Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2024, 22:36

General

  • Target

    764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe

  • Size

    364KB

  • MD5

    764a3a6827e4d04ebbb801e8f5b95f8b

  • SHA1

    6bdba1a36f825e2b6cbe2c71bfa2e31ad148ddcb

  • SHA256

    091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1

  • SHA512

    2a05444918da6ac9e400c1b7c5f58e60187035b4533be28b4b516f8002edfcd9b1eaa9207b820e26f6cd08c51a7ca8610dd4aa785d3b9ffd2dedd04a8aa197f2

  • SSDEEP

    6144:3M3Ia4g7E/Rd1WjfqMsSW9ZgsQ6LEme81Ip8/V+9jeOLzZXcIwXHX:qIt4EELq7p9ZgeLDc8/VkphcI

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\how_recover+ydr.txt

Ransom Note

________________________1234____________________________________-
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
________________________1234____________________________________
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
________________________1234____________________________________
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gfhshhf.home7dfg4.com/54F9E2C5EB85E45E
2. http://td63hftt.buwve5ton2.com/54F9E2C5EB85E45E
3. https://tw7kaqthui5ojcez.onion.to/54F9E2C5EB85E45E
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: tw7kaqthui5ojcez.onion/54F9E2C5EB85E45E
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal pages:
http://gfhshhf.home7dfg4.com/54F9E2C5EB85E45E
http://td63hftt.buwve5ton2.com/54F9E2C5EB85E45E
https://tw7kaqthui5ojcez.onion.to/54F9E2C5EB85E45E
Your personal page (using TOR-Browser): tw7kaqthui5ojcez.onion/54F9E2C5EB85E45E
Your personal identification number (if you open the site (or TOR-Browser's) directly): 54F9E2C5EB85E45E
URLs

http://gfhshhf.home7dfg4.com/54F9E2C5EB85E45E

http://td63hftt.buwve5ton2.com/54F9E2C5EB85E45E

https://tw7kaqthui5ojcez.onion.to/54F9E2C5EB85E45E

http://tw7kaqthui5ojcez.onion/54F9E2C5EB85E45E
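The addresses above are the only network indicators the sandbox extracted, and every one of them carries the same 16-character victim identifier. The following Python is an added example, not part of the tria.ge report: it pulls the hosts and the identifier out of the note excerpt, separates the Tor hidden service from its Tor2web-style proxy (the `.onion.to` host) and from the attacker-registered clearnet gateways, and checks that the note is internally consistent (one identifier everywhere, and every proxy host mapping to a hidden service the note also names). The regular expressions and the classification rules are the editor's assumptions about this note format, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlparse

# Excerpt of the extracted ransom note above (the block listing the contact addresses).
NOTE = (
    "IMPORTANT INFORMATION: Your personal pages: "
    "http://gfhshhf.home7dfg4.com/54F9E2C5EB85E45E "
    "http://td63hftt.buwve5ton2.com/54F9E2C5EB85E45E "
    "https://tw7kaqthui5ojcez.onion.to/54F9E2C5EB85E45E "
    "Your personal page (using TOR-Browser): tw7kaqthui5ojcez.onion/54F9E2C5EB85E45E "
    "Your personal identification number (if you open the site (or TOR-Browser's) directly): "
    "54F9E2C5EB85E45E"
)

URL_RE = re.compile(r"https?://\S+")
# v2 (16) or v3 (56) base32 onion label followed by .onion; bare mentions count too.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)
TOR2WEB_RE = re.compile(r"\.onion\.[a-z]+$")  # <onion>.onion.to style proxy host
HEX_ID_RE = re.compile(r"\b[0-9A-F]{16}\b")    # identifier format used by this note (assumption)


@dataclass
class NoteIocs:
    victim_id: str            # identifier the note tells the victim to present ("" if ambiguous)
    onion_hosts: Set[str]     # hidden services, reachable only over Tor
    tor2web_hosts: Set[str]   # proxies exposing the hidden service to an ordinary browser
    clearnet_hosts: Set[str]  # attacker-registered gateway domains
    urls: List[str]
    consistent: bool          # one ID everywhere and every proxy host maps to a named onion


def extract(note: str) -> NoteIocs:
    urls = sorted({u.rstrip(".,;)") for u in URL_RE.findall(note)})
    onions = {m.group(0).lower() for m in ONION_RE.finditer(note)}
    tor2web: Set[str] = set()
    clearnet: Set[str] = set()
    ids = set(HEX_ID_RE.findall(note))
    for u in urls:
        parsed = urlparse(u)
        host = (parsed.hostname or "").lower()
        ids.add(parsed.path.rsplit("/", 1)[-1])  # each URL ends in the victim ID
        if TOR2WEB_RE.search(host):
            tor2web.add(host)
        elif host.endswith(".onion"):
            onions.add(host)
        else:
            clearnet.add(host)
    # A proxy host such as x.onion.to must point at an onion the note itself names.
    proxies_resolve = all(h.split(".onion", 1)[0] + ".onion" in onions for h in tor2web)
    consistent = len(ids) == 1 and proxies_resolve
    return NoteIocs(next(iter(ids)) if len(ids) == 1 else "",
                    onions, tor2web, clearnet, urls, consistent)
```

`extract(NOTE)` yields one onion host, one Tor2web proxy for it, two clearnet gateways and the single identifier 54F9E2C5EB85E45E; the clearnet and proxy hosts are the ones worth blocking at the egress, while the identifier is the value to search for if other notes from the same campaign turn up.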

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
  • Renames multiple (881) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
        C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3780
        • C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
          C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1896
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} bootems off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1104
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} advancedoptions off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:4532
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} optionsedit off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3012
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3976
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {current} recoveryenabled off
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:4852
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:2224
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2108
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4032
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd84da46f8,0x7ffd84da4708,0x7ffd84da4718
              6⤵
                PID:2852
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
              6⤵
              PID:4292
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
              6⤵
              PID:4084
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
              6⤵
              PID:4896
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
              6⤵
              PID:540
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
              6⤵
              PID:3712
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
              6⤵
              PID:3448
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
              6⤵
              PID:4432
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
              6⤵
              PID:4664
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
              6⤵
              PID:4944
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
              6⤵
              PID:5156
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
              6⤵
              PID:5164
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:284
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\764A3A~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3900
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2656
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3268
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1660
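The process tree above, read together with the signature list, is the detection surface for this sample: vssadmin deleting every shadow copy, five bcdedit calls that disable boot recovery and the advanced boot menu, each stage relaunching its own image before the next one (the parents carry the SetThreadContext and WriteProcessMemory signatures), the ransom note being opened in notepad and Edge, and cmd.exe deleting the dropper and the original sample afterwards. The Python below is an added example and not part of the tria.ge report. It replays those command lines as constructed process-creation records and flags each behaviour. The PIDs, parents and command lines are the ones listed above; the rule names, the ATT&CK technique mapping and the 8.3 short-name heuristic (cmd.exe is handed 764A3A~1.EXE, not the long file name, so a naive string comparison misses the self-deletion) are the editor's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    technique: str  # ATT&CK technique ID; editor's mapping, not the report's
    pid: int
    detail: str


ORIG = r"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\vqlwm-a.exe"
BCD, VSS = r"C:\Windows\SYSTEM32\bcdedit.exe", r"C:\Windows\System32\vssadmin.exe"
CMD, EDGE = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed records: PIDs, parents and command lines copied from the process tree above.
EVENTS = [
    Proc(1248, None, ORIG, f'"{ORIG}"'),
    Proc(4392, 1248, ORIG, f'"{ORIG}"'),
    Proc(3780, 4392, DROP, DROP),
    Proc(1896, 3780, DROP, DROP),
    Proc(1104, 1896, BCD, "bcdedit.exe /set {current} bootems off"),
    Proc(4532, 1896, BCD, "bcdedit.exe /set {current} advancedoptions off"),
    Proc(3012, 1896, BCD, "bcdedit.exe /set {current} optionsedit off"),
    Proc(3976, 1896, BCD, "bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"),
    Proc(4852, 1896, BCD, "bcdedit.exe /set {current} recoveryenabled off"),
    Proc(2224, 1896, VSS, f'"{VSS}" delete shadows /all /Quiet'),
    Proc(2108, 1896, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt'),
    Proc(4032, 1896, EDGE, f'"{EDGE}" --single-argument C:\\Users\\Admin\\Desktop\\Howto_RESTORE_FILES.html'),
    Proc(284, 1896, VSS, f'"{VSS}" delete shadows /all /Quiet'),
    Proc(312, 1896, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\vqlwm-a.exe'),
    Proc(3900, 4392, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\764A3A~1.EXE'),
]

RECOVERY_OFF = {("recoveryenabled", "off"), ("bootstatuspolicy", "ignoreallfailures")}
NOTE_NAME = re.compile(r"howto_restore_files|how_recover", re.I)  # note names seen in this report


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def split_args(cmdline: str) -> List[str]:
    """Minimal Windows command-line tokenizer: a double-quoted run is one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def short_name_matches(name: str, candidate: str) -> bool:
    """True if name equals candidate or is a plausible 8.3 short form of it. Heuristic: a DOS
    short name keeps the first six stem characters before the tilde and a three-letter extension
    (assumes the long stem contains no spaces or characters illegal in short names)."""
    if name.lower() == candidate.lower():
        return True
    stem, _, ext = name.rpartition(".")
    if "~" not in stem:
        return False
    prefix = stem.split("~", 1)[0].lower()
    c_stem, _, c_ext = candidate.rpartition(".")
    return c_stem.lower().startswith(prefix) and c_ext.lower()[:3] == ext.lower()[:3]


def detect(events: List[Proc]) -> List[Finding]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in events}
    out: List[Finding] = []
    for p in events:
        exe = basename(p.image).lower()
        args = [a.lower() for a in split_args(p.cmdline)]
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if exe == "vssadmin.exe" and "delete" in args and "shadows" in args:
            out.append(Finding("vssadmin_delete_shadows", "T1490", p.pid, p.cmdline))
        if exe == "bcdedit.exe" and "/set" in args:
            if set(zip(args, args[1:])) & RECOVERY_OFF:
                out.append(Finding("bcdedit_recovery_disabled", "T1490", p.pid, p.cmdline))
            elif parent and "\\users\\" in parent.image.lower():
                # Boot-menu settings changed on behalf of a binary living in a user profile.
                out.append(Finding("bcdedit_boot_options_modified", "T1490", p.pid, p.cmdline))
        if exe == "cmd.exe" and "/c" in args and "del" in args and args.index("del") + 1 < len(args):
            target = args[args.index("del") + 1]
            anc = parent  # self-deletion: the deleted file is an ancestor's own image
            while anc is not None:
                if dirname(anc.image) == dirname(target) and short_name_matches(basename(target), basename(anc.image)):
                    out.append(Finding("self_delete_via_cmd", "T1070.004", p.pid, f"{p.cmdline} (image of pid {anc.pid})"))
                    break
                anc = by_pid.get(anc.ppid) if anc.ppid is not None else None
        if parent is not None and parent.image.lower() == p.image.lower():
            # Same image relaunched as its own child; with the SetThreadContext/WriteProcessMemory
            # activity flagged on the parent above, this is a process-hollowing candidate.
            out.append(Finding("self_spawn_hollowing_candidate", "T1055.012", p.pid, p.image))
        if exe in ("notepad.exe", "msedge.exe") and any(NOTE_NAME.search(basename(a)) for a in args[1:]):
            out.append(Finding("ransom_note_opened", "T1491.001", p.pid, p.cmdline))
    return out
```

`detect(EVENTS)` returns thirteen findings: the shadow-copy deletion fires twice (PIDs 2224 and 284), the two bcdedit calls that actually disable recovery are separated from the three that only trim the boot menu, both self-deletions are attributed to the image they remove (PID 3900's target is the short name of the original sample), and the two self-relaunches and the two note displays are flagged. Ordering rules by the parent's image path rather than by the child alone is what keeps the bcdedit rule from firing on an administrator's own boot-menu changes.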

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Program Files\7-Zip\Lang\how_recover+ydr.html

                                Filesize

                                6KB

                                MD5

                                e934986609c30d84b918f37e5925c09a

                                SHA1

                                e2c0686a863654ca010077db5bfed22a1bb7dd6b

                                SHA256

                                c00caa3fdf946ff2b9a462f8a1d85e0b2ffaf08b9dbb35fbb24decccd1b885ca

                                SHA512

                                c0200d1c88013168c3bda2bc8cb231302f8ea4bde4fca2380fedca56d72156971b883ef3fc5076e136ed10078bcd7ac02a30bc5667b0caf77524f2b400a9cd75

                              • C:\Program Files\7-Zip\Lang\how_recover+ydr.txt

                                Filesize

                                2KB

                                MD5

                                d0cfeb6d19154ee1eef1daf8bb6fbae3

                                SHA1

                                936b633553b5964d23f1905f73c13aa0d387d3db

                                SHA256

                                9cb5bf9a51266d33d068dd97e9d06b68ce1eb32502f75835851ff141d64350a5

                                SHA512

                                8b87c80eeb3b676e36880ffa6dd851c0cb0a0326d303da573efc51cb55ee5bf5002284cb307962778374a82ab1115ec45ac165f61e84bb153c725930d1a2e75d

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                Filesize

                                606B

                                MD5

                                58b77e10cefff64c2e08ff74a1972b30

                                SHA1

                                cfeb2f4d98f4b99caecf83a1e9e4711ba84b97a4

                                SHA256

                                0aea1491c7638da7694ba7b19514b6c7998b77847009cb4cffd246e6ad6dca95

                                SHA512

                                6fbd84347a90550c59225d1b2f29aa94974128596e147ba397bfeaa06d91583df49157e1fc1a081debd15c9ca7f16352472179dc9e675a7324f37be24ac58480

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                Filesize

                                606B

                                MD5

                                88e0c500f512d0d7e65890f2891b65e6

                                SHA1

                                21d1541b7966d41f0b5a70388a078b49169fbe25

                                SHA256

                                08f0b4107437be884b9f9a832a610f0f34ff0e518104d72abc3760fa3c7c0f9a

                                SHA512

                                facea6da5f86459f0491a33599fea633270dffb936c80a7117f41567663ae2641fe98606746cfb4fd8cf0d07af370cbe87e8c5068276ae3a60dd03e894c8d0ea

                              • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                Filesize

                                462B

                                MD5

                                03669f320795483d8f30933e764e6703

                                SHA1

                                769552fc813bd5fc1b89cab14d53c60fd15e236f

                                SHA256

                                dfb31012fb3ad46ec55cec1a4771534db0b5c37fec54dd7b64170d672a316768

                                SHA512

                                3d7b6da74056929d230eaf10c17be9043a7b4377a53bc1121daa6445961e8010e4635b7b80cea09bf568d97b8b369a0a5a427d638851beb1383b00a2fc5ae5a6

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                34d2c4f40f47672ecdf6f66fea242f4a

                                SHA1

                                4bcad62542aeb44cae38a907d8b5a8604115ada2

                                SHA256

                                b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

                                SHA512

                                50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                8749e21d9d0a17dac32d5aa2027f7a75

                                SHA1

                                a5d555f8b035c7938a4a864e89218c0402ab7cde

                                SHA256

                                915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

                                SHA512

                                c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                1aa60db21ba6dbe54d236c37ad8fd474

                                SHA1

                                59c5f36158d550460dd136b414fd7e19ae8da900

                                SHA256

                                2dd66d26137aac03b8b1db05ae6692cc28e331d254b672cad6b5df26f9da0689

                                SHA512

                                3105ea0b7bed5801e7500149033e429bb97a9bbb2fb4ae4daf65bda2ea079011aec0217752dbb404656537fb8967e9e78556c10d9a490944797b7e102be08a98

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                4a2ae1d3a20337aa41aab2e1f44b2f92

                                SHA1

                                35306963eb3be97abafb175518e25af22a83ab44

                                SHA256

                                6263c5f226317c4aabb8b0c0214b94bb6c75ed5b509f32cbd873e28f6ae0e957

                                SHA512

                                a0336b0c63e678a3089eb36ddc88d5685f15870f17516770c1c56c3139191ac80647af1fa010b771de037b7460df63547711fc989125bbf63249721878a9084f

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                d7ed0d08ea84f2729a66e06869868636

                                SHA1

                                9e4e8a25a2c27dbcc6e6cc7097ca5dba47171226

                                SHA256

                                1e014fa399544bcffc9ef0abd8f8441c812a7d1ec1a632a82b9653961955fca1

                                SHA512

                                2c7a3a0953dff7e71b968c500d6de233cd1afe8e64b1a020b13b4081e6347a353e033b92ae221350cbce52253cef33c03e308a1663f40a9627063c254a1397dd

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f51d3545-795a-4d12-b38a-054029322811}\0.1.filtertrie.intermediate.txt

                                Filesize

                                430B

                                MD5

                                03d49acccff15a594047682135359e25

                                SHA1

                                5d1665c3293c60ce4c1dcbef5e46784e3df4c4d1

                                SHA256

                                be4c647022e56511052dfbb15a086f864a5aa7a525e229c58456357c6550e533

                                SHA512

                                03b48871eec8467b61e3b12db3fadd33167ca6068bc6a6ef46597c52a000bb958534067dbacbb0ed17f138b451cd39843226adc2c6986bc3b535990e1c0f03f6

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f51d3545-795a-4d12-b38a-054029322811}\0.2.filtertrie.intermediate.txt

                                Filesize

                                430B

                                MD5

                                62697800f1937f996ff42cd8e847b629

                                SHA1

                                69f7be8d3822009924b420413aafc55288be589a

                                SHA256

                                099caff0fbc1d47f6c47d67b0a32276ff57b7fa9d66c92786768d26f4d393cb5

                                SHA512

                                b77770e6da1cd11d0e6ee4180e698983a1e86668e02108ffd82c666664345226f70b6bb70abb418a4a0113f6b41a57903df2c1236f59a5e519182aae52a6df0d

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662360645001.txt

                                Filesize

                                77KB

                                MD5

                                5ca3861453b5273f15488ede3be82409

                                SHA1

                                4e94e11082e1414150fea560f18151e15fcb96a3

                                SHA256

                                97819e17bcbf823923abefa0667f96f4487f4a6f284a1770256d9814fb3f01d2

                                SHA512

                                54258af21c8a7b30a1433fb31907abef9716f836befa1e8aac83b6304b31758763f24e213419af1a04ab0825802ca1dbdbe2c51bc208ff9b62bec3a6f7c9294b

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663623337830.txt

                                Filesize

                                47KB

                                MD5

                                c955122d5cd2abba7748e219d6364163

                                SHA1

                                ba9f155f9ae2e5bb2b591709f15e48cda5d9f802

                                SHA256

                                179449e7243e6e42087887a7a9b9399cf0a8c04e5a92bb958d36dc1af8224905

                                SHA512

                                c766a4168643b1d35ba78c0c112142fa09123972e7021e81612c855d0e1e4777919bbc6055b5e05d8a0313356340689f95fdd9a549b9b6dfb7bf8892cda20728

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671211214398.txt

                                Filesize

                                74KB

                                MD5

                                aa3f9c5ca79c1fc57aed819e3c60f657

                                SHA1

                                96076a04d840c1904aa319211dcf74ec3005cfff

                                SHA256

                                33cba2b71f439b9ddca3ccc5a68f2b7298ba57d2fcd94fc3c5e27a95609b0811

                                SHA512

                                f5008b4985657598b5046baa17f966d522ac00d47b09b909faaac811d83128519f9e5f25c709de388f718e0a69c134f6246645266080418b96d8cc6d0bc3d75b

                              • C:\Users\Admin\AppData\Roaming\vqlwm-a.exe

                                Filesize

                                364KB

                                MD5

                                764a3a6827e4d04ebbb801e8f5b95f8b

                                SHA1

                                6bdba1a36f825e2b6cbe2c71bfa2e31ad148ddcb

                                SHA256

                                091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1

                                SHA512

                                2a05444918da6ac9e400c1b7c5f58e60187035b4533be28b4b516f8002edfcd9b1eaa9207b820e26f6cd08c51a7ca8610dd4aa785d3b9ffd2dedd04a8aa197f2

                              • memory/1248-0-0x0000000002310000-0x0000000002313000-memory.dmp

                                Filesize

                                12KB

                              • memory/1248-3-0x0000000002310000-0x0000000002313000-memory.dmp

                                Filesize

                                12KB

                              • memory/1896-16-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-7790-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-960-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-1050-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-4576-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-23-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-21-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-20-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-18-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-17-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-7789-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-940-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-7799-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-7800-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-15-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/1896-7842-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/3780-10-0x0000000000400000-0x00000000005C0000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/4392-4-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4392-11-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4392-5-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4392-1-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB

                              • memory/4392-2-0x0000000000400000-0x0000000000486000-memory.dmp

                                Filesize

                                536KB