Analysis
-
max time kernel
138s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 10:24
Static task
static1
Behavioral task
behavioral1
Sample
2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe
-
Size
328KB
-
MD5
2f69faa2bacccf5a61b7c7996c558f4c
-
SHA1
172c3b8d22eb08f491d4c90cd86aaa21b95f5b95
-
SHA256
ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585
-
SHA512
712184c799086b5c03605ede0adac41695d620aaa5fe74dee82e30e4fa4d440672b2b2af473233c99de17bce511ccd7641b9562363aa875d6e954554d6f38578
-
SSDEEP
6144:F4MKA86q6kcKPqCAOFPmvSNQgstAw/u5jp2hnU4ZcRdN1Sgg68:F9x1KNRmKN+/Mk3eBU
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECoVERY_+yrljd.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8893394541F7852A
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8893394541F7852A
http://yyre45dbvn2nhbefbmh.begumvelic.at/8893394541F7852A
http://xlowfznrg4wf7dli.ONION/8893394541F7852A
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (866) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exenlxqbdyodgqo.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation nlxqbdyodgqo.exe -
Drops startup file 6 IoCs
Processes:
nlxqbdyodgqo.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe -
Executes dropped EXE 1 IoCs
Processes:
nlxqbdyodgqo.exepid process 1052 nlxqbdyodgqo.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
nlxqbdyodgqo.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgdwtaefoedo = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\nlxqbdyodgqo.exe\"" nlxqbdyodgqo.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
Processes:
nlxqbdyodgqo.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Styling\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96_altform-unplated.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\SplashScreen.scale-200.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalStoreLogo.scale-125_contrast-white.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-32.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-black.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-125_contrast-black.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-100.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-unplated_contrast-white.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\dotnet\host\fxr\6.0.27\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-unplated_contrast-black.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-64.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-300.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\View3d\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\Internet Explorer\fr-FR\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-125.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-150.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-150.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ar-SA\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\management\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentDesktop_144x56.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-unplated.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-32_altform-unplated.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-black_scale-100.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_contrast-high.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_2_Loud.m4a nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_pound.m4a nlxqbdyodgqo.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_RECoVERY_+yrljd.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-125.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_altform-unplated_contrast-white.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-32.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fi-FI\_RECoVERY_+yrljd.html nlxqbdyodgqo.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-150.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-400.png nlxqbdyodgqo.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_RECoVERY_+yrljd.txt nlxqbdyodgqo.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-black.png nlxqbdyodgqo.exe -
Drops file in Windows directory 2 IoCs
Processes:
2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exedescription ioc process File created C:\Windows\nlxqbdyodgqo.exe 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe File opened for modification C:\Windows\nlxqbdyodgqo.exe 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
NOTEPAD.EXEcmd.exe2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exenlxqbdyodgqo.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nlxqbdyodgqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies registry class 1 IoCs
Processes:
nlxqbdyodgqo.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings nlxqbdyodgqo.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2452 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
nlxqbdyodgqo.exepid process 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe 1052 nlxqbdyodgqo.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exenlxqbdyodgqo.exeWMIC.exevssvc.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2848 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe Token: SeDebugPrivilege 1052 nlxqbdyodgqo.exe Token: SeIncreaseQuotaPrivilege 3256 WMIC.exe Token: SeSecurityPrivilege 3256 WMIC.exe Token: SeTakeOwnershipPrivilege 3256 WMIC.exe Token: SeLoadDriverPrivilege 3256 WMIC.exe Token: SeSystemProfilePrivilege 3256 WMIC.exe Token: SeSystemtimePrivilege 3256 WMIC.exe Token: SeProfSingleProcessPrivilege 3256 WMIC.exe Token: SeIncBasePriorityPrivilege 3256 WMIC.exe Token: SeCreatePagefilePrivilege 3256 WMIC.exe Token: SeBackupPrivilege 3256 WMIC.exe Token: SeRestorePrivilege 3256 WMIC.exe Token: SeShutdownPrivilege 3256 WMIC.exe Token: SeDebugPrivilege 3256 WMIC.exe Token: SeSystemEnvironmentPrivilege 3256 WMIC.exe Token: SeRemoteShutdownPrivilege 3256 WMIC.exe Token: SeUndockPrivilege 3256 WMIC.exe Token: SeManageVolumePrivilege 3256 WMIC.exe Token: 33 3256 WMIC.exe Token: 34 3256 WMIC.exe Token: 35 3256 WMIC.exe Token: 36 3256 WMIC.exe Token: SeIncreaseQuotaPrivilege 3256 WMIC.exe Token: SeSecurityPrivilege 3256 WMIC.exe Token: SeTakeOwnershipPrivilege 3256 WMIC.exe Token: SeLoadDriverPrivilege 3256 WMIC.exe Token: SeSystemProfilePrivilege 3256 WMIC.exe Token: SeSystemtimePrivilege 3256 WMIC.exe Token: SeProfSingleProcessPrivilege 3256 WMIC.exe Token: SeIncBasePriorityPrivilege 3256 WMIC.exe Token: SeCreatePagefilePrivilege 3256 WMIC.exe Token: SeBackupPrivilege 3256 WMIC.exe Token: SeRestorePrivilege 3256 WMIC.exe Token: SeShutdownPrivilege 3256 WMIC.exe Token: SeDebugPrivilege 3256 WMIC.exe Token: SeSystemEnvironmentPrivilege 3256 WMIC.exe Token: SeRemoteShutdownPrivilege 3256 WMIC.exe Token: SeUndockPrivilege 3256 WMIC.exe Token: SeManageVolumePrivilege 3256 WMIC.exe Token: 33 3256 WMIC.exe Token: 34 3256 WMIC.exe Token: 35 3256 WMIC.exe Token: 36 3256 WMIC.exe Token: SeBackupPrivilege 3536 vssvc.exe Token: SeRestorePrivilege 3536 vssvc.exe Token: SeAuditPrivilege 3536 vssvc.exe Token: SeIncreaseQuotaPrivilege 3028 WMIC.exe Token: SeSecurityPrivilege 3028 WMIC.exe Token: SeTakeOwnershipPrivilege 3028 WMIC.exe Token: SeLoadDriverPrivilege 3028 WMIC.exe Token: SeSystemProfilePrivilege 3028 WMIC.exe Token: SeSystemtimePrivilege 3028 WMIC.exe Token: SeProfSingleProcessPrivilege 3028 WMIC.exe Token: SeIncBasePriorityPrivilege 3028 WMIC.exe Token: SeCreatePagefilePrivilege 3028 WMIC.exe Token: SeBackupPrivilege 3028 WMIC.exe Token: SeRestorePrivilege 3028 WMIC.exe Token: SeShutdownPrivilege 3028 WMIC.exe Token: SeDebugPrivilege 3028 WMIC.exe Token: SeSystemEnvironmentPrivilege 3028 WMIC.exe Token: SeRemoteShutdownPrivilege 3028 WMIC.exe Token: SeUndockPrivilege 3028 WMIC.exe Token: SeManageVolumePrivilege 3028 WMIC.