Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-12-2024 21:08

General

  • Target

    fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe

  • Size

    328KB

  • MD5

    fd1f075a3d1e23355b3d11eee0033a4a

  • SHA1

    de2fc8f931ee4807cfe33fe21423818d38480f49

  • SHA256

    36732c7840d2cff5a1759b97f63777493f4b5a43304ab9cd0cb21c94806832a2

  • SHA512

    6724ca14ae693b782f27417c43a1a0d39654fc52ff16461c6bd6faf68c99cf611f80106e1831402af5c668b0f2b9ca2220f5a07e0a982d329ffcdf3585f84dbf

  • SSDEEP

    6144:bTZlzC2Ena1wjOud9vy9672m/kkI1Nf7fbBL0pjnthRKUFQjX31kAeKv1:/XzC2Ca1wjOh967x/7I1F9K1AX3HeK9

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+oepex.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9262D41CD58223C
2. http://kkd47eh4hdjshb5t.angortra.at/9262D41CD58223C
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/9262D41CD58223C

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/9262D41CD58223C
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9262D41CD58223C
http://kkd47eh4hdjshb5t.angortra.at/9262D41CD58223C
http://ytrest84y5i456hghadefdsd.pontogrot.com/9262D41CD58223C
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/9262D41CD58223C

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9262D41CD58223C

http://kkd47eh4hdjshb5t.angortra.at/9262D41CD58223C

http://ytrest84y5i456hghadefdsd.pontogrot.com/9262D41CD58223C

http://xlowfznrg4wf7dli.ONION/9262D41CD58223C

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (868) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\gtvjudpyjxit.exe
      C:\Windows\gtvjudpyjxit.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4220
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4216
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:556
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2f9146f8,0x7ffe2f914708,0x7ffe2f914718
          4⤵
          PID:2400
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
          4⤵
          PID:4796
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
          4⤵
          PID:2800
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
          4⤵
          PID:2628
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
          4⤵
          PID:1368
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
          4⤵
          PID:2868
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
          4⤵
          PID:3096
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
          4⤵
          PID:3780
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
          4⤵
          PID:1868
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
          4⤵
          PID:1052
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
          4⤵
          PID:3708
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
          4⤵
          PID:1360
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GTVJUD~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3132
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\FD1F07~1.EXE
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2904
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1052
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\Recovery+oepex.html

    Filesize

    7KB

    MD5

    04787b0ac612852a9b1161e697660e43

    SHA1

    04fd11e32389563a1bee12f27bc6a06aa13d12b1

    SHA256

    637a2919d6643293c37430f91295596290e826c2763cebc1ecb46fa3f12e4100

    SHA512

    ad3f3f8ddea8e5907cc3a383cbbc7d283937cf74a4d88cddc1377904c7e01c1e4ae14c5f139e9872191c5e1ccf5e46313aa144645f205ba9a4c2d94ffe59ca26

  • C:\Program Files\7-Zip\Lang\Recovery+oepex.png

    Filesize

    63KB

    MD5

    a1271667f73ae34194a7d4c2608bc6e9

    SHA1

    a62faca6782ef66a8e9aa2cae5b96bbe744ba43b

    SHA256

    c8a0c44fc37fd378ee1f55bfc0eddb3aa4267bc4e6d1e550825827f41abcc023

    SHA512

    08a72d0bc44703fc2c58d2f33a111289b491db5262630acd72f516f3719d0991de3ac1dcee7cc8cd6bc7c3fa9ac99a6e6b90da1b861a5aca900d35e4a959d808

  • C:\Program Files\7-Zip\Lang\Recovery+oepex.txt

    Filesize

    1KB

    MD5

    4c7775c8e42c3b032df201b6b2d0d146

    SHA1

    fac179a3bd2a1be9cf3831cc50e506b075534318

    SHA256

    43789a1cc811e400883d188030491befab61a7d53d09e2b400c4b06338aac587

    SHA512

    fc6c767629a5030b452dbf309cb0fc0ea02bdbf0ffa2ea24c1fca3f2a5628e3b3f5217d5159f62b686c55edd36a889bf00a51fe816912fffd22c20fb11a4109a

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    560B

    MD5

    09538b5ace0109cfe1f2b7e642a1c6d5

    SHA1

    4698ed1c9d3d8d522d9a0206305bc1486b9449a4

    SHA256

    6c9651340d051297b7ff9e7d4fa6a8ea23546143675cb063e1d2c185940220cc

    SHA512

    1bd564ec20b5f83435eed87a060f0e1ca753396b34ff1162d9f3d4b2905063d954ac4ca3093fed78d19a877a4d5c00051afd00499b5951003ea8a560d620e824

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

    Filesize

    560B

    MD5

    fa59b374c7ce8eb2a7b6eb0237a5945c

    SHA1

    dce862615b7c6879b1e48c72d69b482c8ca985fe

    SHA256

    4b615139d3e4755d5a7ddade0450f425da39b9ca1917ccaf21677601780a6f20

    SHA512

    2649f0f6ed1039ff3233212826c5a519e94b51af872acea7d3a8321d75e457f3100008e66b8a504874b24e80d3f3a20289af57b9edeb6c0c3812645b7dbd45be

