Analysis
-
max time kernel
139s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64
arch:x86
image:win10v2004-20241007-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
09-10-2024 00:43
Static task
static1
Behavioral task
behavioral1
Sample
27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
-
Size
388KB
-
MD5
27e887aa14f3890a72f06ec5d0759f20
-
SHA1
8bacf22533725fd98c254c8eb6852edbe225a0ef
-
SHA256
91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267
-
SHA512
56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089
-
SSDEEP
12288:LhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:F4DRw7325gPh
Malware Config
Extracted
Path
C:\Program Files\7-Zip\Lang\Recovery+mbovf.txt
Family
teslacrypt
C2
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/3469FBB2D6B9F5
http://kkd47eh4hdjshb5t.angortra.at/3469FBB2D6B9F5
http://ytrest84y5i456hghadefdsd.pontogrot.com/3469FBB2D6B9F5
http://xlowfznrg4wf7dli.ONION/3469FBB2D6B9F5
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | hqqdstavuxui.exe
-
Drops startup file 6 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mbovf.html | hqqdstavuxui.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4380 | hqqdstavuxui.exe
4236 | hqqdstavuxui.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lashxexusfaj = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\hqqdstavuxui.exe\"" | hqqdstavuxui.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 4888 set thread context of 1044 | 4888 | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
PID 4380 set thread context of 4236 | 4380 | hqqdstavuxui.exe | hqqdstavuxui.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-200.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-32_altform-unplated.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-16_altform-unplated.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Styling\css\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_TeethSmile.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-100.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-36.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated_contrast-black.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square44x44Logo.scale-200.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-400_contrast-white.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-125.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-256_altform-unplated.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gu\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_altform-unplated_contrast-black.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-100.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-100_contrast-white.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-100.jpg | hqqdstavuxui.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_home.targetsize-48.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-unplated_contrast-white.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16_altform-unplated.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\TextConv\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Internet Explorer\images\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-200.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+mbovf.html | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\Recovery+mbovf.txt | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\Recovery+mbovf.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\MedTile.scale-200.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-200.png | hqqdstavuxui.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt | hqqdstavuxui.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\hqqdstavuxui.exe | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
File opened for modification | C:\Windows\hqqdstavuxui.exe | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hqqdstavuxui.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hqqdstavuxui.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | hqqdstavuxui.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
3092 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4236 | hqqdstavuxui.exe (64 identical entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid | process
1548 | msedge.exe (6 identical entries)
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1044 | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Token: SeDebugPrivilege | 4236 | hqqdstavuxui.exe
Token: SeIncreaseQuotaPrivilege | 3812 | WMIC.exe
Token: SeSecurityPrivilege | 3812 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3812 | WMIC.exe
Token: SeLoadDriverPrivilege | 3812 | WMIC.exe
Token: SeSystemProfilePrivilege | 3812 | WMIC.exe
Token: SeSystemtimePrivilege | 3812 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3812 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3812 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3812 | WMIC.exe
Token: SeBackupPrivilege | 3812 | WMIC.exe
Token: SeRestorePrivilege | 3812 | WMIC.exe
Token: SeShutdownPrivilege | 3812 | WMIC.exe
Token: SeDebugPrivilege | 3812 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3812 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3812 | WMIC.exe
Token: SeUndockPrivilege | 3812 | WMIC.exe
Token: SeManageVolumePrivilege | 3812 | WMIC.exe
Token: 33 | 3812 | WMIC.exe
Token: 34 | 3812 | WMIC.exe
Token: 35 | 3812 | WMIC.exe
Token: 36 | 3812 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1020 | WMIC.exe
Token: SeSecurityPrivilege | 1020 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1020 | WMIC.exe
Token: SeLoadDriverPrivilege | 1020 | WMIC.exe
Token: SeSystemProfilePrivilege | 1020 | WMIC.exe
Token: SeSystemtimePrivilege | 1020 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1020 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1020 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1020 | WMIC.exe
Token: SeBackupPrivilege | 1020 | WMIC.exe
Token: SeRestorePrivilege | 1020 | WMIC.exe
Token: SeShutdownPrivilege | 1020 | WMIC.exe
Token: SeDebugPrivilege | 1020 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1020 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1020 | WMIC.exe
Token: SeUndockPrivilege | 1020 | WMIC.exe
Token: SeManageVolumePrivilege | 1020 | WMIC.exe
Token: 33 | 1020 | WMIC.exe
Token: 34 | 1020 | WMIC.exe
Token: 35 | 1020 | WMIC.exe
Token: 36 | 1020 | WMIC.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid | process
1548 | msedge.exe (25 identical entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process
1548 | msedge.exe (24 identical entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4888 wrote to memory of 1044 | 4888 | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe (10 identical entries)
PID 1044 wrote to memory of 4380 | 1044 | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe | hqqdstavuxui.exe (3 identical entries)
PID 1044 wrote to memory of 2432 | 1044 | 27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe | cmd.exe (3 identical entries)
PID 4380 wrote to memory of 4236 | 4380 | hqqdstavuxui.exe | hqqdstavuxui.exe (10 identical entries)
PID 4236 wrote to memory of 3812 | 4236 | hqqdstavuxui.exe | WMIC.exe (2 identical entries)
PID 4236 wrote to memory of 3092 | 4236 | hqqdstavuxui.exe | NOTEPAD.EXE (3 identical entries)
PID 4236 wrote to memory of 1548 | 4236 | hqqdstavuxui.exe | msedge.exe (2 identical entries)
PID 1548 wrote to memory of 2608 | 1548 | msedge.exe | msedge.exe (2 identical entries)
PID 4236 wrote to memory of 1020 | 4236 | hqqdstavuxui.exe | WMIC.exe (2 identical entries)
PID 1548 wrote to memory of 1088 | 1548 | msedge.exe | msedge.exe (27 identical entries)
-
System policy modification 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hqqdstavuxui.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | hqqdstavuxui.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4888
-
  C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
  -
    C:\Windows\hqqdstavuxui.exe
    Command line: C:\Windows\hqqdstavuxui.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4380
    -
      C:\Windows\hqqdstavuxui.exe
      Command line: C:\Windows\hqqdstavuxui.exe
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:4236
      -
        C:\Windows\System32\wbem\WMIC.exe
        Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
        PID:3812
        -
        C:\Windows\SysWOW64\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        - System Location Discovery: System Language Discovery
        - Opens file in notepad (likely ransom note)
        PID:3092
        -
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID:1548
        -
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe15e46f8,0x7fffe15e4708,0x7fffe15e4718
          PID:2608
          -
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
          PID:1088
          -
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
          PID:4560
          -
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
          PID:3284
          -
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
          PID:3024
          -
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
          PID:1544
          -
          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
          PID:2956
          -
          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
          PID:4828
          -
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
          PID:1020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:16⤵PID:312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:16⤵PID:2516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13851315614153058542,3068810585718913793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:16⤵PID:5016
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HQQDST~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\27E887~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:2432
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2752
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5016
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads

