
Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/01/2025, 10:31

General

  • Target

    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe

  • Size

    371KB

  • MD5

    c192a273a786b569df2056914faf8327

  • SHA1

    87f24f470d678deae2cade1d3fd12255e796c091

  • SHA256

    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced

  • SHA512

    8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427

  • SSDEEP

    6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+vdffo.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://yyre45dbvn2nhbefbmh.begumvelic.at/F2D9B1604B5E4638
2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F2D9B1604B5E4638
3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F2D9B1604B5E4638
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/F2D9B1604B5E4638
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://yyre45dbvn2nhbefbmh.begumvelic.at/F2D9B1604B5E4638
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F2D9B1604B5E4638
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F2D9B1604B5E4638
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/F2D9B1604B5E4638
URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/F2D9B1604B5E4638

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F2D9B1604B5E4638

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F2D9B1604B5E4638

http://xlowfznrg4wf7dli.ONION/F2D9B1604B5E4638

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (875) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
    "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
      "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\ygglwxrusrlr.exe
        C:\Windows\ygglwxrusrlr.exe
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Windows\ygglwxrusrlr.exe
          C:\Windows\ygglwxrusrlr.exe
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5024
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2552
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1448
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeed5a46f8,0x7ffeed5a4708,0x7ffeed5a4718
              PID:3516
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
              PID:3048
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
              PID:4668
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
              PID:636
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
              PID:1352
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
              PID:2316
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
              PID:4348
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
              PID:2928
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
              PID:2644
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
              PID:1860
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
              PID:4392
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10100977202909896341,4171109764235555133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
              PID:3252
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            • Suspicious use of AdjustPrivilegeToken
            PID:4732
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YGGLWX~1.EXE
            • System Location Discovery: System Language Discovery
            PID:296
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
        • System Location Discovery: System Language Discovery
        PID:4920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:3044
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:3384
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+vdffo.html
    Filesize
    9KB
    MD5
    65730126c6819946d3d0c37d14db4014
    SHA1
    6aba805319305ce2350f59df1c0f82d3cf58117d
    SHA256
    e2b6823c1d386bff8486e19e1894f47eed60cc30ede9c825de7599493368859a
    SHA512
    cfef1246ecac34a1775de7a306f05b9f5d2304c8c3add6d68859b56de9bada8423f5f86c6952b677883718c2548c815f7cf5dc6645648a0b966d938e8c8ce3aa

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+vdffo.png
    Filesize
    64KB
    MD5
    3428de678d1dcac41e5642e3f1aa0812
    SHA1
    b23faa4644cf2ce84b3f16388de0169f495d2519
    SHA256
    69c6f96ef207a33b2c32e52fbbe2fbe561c6a54b0e4b31f378f0bf6f8a8f89a8
    SHA512
    8f478fadb93d5dd2c16795db3d83780a4392f4eb4fe86f4386330c006e883850a611b5cc1bd2ac39b5e811dcbaceeba5fb1d5363aaa0f63a63cd383565252268

  • C:\Program Files\7-Zip\Lang\_RECoVERY_+vdffo.txt
    Filesize
    1KB
    MD5
    7b1eb3321972afe973ff9053c93e0a46
    SHA1
    fb71a3af633fa41d19bc04cf0b7e949147eade68
    SHA256
    ae163809d5b438f6951731da302f8b4d8dc066595b21180631ad1189a91380c6
    SHA512
    4fd7a04d301ff067b405b8257c2978cf955822a4d5d2a1037dc86f650b89befc627c3b13dd57652555ab9a9c23a5314fad4d4950ab87d6460746c44ea5e9bce4

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize
    560B
    MD5
    562f5067a5e6d59d264825b5be0674d8
    SHA1
    802c22a56d57f024ba5c6e294de04191e72ac70f
    SHA256
    3f239e5ff37979f04064ef211682d16f4266275e109ab5ccad26c0d272a65d70
    SHA512
    e55a3ee7b5972803d33e21446174d0d78b9b59a26bdeaa9bde62338cba920aa633e3183bf437cf4b6411b786dc7156c1ea16705a28dc6dbbdb286bcf91e51860

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize
    560B
    MD5
    137e9a55b8ad9dc125ce6bea1aa267c4
    SHA1
    b8e01ac94be647a6e8baa626c402f16189c82d7a
    SHA256
    05f48251a2f6f769a0507320aa9fd64291490c05abb6046fe22a7e5562b2ff98
    SHA512
    6b60940f419cdeb70870d9f56fdad882e6209e8ebe64b3e546310843a9a8d3bc5198ebf7ff362f153657bbda2ade0dca07dcdab33dd15d4a9640283a6d0712d5

