
Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/12/2024, 13:35

General

  • Target

    d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe

  • Size

    428KB

  • MD5

    d74daee515bd5a77f299151a568cb57a

  • SHA1

    68555ccb11104b0bb9243ba3f5f464de8bb701e6

  • SHA256

    1d8ce53b219771b49d743424498747af3f4201f194dd1020247bb4a492156fb0

  • SHA512

    62dc4d6d0d2831bf55247e6c87cd6b6a5c2798dd1aaea072140146598b9f07921b5f53af2a4c93d5430e54002456a1abc57a00acb2f57339ed827a790febb646

  • SSDEEP

    12288:oYV6HO69joWO8UD8KHCeAJlkMAUhX+cblCJxfS6:oYh8UD8cCEtUhXvOR1

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+ljtik.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1CCC4C5498A79C
2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1CCC4C5498A79C
3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/1CCC4C5498A79C

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/1CCC4C5498A79C
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1CCC4C5498A79C
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1CCC4C5498A79C
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/1CCC4C5498A79C
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/1CCC4C5498A79C

URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1CCC4C5498A79C

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1CCC4C5498A79C

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/1CCC4C5498A79C

http://xlowfznrg4wf7dli.ONION/1CCC4C5498A79C

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (876) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Windows\dyohfxwqsyaq.exe
      C:\Windows\dyohfxwqsyaq.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4292
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4808
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:4012
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff908f546f8,0x7ff908f54708,0x7ff908f54718
          4⤵
          PID:2212
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
          4⤵
          PID:1336
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
          4⤵
          PID:1132
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
          4⤵
          PID:4788
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
          4⤵
          PID:3412
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
          4⤵
          PID:4404
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
          4⤵
          PID:2140
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
          4⤵
          PID:3192
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
          4⤵
          PID:4232
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
          4⤵
          PID:1976
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
          4⤵
          PID:3616
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
          4⤵
          PID:3712
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:468
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DYOHFX~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D74DAE~1.EXE
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2876
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1124
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1564
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5008

Network

MITRE ATT&CK Enterprise v15

Downloads

                              • C:\Program Files\7-Zip\Lang\_RECoVERY_+ljtik.html

                                Filesize

                                11KB

                                MD5

                                2f069f6570af8835dbce5a6a8ddeb4be

                                SHA1

                                7729f526fbbdc7aa76d3eccab26fdbd326c869e6

                                SHA256

                                11698f79806189332a4864d7c7420f098ec9da4e83d48e5ac7dabc09f39031a7

                                SHA512

                                23456d8b0029e28833a3d0fd943b388e5341589e0c1be60dce210d729b86eaa367f3c065a5822552e024011f39dc9923e850afa21ce22ec466b27b6cf37c57c4

                              • C:\Program Files\7-Zip\Lang\_RECoVERY_+ljtik.png

                                Filesize

                                63KB

                                MD5

                                ee855490cf9c73d4bc3ffc96637862b4

                                SHA1

                                05765aa2f6c19a50911cac811a8a1c04252f62c0

                                SHA256

                                982631aaa4d669c3023c4ca57d702591da55750b4af3b8ea12439a3cda440e26

                                SHA512

                                f88d609bab34b54d3802dbb9423c6ae339f4f5296afa55d5eb8ac0a217442350482f7c910ab0416df7084b2fb2039c3acec99add64667d9a44a6c9354f9ae97c

                              • C:\Program Files\7-Zip\Lang\_RECoVERY_+ljtik.txt

                                Filesize

                                1KB

                                MD5

                                18884933f5158f0d646e18cf19fb8d1e

                                SHA1

                                d94b3adc51496d20b62606911747ce479f0d1917

                                SHA256

                                48e6a23a016d55058ce0a16a73d1db0f1f9d3a55628445147699dfdecf6b05c9

                                SHA512

                                d74b1a08b081c88eeb3623bbf86a748b5159c77bcb38e03e0674f0fc0547bf160aa8d4be9f28230fa3a2d57079c32c7cfe4e5940cf00f629ef31f788da6efc2e

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                Filesize

                                560B

                                MD5

                                372dce838d54b34b66c67b22bb8af32c

                                SHA1

                                ae363b81894e23c419404c40ebb02b8f4e534327

                                SHA256

                                225d5a88dae90e60c479d20bb61d91ca236c2a7d19717abebca777d3285acd99

                                SHA512

                                fb848ebcbf5a17b56da8c8d0512ef56ca3ed32f65d8e4394eb3c319833bcb06b70195b5670a75960b6d401ed9e2f6ec486c6354fdeaea44f025e72fe205a477a

                              • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                Filesize

                                560B

                                MD5

                                916b75b90fca066b9f1e9e729c2dd9d1

                                SHA1

                                f52c659a57b649cbcc16ba1adfe29c3400f04867

                                SHA256

                                e138db9000844580c5e69edffda3d886fa596d4d95d2a11e632f189425ed2286

                                SHA512

                                1528a4a69fd14be803692fd1257107c84b1b2d07fde5513bd088c46579a0fe1d85dd30d3e3722f885a0c9598cf01eb45ff34baadea2f9ca6a065083817632fa4

                              • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                Filesize

                                416B

                                MD5

                                3128bf59d45623e4fd2731e85df2992d

                                SHA1

                                28c6c5eab192c394cb47c74cdf62adda19f0095c

                                SHA256

                                578d475094e1cbac4100333a1b1058e359307a6c6dafbe042d07850ed67f8d35

                                SHA512

                                c8b1ed42cac17e686b3de7d49f6f33ceb2f34e983ee4709fe251141203b27e01b2841a388710506a9faccfb60a3c83f2cd70684de45dd7c961c5d2388ec5bef9

