf364a30866da55554f0d8ec279bb0c2a8b201a2c325390bde668f20cd9c6c82e35

                              • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                Filesize

                                416B

                                MD5

                                7fcb1e83fc8a96b6f16c6e6da500c2a3

                                SHA1

                                2637ad6698309135abd54e4df285fd63634486bd

                                SHA256

                                4d17cf9fd3ab1988bbb019ae0a49337c959e3d84bcfef0d71edfc561757632f0

                                SHA512

                                1270ac5aabc2f3932033c0ffd77520018eb79a47a9068d431bef40f8f87a947bd643aa76c081f04dce1aeb8a369c22fd43e5454bc329b48b6f7d8ba42b664ef2

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                d22073dea53e79d9b824f27ac5e9813e

                                SHA1

                                6d8a7281241248431a1571e6ddc55798b01fa961

                                SHA256

                                86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

                                SHA512

                                97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                bffcefacce25cd03f3d5c9446ddb903d

                                SHA1

                                8923f84aa86db316d2f5c122fe3874bbe26f3bab

                                SHA256

                                23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

                                SHA512

                                761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                da0bb20a73ca1628692baf50b163cc90

                                SHA1

                                e19477aaac2031d3a79ff7b35ef846fde2c69431

                                SHA256

                                0ca74c45155e1b7d2d9285fc046496803c21858d912024e0fa15c2b9acebe9cf

                                SHA512

                                b4acbea73711759e4dbb26372d32e85825429c6fdfa57f85c5216cc90c2a1a21e9a4a55fe416c216adaa26eaeeb664aa4cede2015e5f54e8da11704ae90e1ef9

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                f4aee8ccecc11944f58d239ac57450ed

                                SHA1

                                f460159c092e58cfc12cc76838e7b619644da73a

                                SHA256

                                ca32cbd8ebc3a401126e4daa7b29b59c92b0fba7c4f0774eb52dd59d20758b63

                                SHA512

                                a14072b8feaa795bfa8b6f9689d8266e0bd47e9b50bf1d9b215bbc3aedd0e8b832e711eb16fb1343cdb537bd5c0993fc1b2e81fda5e72db36ec1117fb4dfa802

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                206702161f94c5cd39fadd03f4014d98

                                SHA1

                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                SHA256

                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                SHA512

                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                4990acdd93bb4198bb05f75983db046c

                                SHA1

                                d3631623414fc950a595e2d90af675dcd1fe9a86

                                SHA256

                                11a530661cd643bd8f8e41d982a30471c3467890879afde38bee012691febf72

                                SHA512

                                610ed27e30cd51f03afe34eed050a35a63a063152325ba8aca2a9cfbe9740a4d87d09a52eef6e184e083ee15c3bb86f199504b8bd88c7c952ff5ce37f7b74b0c

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt

                                Filesize

                                77KB

                                MD5

                                0cda444361d0e78ce7eaf17a79c6099a

                                SHA1

                                6058bc4231b4ca965f7a984504559239e732b433

                                SHA256

                                5917424e97b0b93aaf404a976ff5222a7098e6fa83ef1f1598f80920b94d7d44

                                SHA512

                                127644caf5b73d8ac350a0f6cc67e3c1feb6ab18cbecf8ec665a605edc15a39d1f6894a5122aa8e80f31e38a8501b28a21310fdd6e148b2df7c1de324880b65d

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt

                                Filesize

                                47KB

                                MD5

                                250646e00251ddd08dd4c948bf9ba553

                                SHA1

                                60b6da18f49a2d3109e80842adf6a70663fde7c9

                                SHA256

                                36d534a22d660e6b1267c574a0378135419154393d79de8ff919c14cb0b5050a

                                SHA512

                                816b324aaf25e444632a3fc633a926b3109512434abb7b1c15912573a9db5f3431adb20215d14275153ee3b7935c1bd759e8eb6dfc42d31b186875ee79b06c1e

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

                                Filesize

                                74KB

                                MD5

                                fff803db53fe7c05c929ea2eb78a17cb

                                SHA1

                                76c813e72b1d70ebfa167bbd6cf48b81fc32dce6

                                SHA256

                                38f609f10b9544c64a347688ad292264141fa724dff1e6e8752aaa2faee14a1f

                                SHA512

                                46f457197ab708b1aa5c1d8a29070bb4e1f116c019c918f7db8d16ba055a674a3a02e178c3cdef0da5ef1aaf8f906bee6fb04aa3220eff6dc88dece0b9e73ab0

                              • C:\Windows\stetcqlymbji.exe

                                Filesize

                                356KB

                                MD5

                                5ef1fdd422951c153db8c39b87e84e5d

                                SHA1

                                a89966004343653b2d20c06b373b1390ed0450d3

                                SHA256

                                b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e

                                SHA512

                                94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871

                              • \??\pipe\LOCAL\crashpad_2348_CHBSRXJYKLSUJPYD

                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                              • memory/2728-18-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-10592-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-24-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-23-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-20-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-2562-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-2563-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-5299-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-19-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-17-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-10666-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-8830-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-10591-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-622-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-10600-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/2728-10602-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3044-13-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3044-6-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3044-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3044-3-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3044-2-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3396-4-0x0000000000740000-0x0000000000744000-memory.dmp

                                Filesize

                                16KB

                              • memory/3396-0-0x0000000000740000-0x0000000000744000-memory.dmp

                                Filesize

                                16KB

                              • memory/3396-1-0x0000000000740000-0x0000000000744000-memory.dmp

                                Filesize

                                16KB

                              • memory/4924-12-0x0000000000400000-0x00000000004DF000-memory.dmp

                                Filesize

                                892KB