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize
    416B
    MD5
    1c788fa67bc7eaba828c023871e7cef8
    SHA1
    95a2560ef1c935f4dbe028d90b30a09df0a2d31d
    SHA256
    b92f463cb9bb0d0eb1cc85e92832b6b15b3a3930d2364fd9331c34ff53ce9e09
    SHA512
    dbd77d27d6538ce9bd4c2d9e3bfae4d65a4ad23bab4e82efb01ff5560e574910fd484073dbc75aeb1c8ae6771069cb574dc664a0af9fd15674596e5bc766472f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    61cef8e38cd95bf003f5fdd1dc37dae1
    SHA1
    11f2f79ecb349344c143eea9a0fed41891a3467f
    SHA256
    ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
    SHA512
    6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    0a9dc42e4013fc47438e96d24beb8eff
    SHA1
    806ab26d7eae031a58484188a7eb1adab06457fc
    SHA256
    58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
    SHA512
    868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    d228377fbefbb4de8247ea04eb488cde
    SHA1
    46e3cbdefa68baf6f4d2acaceefd8b3dcca8853d
    SHA256
    e5ea943ffe86e6a542e30869b9ff7297a474c5289c13abc799811dc24c120584
    SHA512
    7fe33b7705798430464e3dbc40ce4afd76f5ecf4a3d1a3fb9a9f909f4a8cc889d1409c1b87c7745925f333b4f2fd54f3483ffbf014cc0e917733fab50b70b6f2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    8de3060b9ec728813e34cb5ecf3025a4
    SHA1
    242706ec7b9096eb035c505cbd891fc7d0bec5d4
    SHA256
    2a1a438e09445dd39dccca375dedef20cb3db66dddf94da6d845dbc735eb88f3
    SHA512
    cf5989569e248a3a20bbf39fa458f98ea2ea9726a50351ef0d02de9729f4ef2b85931f6df312daab460d5269ac4d72193636e6ff5f86b4039c47f8a96ff5970e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize
    16B
    MD5
    6752a1d65b201c13b62ea44016eb221f
    SHA1
    58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256
    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512
    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    10KB
    MD5
    03d4468e047821375edaa33b7db24fff
    SHA1
    1405a0ba3191702dd5fbf41c6844cf656c8fdc86
    SHA256
    f4537842dba7cfd6c1066974024322db5aea83695bf3de84a43b912808353fb7
    SHA512
    1714c9f6048ae815d27cb922b4f848e0cd12642041167ff3dff4db591ff4503f63c4af75aa1bfad90fbf1b8d37b912f3d921b32c938818b4644f8fa96033fb21

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665885684530.txt
    Filesize
    74KB
    MD5
    1409e6d6b5fde8a1f9394333086c0731
    SHA1
    9860f904c298d652629fc9883570efef9c37e1f8
    SHA256
    48b40c79ba3ad62b45a2ceeaa83dfac2eec676fe3f79a0e83f13ebf1ae15564e
    SHA512
    ffeeb3b5c97b177eb43c18f635d9338828bf69a4499483ddf0eaa6a8148980bdd1f52746d55fb65138914fca6ae1dd0c7bba802e88c7dc38a780184c266ca1be

  • C:\Windows\ygglwxrusrlr.exe
    Filesize
    371KB
    MD5
    c192a273a786b569df2056914faf8327
    SHA1
    87f24f470d678deae2cade1d3fd12255e796c091
    SHA256
    e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
    SHA512
    8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427

  • memory/1808-15-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/1808-6-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/1808-5-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/1808-3-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/1808-2-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/4564-12-0x0000000000400000-0x000000000056E000-memory.dmp
    Filesize
    1.4MB

  • memory/4828-0-0x0000000000830000-0x0000000000833000-memory.dmp
    Filesize
    12KB

  • memory/4828-4-0x0000000000830000-0x0000000000833000-memory.dmp
    Filesize
    12KB

  • memory/4828-1-0x0000000000830000-0x0000000000833000-memory.dmp
    Filesize
    12KB

  • memory/5024-19-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-4853-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-7926-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-2609-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-10770-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-10772-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-10780-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-10782-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-2608-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-689-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-25-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-24-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-10822-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-21-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-20-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB

  • memory/5024-18-0x0000000000400000-0x0000000000485000-memory.dmp
    Filesize
    532KB