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                d22073dea53e79d9b824f27ac5e9813e

                                SHA1

                                6d8a7281241248431a1571e6ddc55798b01fa961

                                SHA256

                                86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

                                SHA512

                                97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                bffcefacce25cd03f3d5c9446ddb903d

                                SHA1

                                8923f84aa86db316d2f5c122fe3874bbe26f3bab

                                SHA256

                                23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

                                SHA512

                                761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                b6322c14b0f6d0369a63496f754e9655

                                SHA1

                                cab077f964b24d766310523c05dc047cfa45c602

                                SHA256

                                dd4d1151d92857347dd44ec53ad3dd8efdf4c60f994c3fd614e0a2b108616442

                                SHA512

                                4910127f01b38cd8a2fa576e296d7b32ba1f57a6013f3bee0ccdf7bfe2fb60805715cbcb00dda058b46bf4fed8bf0972201e13844623e7f97d1b8d9f42356e3c

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                1d282454a3f8476f9f105ea61640e7f5

                                SHA1

                                c2cb5e8293ae4a7ce10c24717e751e87d13f38c7

                                SHA256

                                40c07a7b57ae462761ec3d3c151bf46d2aa40a2c7de5b4b7615eb7474cb41f2f

                                SHA512

                                8d0cfbfa404e0393f9bbe4f3c5fc4b67ae03918c59466fc0d606e790333c5f5f75e25c8a0b419a4d5f191593772aed88b2723098156e8d0560f2c6e7c9e1daf5

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                10KB

                                MD5

                                78af99c27022108864c712730f5ccbd8

                                SHA1

                                e3c29da341f4e5ceff9ba989a9025b7c0d1fa2ef

                                SHA256

                                b7c6b99ee7a19aa01a112dc345c8ad2f82160f980e538572cbdc27437398fa66

                                SHA512

                                eac56174876a65c17acc678eb51a26fa4106d8263283f48a40608559e0cadf65667469bea2dd61b5fcafeb4d7807208891aa450349e5e4766204f6bf0d02f8f3

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt

                                Filesize

                                77KB

                                MD5

                                da2397d2f33dbcf6e8598c42287bd378

                                SHA1

                                d038571ab0adc5dd03b21fb79de92d2149f69261

                                SHA256

                                c9fbb2d2ef35e6b532ee5f69a880154dab0b36c27cb1b5f67e689d1c264fe1e3

                                SHA512

                                080b56e25dc0376b6479b7d52dd4248e2d0466a7dd8d7b7f71121b2b33e2ee4cd9eec6380209722dee182c9e4ce313fce16b5735688beb14ce8cdd0ddb2c4124

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt

                                Filesize

                                47KB

                                MD5

                                2ee3a9b5f58f776fc78a8996cf2edff4

                                SHA1

                                7888d1180ad15d05b6b8a70964d75fa803cfecbe

                                SHA256

                                8ff71fb7fd4b5b356e8d89a8e204b04dd1f6703578e3ea7a58edd11d7fe1a34c

                                SHA512

                                624059be8e7bf13a6b557c29095cf2c8614f06159132446b89f295cffaead0902316ca681bf952d4b3dca4128f279d4dac0f8d05f78b2ab62ba8eb000fba36e1

                              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

                                Filesize

                                74KB

                                MD5

                                300a376f93297fe35b846dc1f6769aaf

                                SHA1

                                afa89cc4ff7b49a15e90d07c4b647b64f01bdf81

                                SHA256

                                86988f70529fcbb0a687f807b9323a508046274b7d76f7717bfec2ef512983d0

                                SHA512

                                fd7a72620930b7a5a5c3d1c53167ce28428257da5a46e9be46769e2694bcffccc8a44b0e7c90806dbde425a495d5b1b9e172b8b14d1520ef9c38b4bff1bf3986

                              • C:\Windows\dyohfxwqsyaq.exe

                                Filesize

                                428KB

                                MD5

                                d74daee515bd5a77f299151a568cb57a

                                SHA1

                                68555ccb11104b0bb9243ba3f5f464de8bb701e6

                                SHA256

                                1d8ce53b219771b49d743424498747af3f4201f194dd1020247bb4a492156fb0

                                SHA512

                                62dc4d6d0d2831bf55247e6c87cd6b6a5c2798dd1aaea072140146598b9f07921b5f53af2a4c93d5430e54002456a1abc57a00acb2f57339ed827a790febb646

                              • memory/3972-9-0x0000000000400000-0x00000000004AE000-memory.dmp

                                Filesize

                                696KB

                              • memory/3972-10-0x0000000000AE0000-0x0000000000B65000-memory.dmp

                                Filesize

                                532KB

                              • memory/3972-0-0x0000000000AE0000-0x0000000000B65000-memory.dmp

                                Filesize

                                532KB

                              • memory/3972-2-0x0000000000400000-0x00000000004AE000-memory.dmp

                                Filesize

                                696KB

                              • memory/4292-2556-0x0000000000400000-0x00000000004AE000-memory.dmp

                                Filesize

                                696KB

                              • memory/4292-10744-0x0000000000400000-0x00000000004AE000-memory.dmp

                                Filesize

                                696KB

                              • memory/4292-10791-0x0000000000400000-0x00000000004AE000-memory.dmp

                                Filesize

                                696KB

                              • memory/4292-8505-0x0000000000400000-0x00000000004AE000-memory.dmp

                                Filesize

                                696KB

                              • memory/4292-5119-0x0000000000400000-0x00000000004AE000-memory.dmp

                                Filesize

                                696KB

                              • memory/4292-14-0x0000000000990000-0x0000000000A15000-memory.dmp

                                Filesize

                                532KB