Analysis
-
max time kernel
143s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 04:45
Static task
static1
Behavioral task
behavioral1
Sample
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe
-
Size
388KB
-
MD5
2b15e8b996a5e439f4bb7c9e98a2ae0e
-
SHA1
a8dd6a2388e0e75add58a86bc0b72448e969e7c5
-
SHA256
0349b7b5d9d720f8c454b69716f21346967bfff297ac2f6ceec40ce80747054d
-
SHA512
ed6e2b79df27034d2f72230db1b3c83ed1d5acdc6cdae3ce9ce456884f682a18cfe6995b7169cb6c7cca668d662d0e72b6bd971799de5e5e0e280df3d089e1d3
-
SSDEEP
12288:z+QA5i2ipjoMARxOJ7dLQsNeqKLGrDh/:CngLpjoMARxOJJsLLG5/
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+edpcn.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C8C275FE92390A1
http://kkd47eh4hdjshb5t.angortra.at/C8C275FE92390A1
http://ytrest84y5i456hghadefdsd.pontogrot.com/C8C275FE92390A1
http://xlowfznrg4wf7dli.ONION/C8C275FE92390A1
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (874) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exeneonlufikumn.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation neonlufikumn.exe -
Drops startup file 6 IoCs
Processes:
neonlufikumn.exedescription ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+edpcn.txt neonlufikumn.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+edpcn.txt neonlufikumn.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+edpcn.html neonlufikumn.exe -
Executes dropped EXE 2 IoCs
Processes:
neonlufikumn.exeneonlufikumn.exepid Process 5100 neonlufikumn.exe 1776 neonlufikumn.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
neonlufikumn.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jvtqlgolsjdy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\neonlufikumn.exe\"" neonlufikumn.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exeneonlufikumn.exedescription pid Process procid_target PID 2900 set thread context of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 5100 set thread context of 1776 5100 neonlufikumn.exe 93 -
Drops file in Program Files directory 64 IoCs
Processes:
neonlufikumn.exedescription ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-150.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_contrast-white.png neonlufikumn.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lo\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-24_contrast-black.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_contrast-black.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_contrast-white.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-125.png neonlufikumn.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\reader\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-fullcolor.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-200.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\BlurredGradientBackground.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-125.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-125.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-64.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\MutableBackup\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\Recovery+edpcn.txt neonlufikumn.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\162.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-200.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-150.png neonlufikumn.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\th-TH\Recovery+edpcn.txt neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-100.png neonlufikumn.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-60_altform-unplated_contrast-white.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png neonlufikumn.exe File opened for modification C:\Program Files\ModifiableWindowsApps\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-150.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\Recovery+edpcn.html neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\Recovery+edpcn.txt neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppUpdate.svg neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-32_contrast-white.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x86\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\Recovery+edpcn.txt neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated_contrast-white.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-256_altform-unplated.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-TW\View3d\Recovery+edpcn.txt neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\search_emptystate.png neonlufikumn.exe File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\Recovery+edpcn.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-20.png neonlufikumn.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png neonlufikumn.exe -
Drops file in Windows directory 2 IoCs
Processes:
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exedescription ioc Process File opened for modification C:\Windows\neonlufikumn.exe 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe File created C:\Windows\neonlufikumn.exe 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exeneonlufikumn.exeNOTEPAD.EXEcmd.exe2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exeneonlufikumn.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language neonlufikumn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language neonlufikumn.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
neonlufikumn.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings neonlufikumn.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid Process 3668 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
neonlufikumn.exepid Process 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe 1776 neonlufikumn.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid Process 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exeneonlufikumn.exeWMIC.exeWMIC.exedescription pid Process Token: SeDebugPrivilege 3292 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe Token: SeDebugPrivilege 1776 neonlufikumn.exe Token: SeIncreaseQuotaPrivilege 2732 WMIC.exe Token: SeSecurityPrivilege 2732 WMIC.exe Token: SeTakeOwnershipPrivilege 2732 WMIC.exe Token: SeLoadDriverPrivilege 2732 WMIC.exe Token: SeSystemProfilePrivilege 2732 WMIC.exe Token: SeSystemtimePrivilege 2732 WMIC.exe Token: SeProfSingleProcessPrivilege 2732 WMIC.exe Token: SeIncBasePriorityPrivilege 2732 WMIC.exe Token: SeCreatePagefilePrivilege 2732 WMIC.exe Token: SeBackupPrivilege 2732 WMIC.exe Token: SeRestorePrivilege 2732 WMIC.exe Token: SeShutdownPrivilege 2732 WMIC.exe Token: SeDebugPrivilege 2732 WMIC.exe Token: SeSystemEnvironmentPrivilege 2732 WMIC.exe Token: SeRemoteShutdownPrivilege 2732 WMIC.exe Token: SeUndockPrivilege 2732 WMIC.exe Token: SeManageVolumePrivilege 2732 WMIC.exe Token: 33 2732 WMIC.exe Token: 34 2732 WMIC.exe Token: 35 2732 WMIC.exe Token: 36 2732 WMIC.exe Token: SeIncreaseQuotaPrivilege 5000 WMIC.exe Token: SeSecurityPrivilege 5000 WMIC.exe Token: SeTakeOwnershipPrivilege 5000 WMIC.exe Token: SeLoadDriverPrivilege 5000 WMIC.exe Token: SeSystemProfilePrivilege 5000 WMIC.exe Token: SeSystemtimePrivilege 5000 WMIC.exe Token: SeProfSingleProcessPrivilege 5000 WMIC.exe Token: SeIncBasePriorityPrivilege 5000 WMIC.exe Token: SeCreatePagefilePrivilege 5000 WMIC.exe Token: SeBackupPrivilege 5000 WMIC.exe Token: SeRestorePrivilege 5000 WMIC.exe Token: SeShutdownPrivilege 5000 WMIC.exe Token: SeDebugPrivilege 5000 WMIC.exe Token: SeSystemEnvironmentPrivilege 5000 WMIC.exe Token: SeRemoteShutdownPrivilege 5000 WMIC.exe Token: SeUndockPrivilege 5000 WMIC.exe Token: SeManageVolumePrivilege 5000 WMIC.exe Token: 33 5000 WMIC.exe Token: 34 5000 WMIC.exe Token: 35 5000 WMIC.exe Token: 36 5000 WMIC.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid Process 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid Process 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe 4992 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exeneonlufikumn.exeneonlufikumn.exemsedge.exedescription pid Process procid_target PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 2900 wrote to memory of 3292 2900 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 88 PID 3292 wrote to memory of 5100 3292 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 89 PID 3292 wrote to memory of 5100 3292 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 89 PID 3292 wrote to memory of 5100 3292 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 89 PID 3292 wrote to memory of 936 3292 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 90 PID 3292 wrote to memory of 936 3292 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 90 PID 3292 wrote to memory of 936 3292 2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe 90 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 5100 wrote to memory of 1776 5100 neonlufikumn.exe 93 PID 1776 wrote to memory of 2732 1776 neonlufikumn.exe 94 PID 1776 wrote to memory of 2732 1776 neonlufikumn.exe 94 PID 1776 wrote to memory of 3668 1776 neonlufikumn.exe 97 PID 1776 wrote to memory of 3668 1776 neonlufikumn.exe 97 PID 1776 wrote to memory of 3668 1776 neonlufikumn.exe 97 PID 1776 wrote to memory of 4992 1776 neonlufikumn.exe 98 PID 1776 wrote to memory of 4992 1776 neonlufikumn.exe 98 PID 4992 wrote to memory of 4860 4992 msedge.exe 99 PID 4992 wrote to memory of 4860 4992 msedge.exe 99 PID 1776 wrote to memory of 5000 1776 neonlufikumn.exe 100 PID 1776 wrote to memory of 5000 1776 neonlufikumn.exe 100 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 PID 4992 wrote to memory of 2040 4992 msedge.exe 102 -
System policy modification 1 TTPs 2 IoCs
Processes:
neonlufikumn.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System neonlufikumn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" neonlufikumn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\neonlufikumn.exeC:\Windows\neonlufikumn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\neonlufikumn.exeC:\Windows\neonlufikumn.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1776 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcdbe46f8,0x7ffdcdbe4708,0x7ffdcdbe47186⤵PID:4860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:26⤵PID:2040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:36⤵PID:3208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:86⤵PID:3960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:16⤵PID:4484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:16⤵PID:952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:86⤵PID:3112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:86⤵PID:4460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:16⤵PID:2228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:16⤵PID:5012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:16⤵PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:16⤵PID:2828