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe 3224 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exenlxqbdyodgqo.exemsedge.exedescription pid process target process PID 2848 wrote to memory of 1052 2848 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe nlxqbdyodgqo.exe PID 2848 wrote to memory of 1052 2848 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe nlxqbdyodgqo.exe PID 2848 wrote to memory of 1052 2848 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe nlxqbdyodgqo.exe PID 2848 wrote to memory of 1604 2848 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe cmd.exe PID 2848 wrote to memory of 1604 2848 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe cmd.exe PID 2848 wrote to memory of 1604 2848 2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe cmd.exe PID 1052 wrote to memory of 3256 1052 nlxqbdyodgqo.exe WMIC.exe PID 1052 wrote to memory of 3256 1052 nlxqbdyodgqo.exe WMIC.exe PID 1052 wrote to memory of 2452 1052 nlxqbdyodgqo.exe NOTEPAD.EXE PID 1052 wrote to memory of 2452 1052 nlxqbdyodgqo.exe NOTEPAD.EXE PID 1052 wrote to memory of 2452 1052 nlxqbdyodgqo.exe NOTEPAD.EXE PID 1052 wrote to memory of 3224 1052 nlxqbdyodgqo.exe msedge.exe PID 1052 wrote to memory of 3224 1052 nlxqbdyodgqo.exe msedge.exe PID 3224 wrote to memory of 2176 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 2176 3224 msedge.exe msedge.exe PID 1052 wrote to memory of 3028 1052 nlxqbdyodgqo.exe WMIC.exe PID 1052 wrote to memory of 3028 1052 nlxqbdyodgqo.exe WMIC.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 4084 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 1416 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 1416 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 2344 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 2344 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 2344 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 2344 3224 msedge.exe msedge.exe PID 3224 wrote to memory of 2344 3224 msedge.exe msedge.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
nlxqbdyodgqo.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nlxqbdyodgqo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" nlxqbdyodgqo.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f69faa2bacccf5a61b7c7996c558f4c_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\nlxqbdyodgqo.exeC:\Windows\nlxqbdyodgqo.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1052 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2452 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a25846f8,0x7ff9a2584708,0x7ff9a25847184⤵PID:2176
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:24⤵PID:4084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:34⤵PID:1416
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:84⤵PID:2344
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:14⤵PID:2272
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:14⤵PID:436
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:84⤵PID:3832
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:84⤵PID:4708
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:14⤵PID:3564
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:14⤵PID:4496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:14⤵PID:3344
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,11712426192345568812,1112534757964996305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:14⤵PID:836
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NLXQBD~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2F69FA~1.EXE2⤵
- System Location Discovery: System Language Discovery
PID:1604
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1160
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2292
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5e9381f7f94428c6c22352966495bfde3
SHA194ded40b350d5fddc6a25fc6c5672ba0cd9ec3cc
SHA25640a217d73b85d8f763f3096a75ff333595c796120d5ac942084711e8c4ebde12
SHA512bcc4b9e09f375df9d503a3c330ba8b1820750742239249fb574940c89e0572f72c7cb78d032f12b9493fef4b4f777cf8be1d4d1c9886dc8ff90c2cc53aad4971
-
Filesize
64KB
MD5c98fd4f4e4111046da8570f59355525c
SHA16eaea70b862d88c0e0afef0164f60c5717becd59
SHA2562374e41d44f37dbe8474697a3f85e9f2a1dc63cbf60357b82f76235d90a84b7e
SHA5129449f611f28c10de95d671198b5a2978449dd277b5f9aeae559a80e4ad76c9c1bc0bd2a60827679154a7eb46b3c796dc65442641339e2a8dfe6324dcc20ea5ff
-
Filesize
1KB
MD5dea822b9e82378182fff8f6c6d271a5e
SHA1db42ee8686e6e64f05b177473bbb7de1b1d060df
SHA25645111c4d2dfd90feda0c38758668ecd73ec8f5f09f3bf41e16db52a64f79be9f
SHA512b8e5667530ce34a427d4a6cf10b10ee1b409204238fe049e54ec3f89bc8691cd92188df7a1424451bd2db62e0f1ec0c4d4f8c61e5a52ee96afbb550600e60e0d
-
Filesize
560B
MD514e767c9c7a84fadb6a59d221d704b81
SHA1bd43fb4a74131d025861aee6b5bc837b308ee10d
SHA2569a93cc084a15692de91d5a284d90401b73a81c670c0e6f83d6697ed6e12b138d
SHA5128f52c75d37fefe380cece5a46e3a7075a42fff63771782ad5fdcfe9a18bafc5b8e05f0b72411d04c787a72c9584e21745f750809fc1bcd99be375258c9ec8e54
-
Filesize
560B
MD57d97b92fc31e4b362c1a4c43ed61e374
SHA13486a15c609b3ee4ee6df500e37435a7ae1fce40
SHA25620fcbc1175f557da31e9b1bbe5d0547ac1bac38533b906077fe1745341fbce4c
SHA512ae7c202a89cceec15b5c25e48c61dda7ae0bc8fbb17013611e02913808e18c72bb5c4bca08a6e0b7c1593886e5302aad2867169a2737964afd9c153d98cde76f
-
Filesize
416B
MD58417ae8b3b10962284124bef418d9889
SHA1af5c651153c972ead6f8300f948bd70a4e0eddd1
SHA256c800c8d0c73b31c1e0815fe57dea00bac6da80be498f34f8a08116955f81bfe2
SHA5123d0b48790bebc52dc884e15810938bd97c6da7a831b563f7e528917ca0e640aab6e8bd752b72c4abd76f3175e12b363d18c6d40edafd841dbab458be947b5e89
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
6KB
MD54939e9a8a729bf4d93775fa15a82a597
SHA101bb0ff60bc1dccff62bd73e53c092d849b2b396
SHA256377bdc2f23fc48f0a04026b13949bb5c821a7d297dbb2040e85fe15ef8b8d17d
SHA512d56304aa0dfa56883c623fe27e6f3f768fa5a0138176751023dcffa0ff908fda6f65574230cc31467144c997e232525f378e359f233a5c9887a0c7d152a6aa6f
-
Filesize
6KB
MD53d1337a0393a40fc0bc481d31170d571
SHA1d8705ede88d40122a43828b89138069a623f776a
SHA2569a7e55acfbf5d31a595a4f8a41307db31784fb502d6eea6ca998783bc09f3c5d
SHA5120da4fce5baaea89994214c7bf52eb4e90de5828138d3f7e8b912d452c95a32c5074bbb22f46886893ef419b254b3f459cad428568b99f97a4df849f9b5ee09ce
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD525f981a5c7a8f7b5e7907196fce6de05
SHA136d08919aa6a22604c1e5c55cb98f9ffcc9ba3de
SHA2563d04428b174f5b9b0dc3786d4b0c6546f53456ca0c929e533a361de1513be792
SHA512e175890354d3dc8c2d5dcd89eda4617ecea67fc26244a15ef11c7408017665fd5bcaf65536d88177f0db3963a7d8d255e6cc110a817e1764521feb7b3b952816
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662824772148.txt
Filesize77KB
MD5c863f246d5b4d8c4efe409651482db9a
SHA1ac3feb42cca0af75f94690cd038662090e5b4dd4
SHA2564268361429015ba2365befa116d5533ddb8749a8bf23ae1f841f77f819a6f192
SHA512d9b356fa9f7d7c6db18a8ebfee0daa3412edcdd248a4fb80b74004b505ac452c01fd1e2da9e885a056e5999761c15e42df3094224b30b1379fd369c8156dd8f5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671764608349.txt
Filesize74KB
MD5496f47746a8edc8f70f1aecd00348ace
SHA10fa82769427a978bb34bf874d5386f3890ade55b
SHA256dd0bdc083cacf1c1061d5ff6a872704be2576355ab0a60a0052c115973d60758
SHA512d94afc7f9e518d3d688263a8c16dc45367475961b3bb6f4c52fbfcb6f6c7763f0e921ac9d8e8e1922e4b6a1287fe25e9a720429824a3fc92c3372a32be53edd3
-
Filesize
328KB
MD52f69faa2bacccf5a61b7c7996c558f4c
SHA1172c3b8d22eb08f491d4c90cd86aaa21b95f5b95
SHA256ac4a172dd0cec7582090313549f3adbba96a7aa11a1bb85f39da11246fa73585
SHA512712184c799086b5c03605ede0adac41695d620aaa5fe74dee82e30e4fa4d440672b2b2af473233c99de17bce511ccd7641b9562363aa875d6e954554d6f38578
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e