Analysis

  • max time kernel
    149s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2025, 23:52

General

  • Target

    MSUpdate.exe

  • Size

    360KB

  • MD5

    9ce01dfbf25dfea778e57d8274675d6f

  • SHA1

    1bd767beb5bc36b396ca6405748042640ad57526

  • SHA256

    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

  • SHA512

    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

  • SSDEEP

    6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECOVERY_+xysfh.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/69FF1965B85F437F
2. http://tes543berda73i48fsdfsd.keratadze.at/69FF1965B85F437F
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/69FF1965B85F437F

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/69FF1965B85F437F
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/69FF1965B85F437F
http://tes543berda73i48fsdfsd.keratadze.at/69FF1965B85F437F
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/69FF1965B85F437F
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/69FF1965B85F437F
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/69FF1965B85F437F

http://tes543berda73i48fsdfsd.keratadze.at/69FF1965B85F437F

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/69FF1965B85F437F

http://xlowfznrg4wf7dli.ONION/69FF1965B85F437F

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (863) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\yxywcdlvmcpe.exe
      C:\Windows\yxywcdlvmcpe.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4692
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3972
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:448
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e20846f8,0x7ff9e2084708,0x7ff9e2084718
          4⤵
          PID:3012
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
          4⤵
          PID:284
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
          4⤵
          PID:1828
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
          4⤵
          PID:464
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
          4⤵
          PID:2768
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
          4⤵
          PID:2624
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
          4⤵
          PID:3576
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
          4⤵
          PID:2384
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
          4⤵
          PID:1632
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
          4⤵
          PID:1656
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
          4⤵
          PID:324
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
          4⤵
          PID:4900
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YXYWCD~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1700
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5048
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3964

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\Lang\_RECOVERY_+xysfh.html

    Filesize 11KB
    MD5 d6377730ed5a65068541a72b23dc5e6d
    SHA1 c2ae903ec50cada472020647bf14bd1c932e1715
    SHA256 ee27410f69176d1eabe0b5da6951d532c7951ee0a2417b7348c61fb4b335e9e0
    SHA512 0e9fcc38e8116d530b5f14150a7b16fdc01ad154f660ae17ab67575f7e907f6006755651eac4f32b1988968ab5081a66409a43dd1e903134fb3c701921458bfe

  • C:\Program Files\7-Zip\Lang\_RECOVERY_+xysfh.png

    Filesize 62KB
    MD5 1495b337229bf13492b99797b474bf52
    SHA1 d441770d650b056d06cab821fe01fc6d8a32b172
    SHA256 bc7ab9f466acebd6a7b15b8793c48777095bf5173ff3b4d516631401e76d103b
    SHA512 4c3a2624dfd7df002b278d579de38b09ee1250d018484f0f1247f0d43958aa06812094aadd7ecfd39e16b87069880752ac6cd0951c36cb379bba25a542d56f06

  • C:\Program Files\7-Zip\Lang\_RECOVERY_+xysfh.txt

    Filesize 1KB
    MD5 fde04aa3d3b08764684c5741d40feaee
    SHA1 108c44870e8887a6ed2671610c26aba4addfb9a0
    SHA256 f9332da4c2072589becdc864e90e25d10b4ef7e2680099c0bdf9faaccee6644b
    SHA512 689a78f81d015763b62f2469a622ce6500ad3e84a2772c69b9ac78799004401f8846dc868fd2489497820f71231fc92ecf3f2c0ff4b290b90aee7c436f839a53

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize 560B
    MD5 13bdd3ac91a12f38eadf02a2224c4e05
    SHA1 795a19675f1efbe1f75d27af0fded03bd64153aa
    SHA256 998dbd2bd47bef16bb2929514de1efa0d08830764808e89acf28f46b23876ed5
    SHA512 c71f2d3a76d6caa554231287f1a02d86fd05f31e04a11b694d7917f09573be2bb9c799ce1b59edb7c59d4d917d0ce2d447e518764500e45a531bdd5e64cc132d

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

    Filesize 560B
    MD5 53f7088551c8cafaef02389e040d9974
    SHA1 cabe490b4e97789583f56f8027f2cf49bf8f650d
    SHA256 4d51b3289740ec260d92fcb72fe31813da09b98ae3e4bcdfa590a57b0ba34d35
    SHA512 5fa83b98965def059c2902c22e31180b701b71e572526e2fd6a18f811b6b0a6d1378c5f9be82dbec1bb27afe3ddb631e9f6b2febd2f07652411af12c26bb11fa

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

    Filesize 416B
    MD5 4f04e5c85660889480ca0d1303a207ae
    SHA1 1cd060c430badd3e391671caf035b4da6b0737cf
    SHA256 5c456d2481e90336588d9f7dc81041a71a95ff99b1572c94cb4dad9b86350c19
    SHA512 b7bb6e473ca19ca22177a8fb45606e43393b4cb94039714b39a681bed64cfba7745d6e5394da2306328285f83b6df72f92aed636b719e5be9bc9da336975efc5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize 152B
    MD5 37f660dd4b6ddf23bc37f5c823d1c33a
    SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
    SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
    SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize 152B
    MD5 d7cb450b1315c63b1d5d89d98ba22da5
    SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
    SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
    SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize 5KB
    MD5 f5bf74137cf460620c72d0655b94115d
    SHA1 18f0bac2d4ee54ea8f8cc1d734fcd7bfd0531ba4
    SHA256 8d8c4d86220f8a0eeeabd6c01d8c605935a201af4c7739af64a0036d992143bb
    SHA512 e49936d444f797afdfb56b9e37c9ce9b49c569cf257daf8a29d2e0c48f2e58f465e06e5a6a3b030cc26608d33e7a139cf820dba6c6fd98d22db5d660e7e59731

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize 6KB
    MD5 a4d44f1ee9e5aa7ef9be5b6cc7e1c997
    SHA1 59faf2c94899bd52fb255268abafc8eb04ad0241
    SHA256 a39417e0c664e137000a09f7407be2bf3fd16d0e8b79e2e6affc03cabfaaf568
    SHA512 4a0cbe81c3d94162f9d2c2f7a972e7c622b98d38ffba86fc451d518da99c8a7a12e1ffc6ff918f46a428a72544c02948717927496f5b917a2e5a6caf3f20a48a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

    Filesize 16B
    MD5 46295cac801e5d4857d09837238a6394
    SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

    Filesize 16B
    MD5 206702161f94c5cd39fadd03f4014d98
    SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

    Filesize 10KB
    MD5 b322d455cfd14acbf6915c549f702cca
    SHA1 ade99d6c9765890352d8f7c97ee5cef73c1772f1
    SHA256 1087d058766a6aef60a9f02c782f6bd8963c79e05e3bce7d54935ddd5ed2d311
    SHA512 b530f41a61666a01d5eccdfdd45119d303aa01816fe45e9835ec06ca7ce610b445d3b4a7a84e079a8432eeeb26c5f4f9581bb83cb0f4d9cb1f6d2a75516b6cb7

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

    Filesize 77KB
    MD5 d706e56d1c0fc90e7c34bb227727009f
    SHA1 82bada2e63da5723b13abc229a6696a81b37327a
    SHA256 5259f8e03d5a6563104e620999c7f6e246ab852d50b364dbec4fa790d0ddbadd
    SHA512 f61c7934043985131fa4b3561ba6a3ca17762f1e7e2a2bfd5a64b07ce1e8a943d7dd2005afcc210d39a86729b2adb54f83142645726c633c1e7f01bc6d2cc2c7

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

    Filesize 47KB
    MD5 3cab405fdf57d96e02310bf3f4ef390f
    SHA1 142af4b729aa05ecd22b9ab58343baf3655fb55b
    SHA256 066964166d65c57eea65076e3dcb64013542751f731544dc25b38d20183f9ad9
    SHA512 69329ad549ce975be905eadd634e873bd24cd1c5355f3b1d543fe6873b1517cf25eb4fffb345316d09a681a6318d30f996efecd7647342afcccc1608a88d6c4e

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667861810871.txt

    Filesize 74KB
    MD5 ad9d0729e9505b4a924c53ec24a0f6f8
    SHA1 4e6c554a7f86e78a534b54c6e1f9af88b0490e5a
    SHA256 c1fee6b2ec9ad41fc691d1fd942351a937e2fdf6ebf6418bd74258b1b1d448de
    SHA512 4bf20a969ddbdcad03c7b56c4aa468f8141c40f7cb621166c55e3ba3913a9539dea5e9fe09206c9bbe28915ce823c2a044587f9516011c01f4df152822024ab9

  • C:\Windows\yxywcdlvmcpe.exe

    Filesize 360KB
    MD5 9ce01dfbf25dfea778e57d8274675d6f
    SHA1 1bd767beb5bc36b396ca6405748042640ad57526
    SHA256 5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
    SHA512 d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

  • memory/4412-0-0x0000000000AE0000-0x0000000000B65000-memory.dmp

    Filesize 532KB

  • memory/4412-14-0x0000000000AE0000-0x0000000000B65000-memory.dmp

    Filesize 532KB

  • memory/4412-1-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize 632KB

  • memory/4412-13-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize 632KB

  • memory/4692-8201-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize 632KB

  • memory/4692-10711-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize 632KB

  • memory/4692-5253-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize 632KB

  • memory/4692-1137-0x0000000002150000-0x00000000021D5000-memory.dmp

    Filesize 532KB

  • memory/4692-1135-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize 632KB

  • memory/4692-3149-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize 632KB

  • memory/4692-10780-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize 632KB

  • memory/4692-12-0x0000000002150000-0x00000000021D5000-memory.dmp

    Filesize 532KB