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NEONLU~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:812
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B15E8~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:936
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:116
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3936
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD59f2ce839a50d3ce49fca05a3a1b9a537
SHA11a9a0a8249974374bdbebe471dbe89e9730dd8d0
SHA2566c3aef33cf573034457346e90e2a0a1be069d061a37cab3074ddaac03cfff804
SHA51297824205868ab4d558ea667f3184c18811d589dd56363ab97306cd264a11d44b6786933318d296f03aa63587df68c611c5bd9ddde699b1fe8adb4b45ef9ef5cf
-
Filesize
63KB
MD5b90dbd7f0117f42ed44f24694ac4efa3
SHA1b2ac904b64e9a7c5ae7744074f5827976fec6905
SHA256b6f7b7bd0f7e7dd87147a3ea8274ac534ab1f3c800e457605f79e977869e8e9c
SHA512b0621aceb38fc68ded8434e1ce3b31e6b7bae38a0b5e0caebf870b98c08277bd87d2f7ee9ef7005d63bbd9c93c7d377e74dc1472e0d8ec771f9b05a0d83b9114
-
Filesize
1KB
MD54171dd001d475f64250a7f53b2001fbf
SHA1ced55b74676c77a700765d3c93a13051d02b5a2c
SHA256bee70f4edd1422179d6f27ee784170cd81ddc642f690cab359b2d5f42d4e6f32
SHA5121552cfc5b5f6e2b8a8f9de5097f3f2733f5ef29b1748aedb8e43f0a119b9e0332987db568c5374cbad3992323bdda2b1a216fb7faaf4fc7e0f09f3fd9072e84c
-
Filesize
560B
MD5b741d7d9b9ae336d8cd9513ac983f2b0
SHA104853a70c695c3c565d965444c1ae07e20cdb96a
SHA25617acf4a96e09be7f1c82fb50f294aca9829152f55fe3f2ecf66aef4e6a06879d
SHA512f79682db3490aafe72adb25fc0ea4bed7dca05883c63dab0c90c8d97f664635afda09ea04166731d7b2ec11a5603796f721723629128693a3965bea21cca62e8
-
Filesize
560B
MD541635229c6364820b3e02402808325d2
SHA15afa15c1d6ec150edc6e954a418ecd0bb0d63a97
SHA2568eb471e9853eeaad2ae2aa456906a8cbaeb703c30e4302f97776276096a4e2f0
SHA5123744775f83f1141f7fcfe76446faf13de0e863649b5dc09ec0d443953783cac0d8b56cac1a891325761939428bd8d532059455999854ca1129a1ea80bc299553
-
Filesize
416B
MD52fda0670b12cd2621f1cbee7aa138d93
SHA120025f231644172a8b9860569a5d812d925b207e
SHA25631c118ee96380eb582ad5ae91afe25b45b8b42d941eaef9bbac0588934e1528b
SHA512e2b87d8a95ebbbf4de2a0ab83c515bf6001c54d165ab8f8e477ee62cb898d953b87e28011911d9600d2421f40170012cc6ed346d555a9881eec851eca58de957
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
6KB
MD571ef29a133cc3711593386c6aa3ab241
SHA1504925a5492c55ca5dbe76e725aaf67821c27e4e
SHA256b5efed9add5c382f21d2db723d6cbed7cb0b058c576e44e01a4a477d7a5725a3
SHA512dd80961a45508dd46c094087ec7909c804b92b425923e788602b505d90cebb2c9343b8aacd71c897ac2b13d453061aa75066cace609653c85e776a710a8ca4bb
-
Filesize
6KB
MD5bfc2e35ef5a5b8d9a140de8c2011c6dd
SHA1774e9c25ad175477fb79fa94940b83b343e06a58
SHA2565f43ff12e75809b741e617dd50c347dd68024d8002a821941b610ea610c55217
SHA512572824c2db5ba38ed254c9e3a306ab99be29e7df200c549dab3e3052e2cbddfbfc81908f9fd4ebd3021bac37d1891f4a3f4e043776d314c2ba9b703c381f9158
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5fd14cd9d85d7be297650c7a05b933144
SHA125ce75b91bf7bb9903058060756989b0220e2f43
SHA256ec4c46552aa02bb97f7ca8c945c6a6e4d6af7269f280b14e0fa67cc720f57a32
SHA5125c1a99a3cd40e9b30013f8c403a8f83e9ad48406be45aab7111575a388648e1473170780d95b5832fed21ab49f30d4dfc162d4ac917464db30d93327040898b3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662717143618.txt
Filesize77KB
MD58a28b0a59d9c649daebd3e98b70d4cf6
SHA17af4ea002ec63949bd77b0fed7dbe24911770a5b
SHA256bb21e35d6027cac0c8dc96b82d7ee3c4b372242122a5dce097800c39ab34fd5c
SHA5124969c596b778b115bb39721b4b4c2d335e4094d05080faad030bad1931048ac05ab158f317cdd2c5f60a8cf18fe01aff8bc924239bf4ef2a8f6eb3f88f943047
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663983438946.txt
Filesize47KB
MD5be38a7f48772929b3d9fc2628ce9bbf1
SHA18776b4e047be2efb9e22efa4478dfd44a779b45e
SHA256194fb3455bddd99579638847b9378eb33e7a341daddaf6175f46b407efc1fcd9
SHA512a2acb195e94cba5859a4a463e8ac798e9544900217e37d34904319877518eedd70463b9597f09ee19736ba26c84247b493d12ba3bbc7859c5c85591b071b12b4
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671578469739.txt
Filesize74KB
MD551f35e856ae302eb7977f22fb6a5bd40
SHA1be654ac6eaf62b9247bad8c11bd22a9fab5a3f62
SHA256d2ef30427844571b272d4e407c64d9b7761d08147907821057aaff89be4e44b3
SHA512e4668e4240d251da6ba04b4396602900b70c1f7c34dd26d72a83a11ee301ddc64135031b3d6e00c028b3d045d156ed2ca2b687aa5feb425026a710a8814ae23b
-
Filesize
388KB
MD52b15e8b996a5e439f4bb7c9e98a2ae0e
SHA1a8dd6a2388e0e75add58a86bc0b72448e969e7c5
SHA2560349b7b5d9d720f8c454b69716f21346967bfff297ac2f6ceec40ce80747054d
SHA512ed6e2b79df27034d2f72230db1b3c83ed1d5acdc6cdae3ce9ce456884f682a18cfe6995b7169cb6c7cca668d662d0e72b6bd971799de5e5e0e280df3d089e1d3
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e