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

    Filesize

    416B

    MD5

    7dfa04f52b5d59d9d32e1e5900913839

    SHA1

    7887716e0617df191bdc330a448d4e4db89129a4

    SHA256

    592b6009664f39ba07d5c2178e58503cdf27970e225f3c71c2db6ff7944c3cc5

    SHA512

    0ed799f020fa9d3e324961434c9e6b2470dbc2dca45b9daea8d4c9ff2019d4fcc0b38722f95b57aac713039504ee1011c65188911fdabc7706c6fd6b7e89c08a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    c2d9eeb3fdd75834f0ac3f9767de8d6f

    SHA1

    4d16a7e82190f8490a00008bd53d85fb92e379b0

    SHA256

    1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

    SHA512

    d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    e55832d7cd7e868a2c087c4c73678018

    SHA1

    ed7a2f6d6437e907218ffba9128802eaf414a0eb

    SHA256

    a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

    SHA512

    897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    5865926f349de36601df1e8859a5cfd6

    SHA1

    9df094b5c2847035d245305f67260b2231b4c404

    SHA256

    fe97476112968ecaea4eddc8e12fa1bdd511ee29ebeb6c902e77fcddeb862785

    SHA512

    356be4382d7e19d856df896d0dd9174a325b2a63172c38bc80289c18223225f5961ce7a17857b8442614466d52b9e49b6860a87a8af356e6feba0e45069714d1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    6KB

    MD5

    eb402e608dddcbabd70a9ffb65183288

    SHA1

    895efbef24fbb8ec70045cfccff371e67ffc870a

    SHA256

    d3d566edf14bac532f0ba8113488806d2469700e719ea8b32667a85ed7e188f7

    SHA512

    c0405c2b7d949d85b95284ecb993390f8283ebac7e60b0ac69ee1736018934263a9c77da9507867352946ccb1ef4f6c5e3349bd3989162193a2b231fb272092e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

    Filesize

    16B

    MD5

    6752a1d65b201c13b62ea44016eb221f

    SHA1

    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

    SHA256

    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

    SHA512

    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

    Filesize

    10KB

    MD5

    bf86781c58abcf9beecf8bc35461f0f3

    SHA1

    6b1a1f423f192602e29f99cc32b8d9c23d61ed09

    SHA256

    6ef6952b744085f31923caaaf2e9ed33a4bed60195bf7631a717f594ca4dd431

    SHA512

    82c4cf5ecd19bce63d0090a46ecab55b19b7a650904cf06b33e8dbc3e03d8b12d597e7c765640bd9b766b6edc21214ca0cfbb9a026a4a3953d873d761c19e212

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662820354407.txt

    Filesize

    77KB

    MD5

    dff9a55448f07381f403ff6e350ecb8e

    SHA1

    3937359808764154d9a25f40ede149af08ab0f83

    SHA256

    4e3b3b656d5f193f1bf705312a65bd2f071a60bdce8280bfe1f8f97f0ff393bf

    SHA512

    5a626f67c7c681b00e29ef3379ff86fcba7ecddc2e7eb897ba88e274b3cb11f107cdbe1d50a814c2a54cf65825ffa8da0e711f21d86c11f0382cfd70f8cab3bd

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664176773847.txt

    Filesize

    48KB

    MD5

    60cd78e973f55590ae0b61ebb492b812

    SHA1

    f5150ed50c22358df1f358bec29de1eb9a9c0cd0

    SHA256

    1a5f0f65be2e464af9c9c5d3ade38d1217c86f4c81f5982721c2b352127cb963

    SHA512

    4e5fcb85fdd051a9a9b935c5999106110a06b9835f5c8e20ade34206ca9a6aed539fc79076b060789f33a93d54f80728f105a69623a239a3475670eb1a259604

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672589120253.txt

    Filesize

    75KB

    MD5

    7b11200d9c5ef748760ed2e16d241516

    SHA1

    613ed0549ad29aa600a2bda18aff527ef8c80712

    SHA256

    5ca078674e7437e08afd480e1284f2b972a255c0a7472ec11a9e9a259e4566b7

    SHA512

    74fbed6d19d8a598d4153ac95b8a56470b96d450692fd6611ec880dcb94c1e4647dda7ba291977537d783b8b6b428c5b21358552450504e80794b7b915ec4e27

  • C:\Windows\gtvjudpyjxit.exe

    Filesize

    328KB

    MD5

    fd1f075a3d1e23355b3d11eee0033a4a

    SHA1

    de2fc8f931ee4807cfe33fe21423818d38480f49

    SHA256

    36732c7840d2cff5a1759b97f63777493f4b5a43304ab9cd0cb21c94806832a2

    SHA512

    6724ca14ae693b782f27417c43a1a0d39654fc52ff16461c6bd6faf68c99cf611f80106e1831402af5c668b0f2b9ca2220f5a07e0a982d329ffcdf3585f84dbf

  • memory/4220-2716-0x00000000021F0000-0x0000000002275000-memory.dmp

    Filesize

    532KB

  • memory/4220-8860-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/4220-10561-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/4220-5388-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/4220-10607-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/4220-2715-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/4220-9-0x00000000021F0000-0x0000000002275000-memory.dmp

    Filesize

    532KB

  • memory/4720-1-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/4720-0-0x0000000000AD0000-0x0000000000B55000-memory.dmp

    Filesize

    532KB

  • memory/4720-14-0x0000000000AD0000-0x0000000000B55000-memory.dmp

    Filesize

    532KB

  • memory/4720-13-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB