Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/12/2024, 00:01

General

  • Target

    e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe

  • Size

    396KB

  • MD5

    e3c7a712d0aa4db4b62ca2a2abc3af89

  • SHA1

    80ebc294329a7d40e6ac13feedf0b5554fdf8a38

  • SHA256

    c46d526ed752a808427220c412135972ed2fbfac2476b9fcd6b74b330e4dc9a3

  • SHA512

    814df1437244043bfd5a7803b208695badc87b3a862f24f25b838b8eaee82c91314d5fdd2f52286494fd2499da48a1efb4738235eddc94bd04b7dc14d4cde8fb

  • SSDEEP

    6144:Z0sTdSkul5CpfZsu43jx0HdEouuj5axxn7JCpIKxZU/bc92A6mJOl:qG7pfZsu43d0HdEFuj5EpNbWAcsoOl

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/519F19C117E8F74A 2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/519F19C117E8F74A 3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/519F19C117E8F74A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/519F19C117E8F74A 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/519F19C117E8F74A http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/519F19C117E8F74A http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/519F19C117E8F74A *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/519F19C117E8F74A
URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/519F19C117E8F74A

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/519F19C117E8F74A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/519F19C117E8F74A

http://xlowfznrg4wf7dli.ONION/519F19C117E8F74A

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (873) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Windows\kxbvfewsldpm.exe
      C:\Windows\kxbvfewsldpm.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2892
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4156
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:3536
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe65446f8,0x7fffe6544708,0x7fffe6544718
          4⤵
          PID:840
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
          4⤵
          PID:3668
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
          4⤵
          PID:2924
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
          4⤵
          PID:4872
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
          4⤵
          PID:4976
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
          4⤵
          PID:280
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
          4⤵
          PID:4472
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
          4⤵
          PID:1684
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
          4⤵
          PID:2172
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
          4⤵
          PID:2684
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
          4⤵
          PID:2904
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
          4⤵
          PID:4248
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KXBVFE~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3C7A7~1.EXE
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2024
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:648
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5040
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.html

    Filesize

    8KB

    MD5

    5526518097fb4c37172c8bfd60631d52

    SHA1

    c27020e1e2cf36f4c30aae1288895b8060bed0ca

    SHA256

    d2677bee62cda024ca1d9a87c51842143c8eb40739ac6fe2435de4b5d086f734

    SHA512

    3b93645f26cfbe9d282bd38abab75298ca63ba08edc9003cf09030114983c4a104d9a78490fb71ba41306b0930a9ac5773bb99015be28d000e460e6ac19f135a

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.png

    Filesize

    65KB

    MD5

    5c0d0b7131cd9dfbe2fdc31139c611a2

    SHA1

    a5941ed896792d1afa06e476e26ec325246cce35

    SHA256

    c869b6841fa46301f37200b229f71ec2200ab1a57d5811ddde626c80844418ec

    SHA512

    dc4aa2aab65ff67f3ce3d8b52a4a3bddef90a0665ec5c63ac18ac5f05e8502cce66de3ea338da8de8fc7881a00fa45379aea4219f58c0b4d6a18fa03b5d6502f

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.txt

    Filesize

    1KB

    MD5

    a3e1492405b0b13b2ee7d9e9647bd557

    SHA1

    34869b026d2205f255082783cccfea8a0bd7322c

    SHA256

    c2e10a3f56f92ef9ca45dcff70444c279a3df80ad8dc55b22aa4f5b8de0f180d

    SHA512

    2bae67cf3b5356b4eff0853885f02ba7b777ac2e8595b73cb9070514f49300ab6cde378411624901fb2199fc68b08beab99429be2a13827e685503527b9c2d9d

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    560B

    MD5

    a164c0b92db93aa19e218a4de9b3c966

    SHA1

    b913c168866c616a8d7a75b7ba7f84ca0b87a747

    SHA256

    24c883261cc699a855d9d0f9c42f26ba72650a9027366db5e09b5bb6dd9865b3

    SHA512

    0b58a2f90e54605db0d88cfe5e2fb01e8d87d58af00c7af3e62b24fc09f711cf7661df32bdaf3691fb78a4d9bf2e52bb069c51efc7d5819c1112bdf0210d375f

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

    Filesize

    560B

    MD5

    4a4141afc1193c020da61782de9eead2

    SHA1

    cd1ed30da95a313aecd33430695890c40fc87a99

    SHA256

    e4a501dea357a6554bbc8225476bc02522444534aaa25a2ebfe5d10e3c00ca12

    SHA512

    48a4b97d153028bc5cf898cbc9de640c31b6c56317179645f34a098c253f61c270fd9265c7ccd7ccbee4612cda4924ccc67dcef0115b9cdc61b78e64e5f27b09

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

    Filesize

    416B

    MD5

    907616b1a33a1fb3f6030bcc5f0ec37d

    SHA1

    4612f912f5c762c232202d2d25cc62d11f0174e2

    SHA256

    789a9e35bf63c1aa7f6acec5bdccddba04b9f1785ecc685cf50584fb7512df76

    SHA512

    5189317b1c66a813dd1b45b5be3bba95a58e100efecc981302fe59138ec652540e7467f798c57d3b065937f4f424b1c71cb36324c86b80e79fc3f5f1e05e0974

