Analysis

Max time kernel: 149s
Max time network: 158s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-10-2024 21:56
Static task: static1
Behavioral task: behavioral1
  Sample: 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
Size: 352KB
MD5: 1e1def42d14365acdde0fab027ab4f73
SHA1: 076c52faa6c76610fca15b8533e81bf8ba8133a8
SHA256: 92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23
SHA512: c93298bc25a818114018cb51a3b0e4c3137b46633dabb6a17303f12473e58d64e19c39c14f307c0df9e0e4202171d2ab22eaef2bf3f7b35e5b9b7a114eb7d722
SSDEEP: 6144:5Meb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:5Tb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv
Malware Config

Extracted from: C:\Program Files\7-Zip\Lang\_ReCoVeRy_+jdyxi.txt
Family: teslacrypt
URLs:
  http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/27FDC1DB33910
  http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/27FDC1DB33910
  http://yyre45dbvn2nhbefbmh.begumvelic.at/27FDC1DB33910
  http://xlowfznrg4wf7dli.ONION/27FDC1DB33910
Signatures

TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Renames multiple (856) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe, iuawrbajtfmk.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | iuawrbajtfmk.exe

Drops startup file (6 IoCs)
  Processes: iuawrbajtfmk.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jdyxi.png | iuawrbajtfmk.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jdyxi.txt | iuawrbajtfmk.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jdyxi.html | iuawrbajtfmk.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jdyxi.png | iuawrbajtfmk.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jdyxi.txt | iuawrbajtfmk.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jdyxi.html | iuawrbajtfmk.exe

Executes dropped EXE (1 IoC)
  Processes: iuawrbajtfmk.exe
  pid | process
  1164 | iuawrbajtfmk.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: iuawrbajtfmk.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnudjeq = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\iuawrbajtfmk.exe" | iuawrbajtfmk.exe

Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Program Files directory (64 IoCs)
  Processes: iuawrbajtfmk.exe
  (64 "File opened for modification" entries under C:\Program Files by iuawrbajtfmk.exe; full path list omitted)

Drops file in Windows directory (2 IoCs)
  Processes: 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Windows\iuawrbajtfmk.exe | 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
  File opened for modification | C:\Windows\iuawrbajtfmk.exe | 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe, iuawrbajtfmk.exe, cmd.exe, NOTEPAD.EXE, cmd.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iuawrbajtfmk.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Modifies registry class (1 IoC)
  Processes: iuawrbajtfmk.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | iuawrbajtfmk.exe

Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE
  pid | process
  2376 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: iuawrbajtfmk.exe
  pid | process
  1164 | iuawrbajtfmk.exe (same entry repeated 64 times)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe
  pid | process
  5040 | msedge.exe (same entry repeated 6 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe, iuawrbajtfmk.exe, WMIC.exe, vssvc.exe, WMIC.exe
  description | pid | process
  Token: SeDebugPrivilege | 3044 | 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1164 | iuawrbajtfmk.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence listed twice) | 4180 | WMIC.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 3636 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 1960 | WMIC.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid | process
  5040 | msedge.exe (same entry repeated 25 times)

Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process
  5040 | msedge.exe (same entry repeated 24 times)

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe, iuawrbajtfmk.exe, msedge.exe
  description | pid | process | target process (repeated entries collapsed; 64 entries in total)
  PID 3044 wrote to memory of 1164 | 3044 | 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe | iuawrbajtfmk.exe
  PID 3044 wrote to memory of 2272 | 3044 | 1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe | cmd.exe
  PID 1164 wrote to memory of 4180 | 1164 | iuawrbajtfmk.exe | WMIC.exe
  PID 1164 wrote to memory of 2376 | 1164 | iuawrbajtfmk.exe | NOTEPAD.EXE
  PID 1164 wrote to memory of 5040 | 1164 | iuawrbajtfmk.exe | msedge.exe
  PID 5040 wrote to memory of 4020 | 5040 | msedge.exe | msedge.exe
  PID 1164 wrote to memory of 1960 | 1164 | iuawrbajtfmk.exe | WMIC.exe
  PID 5040 wrote to memory of 4672 | 5040 | msedge.exe | msedge.exe
  PID 5040 wrote to memory of 3848 | 5040 | msedge.exe | msedge.exe
  PID 5040 wrote to memory of 4708 | 5040 | msedge.exe | msedge.exe

System policy modification (1 TTPs, 2 IoCs)
  Processes: iuawrbajtfmk.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | iuawrbajtfmk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | iuawrbajtfmk.exe

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

C:\Users\Admin\AppData\Local\Temp\1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe (depth 1, PID 3044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e1def42d14365acdde0fab027ab4f73_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\iuawrbajtfmk.exe (depth 2, PID 1164)
    Command line: C:\Windows\iuawrbajtfmk.exe
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\System32\wbem\WMIC.exe (depth 3, PID 4180)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\NOTEPAD.EXE (depth 3, PID 2376)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 5040)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 4020)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd6f7046f8,0x7ffd6f704708,0x7ffd6f704718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 4672)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 3848)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 4708)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 844)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 4804)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4, PID 3384)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4, PID 3276)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 4496)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 1028)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 3516)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16400299846446630238,713141939445399320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:14⤵PID:1444
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IUAWRB~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1E1DEF~1.EXE2⤵
- System Location Discovery: System Language Discovery
PID:2272
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4576
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1144
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads
-
Filesize
11KB
MD5
d8217c1bd248393899b6119a0cb51adb
SHA1
32b7bf77df34699d65d76d558df116831c6cb696
SHA256
901c977940d1a709e09bde9f89456b0e453ef812989caaa1be10d355e65e0c46
SHA512
4b1eca843b51217f23cfd7304de4269eea4807b953e2fc2241ca8b40ccfa280f25d1052d06cab30d3cd0a8b139f9dacc7da7af9276a09b5625c5d34785ca1b31
-
Filesize
64KB
MD5
d833c664fdcd0575783d4d013e2ac4d6
SHA1
84321af272f0ef388d33551ce5ee12ce6d37f48f
SHA256
1fa15ebba0ce791c9452f8f4184ff00b99fb65d9ccac478cb5d2e1e4e419084f
SHA512
2c9813952abc49e2addc1a2479be738d10f26ce0f8978c6a83a3cf4cebe9a4b5b84ce4eb563a0916b9ddd1bb94c00b62e68dd0972b24a433aab65f67eaeab111
-
Filesize
1KB
MD5
d3860d08e01f7f7f6c86a96d0e090116
SHA1
3bb7c7515829a559cee052e157e3c955c388a8f5
SHA256
57223983a68d73e83fdc82f8abb5c96a48d601ffe1eb86b5c7d70a6b57bf6f2c
SHA512
1428b3aefd3e4619449309cfec618cada1f9d7ba1df2b94dbecea7a59970d171e663834dff3e05e45c88896a60b3fa7c91f1a098d9b00c406d4c89bf2c5dc0a9
-
Filesize
560B
MD5
86ab66923869f479b9d2ee124e47a840
SHA1
a5c3ea930d55a438aa184234bcebbd2c9e176ea3
SHA256
b7589eb5cb9b68094accc1dbe85e600de68c75be1b7b5c8fd6049be3a4b351f9
SHA512
b6346acc5eebb7f39dd6ba520108d70302c3288abc04b5d245d1a2b127c5650cced9b925e5a3478c239dfb1a68512dfb70362ccad3e774efcd17e5d0523f3188
-
Filesize
560B
MD5
1bf5525b50f2455a1d7bca5ab65a05f9
SHA1
bc97cc6dfb7ada351ae4d20b41aedf1ea0df90df
SHA256
ad4dc82353389fa396b70da62bae56aca644c5961070f4ac2b8c1b6851045449
SHA512
1d6663d20631e4f8239795b912748bdde52fc19a30e9422a58dc515e5591fe21d06642339da439a70ba98fb6413a159d462a137a01d4841b00e37d1d973fa17d
-
Filesize
416B
MD5
df869f70aa5ce750bd09bd0354b27f1d
SHA1
115760f0659f23b52913f9dd253153c6f315288b
SHA256
e31150c3f75c6855936475060201256ce987edc27a194e0a9b7803b67facdab4
SHA512
011c3a3cd5aa7552d3c8e9487e6addcc82dd0091c731f4cae7771e932a47c021d8e362d35333db32ce86e024e258befc8a4ea63731a95654f4bb77d7545103f6
-
Filesize
152B
MD5
34d2c4f40f47672ecdf6f66fea242f4a
SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
Filesize
152B
MD5
8749e21d9d0a17dac32d5aa2027f7a75
SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
6KB
MD5
9f5fd46c0a733b3c000359d2f00f91b5
SHA1
3cb1dcf11a67567bcc1bff9ba84d200f1c085b33
SHA256
8ca168c94de045ab25be399675493bd338338a8840c8559f1b6d1ffd11d4491e
SHA512
31f9febe078aded689fea00b07bc81d5dda87d41478d86da44d7b1ebda3ab1f77828684e221d67129cd388fb4d10222d31804253a47f1839e495f9b69758792e
-
Filesize
6KB
MD5
73342c502950c6f3df6279b9a3ba3dc3
SHA1
d147e1f242855027c14ae881aba7bb39c6b43f0d
SHA256
a9daed248a760830f080a4fcf60b5dfd51b18a6059b60ba1c1230641ffce9c48
SHA512
8bcf949a174a6e64bf130a5c15c6aad8af8fb3cbf2cc62d3637cd455dbda409c0f5cc61b06301c99f9061a94d18513ba07541a41bb882d67d3faf9a0281cf2bd
-
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD5
b1f59c366dbb9ca6b5c37176e3c34fd9
SHA1
fe92f008b27b008a0738b54da9e6debcfa9384a1
SHA256
2f880003903f79865692fee451b60da47f22a64c4d9d9226eb3704c8cc4d0b86
SHA512
420ad83f218f2518649583d40eb81426585c5d89fc45ac9a4dcae0de3f6499e0ee08bc56fce210b0dae549ea743145e09c4f61fe18dde55e2c5cb40f65dff094
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662360645001.txt
Filesize
77KB
MD5
ef28fe027687100ff4b20f252421b7d3
SHA1
fb69109a13423fc47878c8e246732fc1b0da2a81
SHA256
a691c8bf5d00cc442dfc7e6736f55089427da32c0103cb0524df31df70d71be9
SHA512
fc723646663c948968729768af9c82aba2cfe0a225631c9a146fc5d55b2699aa75faedf0c7030f706d6eb16d166c22161ebd9cb9513990b6f6fd34864a7171e1
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663623337830.txt
Filesize
47KB
MD5
85f0252102664d6407a1f12016bd8d2d
SHA1
0dc2ac38c47c403821cfa6007782bfb38e4d7bc2
SHA256
0cb7fba553d7580b139fd62370e059e913593d9c4e443741b268c3de07008ce4
SHA512
7faaf2c3704c9d96481d691b99359553e30d7f4b6578acc6c716640b43f0cd0734463bd26b4bf6f6d886ef6842d9650ed8a6a4a7b5dbac0332b265c61ec112d1
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671211214398.txt
Filesize
74KB
MD5
f0d121798a0cc14addb4b779cd98dafc
SHA1
13ba5323f6d6705079d1c63eef17488f13f5ab0f
SHA256
e8457fcb652efe77dd1912a631bf7981c51dcebab263b6d595dcfc34c33fdf4b
SHA512
4df2ed84bd1180a24ecfc4f901d977a5286400f00494b3fb88158db11f91a91388c93ce402e8a1f081de676a06d31d8c84dcc2b955e805ca70a8e0a3f23df1b9
-
Filesize
352KB
MD5
1e1def42d14365acdde0fab027ab4f73
SHA1
076c52faa6c76610fca15b8533e81bf8ba8133a8
SHA256
92b375015b3867f10a9cd94b6474986bf24c70e2d40b3280ceeec2331265be23
SHA512
c93298bc25a818114018cb51a3b0e4c3137b46633dabb6a17303f12473e58d64e19c39c14f307c0df9e0e4202171d2ab22eaef2bf3f7b35e5b9b7a114eb7d722
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e