Filesize: 9KB
MD5: c98c6ad2efc850a8b979f5b9b2e10363
SHA1: 04cbe100397c3325d83d61a9b9dcf4c1e042939d
SHA256: 98b858121d11b2cd7082c54a142b58727fda604e14a7ba4f68c78c0f511dc197
SHA512: c53a95d3b192bc45f102397a2c0a74ef0839396e5a916ed6ba8dc4ad86212cd9aec89ac9f091548583582baa63ccd09f5ad9c785c4955318f5f39681a8d8a2fa

Filesize: 62KB
MD5: 2ff046217fc97d4e279d82323f2133bd
SHA1: 3227d13418ef1fa6dbab509075ba5e8ca277e4c0
SHA256: 79da2a0c3dd9258c19e4b3d5ba30e949a374bd5a2f89195047e74f07fe20f7d7
SHA512: ebdc8d78d67a9a6ae8b3e00960fbfdc3a6552f0e556ea8acb5f3bac05ff8acd72e71c03b912f74042a023e6c828676554ae92773a3b783264d925346edfaf1c4

Filesize: 1KB
MD5: a0c006e361b1213c6ed6ff9aeefd2ff5
SHA1: d4aaf5c8f5e97cc1eebcbb12c1964c212424b544
SHA256: 0444e04e53ded14d6aef009cc98a47dbdcbc35eefcdf66e97ca7b75df1e42086
SHA512: 82af6a10c10045c9a4d1ca89e826fe9a3bbd61123d8c00556a5cce5d548a28b71d5794fb787642bd0d828a1aa5b6d886bd97aac208a7c12256c3908e59b30da2

Filesize: 560B
MD5: 264d2cf565ee69e80afebe36167fc21e
SHA1: 92d1143361479037c06c709ddab3d1587d71aecb
SHA256: 9ad24098ae925137dd39fa6771dbb99a305215053002a942ea57315c682931fd
SHA512: 3e6c0ea0273f22271931d55ed25cde43bbbb7a8a2815b4d08708dbd68f21c9646feaab4e6915291b1dfd17177b2b91a84c3b3bc2fc87cf5dc412a63c9c2e5594

Filesize: 560B
MD5: e8fdc412cc3a8c336fc2a2874352f89a
SHA1: 41e23e0c5ded26de10c433ec0fef2b8e75fd924b
SHA256: 02a560b271b8e75663cf67e682696ea254f611f83015a549686c74ed86896ffc
SHA512: da9cd29c02340a88669e5ee805d23c01043e91486957664a9821d251506c4ac0274a94486de51d3884ae19ba94c7659964819538495aaab5ee22c68a768550e7

Filesize: 416B
MD5: fa7d3963e4627be19be1b3624f72bb56
SHA1: 8f9f935fb2420ca1a1ae6be5ad7c2a65f73d19c5
SHA256: 521751980847077af26cd37092ab877bdf1c39b7cc827ab38b8e8aebe9d80af8
SHA512: 55f0cae360162859fc0b855e72156359ead4c799720b4df4106597f5a31fbbb92d3ecb1330958446454ea20caad06b2eb91240349c63f57251e888ab516f41a4

Filesize: 152B
MD5: 7de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1: 010da169e15457c25bd80ef02d76a940c1210301
SHA256: 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512: e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Filesize: 152B
MD5: 85ba073d7015b6ce7da19235a275f6da
SHA1: a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA256: 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512: eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Filesize: 6KB
MD5: 971e1646ce9d8c805bc6d0eb48b3662b
SHA1: f97bfbbc7248c7b716b14a80c2a10ac4e15d4265
SHA256: 13bd8f1f103efc5fe78096fd354195bafd11c419f476194453a91661075c8c93
SHA512: 0e1b3bbc47d94d39c7fda24a5044bf305fb41a7a1eb8afd82327c3149c2fe29514c0bd884c18fede5e147624fcff578fccd4f09ba983683e3ad5eeb3a25c4045

Filesize: 6KB
MD5: 35a16c0dcdaa9bf10227bf1a9b857f50
SHA1: 347ca4d95454f78d874778d0d303a0b4865fb14b
SHA256: ca3241fd418b4a945bdd8d3df72029a32b6dedece8851d68af617ff902898043
SHA512: 4d8da2f03daa58a2490eef9897ff1e7ff9e1837e9094e6c336becd24b2ef995a329f8915829cc02addc3b392506c86bfc457c7ecc065c3bf9e70f789f48feec2

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 10KB
MD5: 7479a1bb955d46a73c8f004651e9936f
SHA1: 3dcb15a02a4dfc6e92fd2d081a70a1bfa6a51632
SHA256: b80f3eec3efe7ef187e97461ee3d24a87b22c893b70033cb491d1cbf8890c34c
SHA512: d63a347c263e54144b0691cde309b04bb043000ef2ade17e8e8d0555261e5ad96ace9a184309050e72c6c57c5908c5d17cd273963440d0162c5b99104fbc67a4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt
Filesize: 77KB
MD5: ee53721a8b720f1fe444def7d29c3bee
SHA1: 2d6d641db56d689555afa8d2e33e545321c7c25a
SHA256: a52c562d81dc6e283302010223d890334b298ded534f0ca6ccdd883e33c717b7
SHA512: f325cbd12b205f8664247f752dfbfb2dfe8512f0b1bb6093f2acd57b6c3aa07a9eb3fc1d82239aff6c158fafed93a4f1eb890c53a175afe61ce96cd6d2a69d37

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt
Filesize: 47KB
MD5: fc578ea49c8081e4b208aa9b6c4aa3a0
SHA1: 85fca7dc0c14f632c121ddc642db44d31320df53
SHA256: c4048f9b391fdc962bbf705f2df3e79e5f4120ecb1c31c2c9faecf13a24f7c94
SHA512: 043614237755ead7e352643c0ecc0c53899095b25c49fca2b320638e9112133bf94dc706fbfef58d93e08c613641c3b3d5467e3d210b4e00720f00f25099743c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt
Filesize: 74KB
MD5: d603c18d2cbc50635f5590202c96ab16
SHA1: f96fa315cb7ab5173c5e550e32ddecb237bb3dff
SHA256: 85f41bf54c33c1c786f834ca7bdc375fab0a1e6710f27087ff91722fe6060fa0
SHA512: c68ef3e947d121622ea1c3432c8553626a37f37a665277b16d942f97bdfc50b45ec35e62077a75dea5f21061ccb997abe970747cb053be5e480b1ab8e7ebac7d

Filesize: 388KB
MD5: 27e887aa14f3890a72f06ec5d0759f20
SHA1: 8bacf22533725fd98c254c8eb6852edbe225a0ef
SHA256: 91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267
SHA512: 56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e