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    7de1bbdc1f9cf1a58ae1de4951ce8cb9

    SHA1

    010da169e15457c25bd80ef02d76a940c1210301

    SHA256

    6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

    SHA512

    e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    85ba073d7015b6ce7da19235a275f6da

    SHA1

    a23c8c2125e45a0788bac14423ae1f3eab92cf00

    SHA256

    5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

    SHA512

    eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\34898354-9cb3-479e-923e-7710636763fa.tmp

    Filesize

    6KB

    MD5

    d644e9836d37014940bd36ca3308ce1e

    SHA1

    94b904e6d823425a71bd585679191a93843139bf

    SHA256

    46c9a6f33495f51fabcea0b574db8c52b06b283d55172dcd272d80f1cd34a58e

    SHA512

    63316a410daed1448c3fe499803e4b5e4437dbe9a9f947f06fb0baa0e34c8fd81c3e0e9de7ef97cbf345675971d61ee48c5196c02f68e7d23ce4bb6f40fe98cf

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    a4d65491cb40e5be3a5cc9a79889b669

    SHA1

    ba9e3684534bfa784f1abeec4b946cf9bcfc12f1

    SHA256

    198259b796f741594faad22d312b903a329e02d4201818f155cbc9285b938419

    SHA512

    1cd15e4ae8991a0eb22cc7482b9efc698448b44cdb6c26e50b6ff2751c96f2b001a6092f708b00a4c47cdb7b2befec83fd7bb5bd02aa611d97e839710a3a475a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

    Filesize

    16B

    MD5

    6752a1d65b201c13b62ea44016eb221f

    SHA1

    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

    SHA256

    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

    SHA512

    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

    Filesize

    10KB

    MD5

    28eb49bad3024d2a5a5ae4cf55bcd31f

    SHA1

    3b96a10162c2b7b9a9cad7643dc9d67bf20d6639

    SHA256

    01aeee9df3183c8d9d05f1db88dd7500fedff0f87815cda452738b1cb5513714

    SHA512

    27de0673e5757e9abe2e823d17f66631e13f83e60044665ef81305f234c5b2bb24e42df48534f43f6467a7afec337d4d4a47307b96f2196a5f436ac782ce8068

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt

    Filesize

    77KB

    MD5

    4c76e2b5c33ce72e57b00a33f4155b8d

    SHA1

    4cfae7c32cbbf22bec68adcd847ed20386b30038

    SHA256

    fb65e123a57bc95fc03727bbed4dd58c66079af027be288add9f0e63c7596924

    SHA512

    88f66ec095b2533efbc474aec0b6e00fd24af14bb8380c4dcc3e6813b6422487e919ca66e03baa8f4c8c3e9a1108e5965c0c52f2a279114e01b9f9a10d738fbe

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt

    Filesize

    47KB

    MD5

    8d45b9f660869bd519893e3f87f55099

    SHA1

    9bb0025227722bfbdfee296faf02bfb97cdae143

    SHA256

    bd10e327fce62984d1bf79b2d3f6cbd80dca872e60ac237cfac0c4fc16f48cd5

    SHA512

    a54a04f07cd41fb567e26fc91c23cb1e0f783747f1101915c26571994148500a42d3a9dc494751928300ff98324448d567de4bee841e2e3b0370c3e7bf33de35

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt

    Filesize

    74KB

    MD5

    917dbf7bc198672e7a31ce3d05627288

    SHA1

    297a36af17dc41d6761c59b18693c0c098778e69

    SHA256

    05270637e06376724e788a7108690f2f984cf7bb61de6344b18de3bd1e3e4316

    SHA512

    defd733ae0e3932b2c80145563ea73f8ec8535106f18587cb36ab18ca526f3493f8abf1ec1c428f4437aff92a9c573480f19a0da8f6560effef95f17a63b941f

  • C:\Windows\kxbvfewsldpm.exe

    Filesize

    396KB

    MD5

    e3c7a712d0aa4db4b62ca2a2abc3af89

    SHA1

    80ebc294329a7d40e6ac13feedf0b5554fdf8a38

    SHA256

    c46d526ed752a808427220c412135972ed2fbfac2476b9fcd6b74b330e4dc9a3

    SHA512

    814df1437244043bfd5a7803b208695badc87b3a862f24f25b838b8eaee82c91314d5fdd2f52286494fd2499da48a1efb4738235eddc94bd04b7dc14d4cde8fb

  • memory/2892-5126-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/2892-8349-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/2892-10739-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/2892-10741-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/2892-11-0x00000000021C0000-0x0000000002244000-memory.dmp

    Filesize

    528KB

  • memory/2892-2532-0x00000000021C0000-0x0000000002244000-memory.dmp

    Filesize

    528KB

  • memory/2892-2519-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/2892-10786-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/5068-0-0x0000000002240000-0x00000000022C4000-memory.dmp

    Filesize

    528KB

  • memory/5068-1-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

  • memory/5068-10-0x0000000002240000-0x00000000022C4000-memory.dmp

    Filesize

    528KB

  • memory/5068-9-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB