Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-10-2024 14:44
Static task
static1
Behavioral task
behavioral1
Sample
40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
-
Size
388KB
-
MD5
40707cdcd4220213b9ef2545043d6c99
-
SHA1
7f9d3ad1125de47368644e29b5d5cd515c6497e8
-
SHA256
6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f
-
SHA512
0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088
-
SSDEEP
6144:tYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:tnSdO0iNEPn+TGOoYzwscMSOXUIJ
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+wmegn.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C689C4D83559D785
http://kkd47eh4hdjshb5t.angortra.at/C689C4D83559D785
http://ytrest84y5i456hghadefdsd.pontogrot.com/C689C4D83559D785
http://xlowfznrg4wf7dli.ONION/C689C4D83559D785
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation vilotinklltm.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+wmegn.html vilotinklltm.exe -
Executes dropped EXE 2 IoCs
pid Process 4460 vilotinklltm.exe 3648 vilotinklltm.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thefkhsqaigp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\vilotinklltm.exe\"" vilotinklltm.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 908 set thread context of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 4460 set thread context of 3648 4460 vilotinklltm.exe 94 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-72_altform-unplated.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d9\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\165.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png vilotinklltm.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.scale-100.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-100.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-100_contrast-black.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-lightunplated.png vilotinklltm.exe File opened for modification C:\Program Files\Crashpad\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-125.png vilotinklltm.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-125.png vilotinklltm.exe File opened for modification C:\Program Files\Windows NT\Accessories\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\avatar_default_large.png vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100_contrast-black.png vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\190.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_contrast-white.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-125.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\Recovery+wmegn.html vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+wmegn.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16_altform-unplated.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40_altform-unplated.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-100.png vilotinklltm.exe File opened for modification C:\Program Files\Windows Media Player\fr-FR\Recovery+wmegn.txt vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-125.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-20.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24.png vilotinklltm.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-32_altform-unplated.png vilotinklltm.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\vilotinklltm.exe 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe File opened for modification C:\Windows\vilotinklltm.exe 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vilotinklltm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vilotinklltm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings vilotinklltm.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1840 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe 3648 vilotinklltm.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 3096 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe Token: SeDebugPrivilege 3648 vilotinklltm.exe Token: SeIncreaseQuotaPrivilege 556 WMIC.exe Token: SeSecurityPrivilege 556 WMIC.exe Token: SeTakeOwnershipPrivilege 556 WMIC.exe Token: SeLoadDriverPrivilege 556 WMIC.exe Token: SeSystemProfilePrivilege 556 WMIC.exe Token: SeSystemtimePrivilege 556 WMIC.exe Token: SeProfSingleProcessPrivilege 556 WMIC.exe Token: SeIncBasePriorityPrivilege 556 WMIC.exe Token: SeCreatePagefilePrivilege 556 WMIC.exe Token: SeBackupPrivilege 556 WMIC.exe Token: SeRestorePrivilege 556 WMIC.exe Token: SeShutdownPrivilege 556 WMIC.exe Token: SeDebugPrivilege 556 WMIC.exe Token: SeSystemEnvironmentPrivilege 556 WMIC.exe Token: SeRemoteShutdownPrivilege 556 WMIC.exe Token: SeUndockPrivilege 556 WMIC.exe Token: SeManageVolumePrivilege 556 WMIC.exe Token: 33 556 WMIC.exe Token: 34 556 WMIC.exe Token: 35 556 WMIC.exe Token: 36 556 WMIC.exe Token: SeIncreaseQuotaPrivilege 476 WMIC.exe Token: SeSecurityPrivilege 476 WMIC.exe Token: SeTakeOwnershipPrivilege 476 WMIC.exe Token: SeLoadDriverPrivilege 476 WMIC.exe Token: SeSystemProfilePrivilege 476 WMIC.exe Token: SeSystemtimePrivilege 476 WMIC.exe Token: SeProfSingleProcessPrivilege 476 WMIC.exe Token: SeIncBasePriorityPrivilege 476 WMIC.exe Token: SeCreatePagefilePrivilege 476 WMIC.exe Token: SeBackupPrivilege 476 WMIC.exe Token: SeRestorePrivilege 476 WMIC.exe Token: SeShutdownPrivilege 476 WMIC.exe Token: SeDebugPrivilege 476 WMIC.exe Token: SeSystemEnvironmentPrivilege 476 WMIC.exe Token: SeRemoteShutdownPrivilege 476 WMIC.exe Token: SeUndockPrivilege 476 WMIC.exe Token: SeManageVolumePrivilege 476 WMIC.exe Token: 33 476 WMIC.exe Token: 34 476 WMIC.exe Token: 35 476 WMIC.exe Token: 36 476 WMIC.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 908 wrote to memory of 3096 908 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 88 PID 3096 wrote to memory of 4460 3096 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 89 PID 3096 wrote to memory of 4460 3096 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 89 PID 3096 wrote to memory of 4460 3096 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 89 PID 3096 wrote to memory of 3036 3096 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 90 PID 3096 wrote to memory of 3036 3096 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 90 PID 3096 wrote to memory of 3036 3096 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe 90 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 4460 wrote to memory of 3648 4460 vilotinklltm.exe 94 PID 3648 wrote to memory of 556 3648 vilotinklltm.exe 95 PID 3648 wrote to memory of 556 3648 vilotinklltm.exe 95 PID 3648 wrote to memory of 1840 3648 vilotinklltm.exe 98 PID 3648 wrote to memory of 1840 3648 vilotinklltm.exe 98 PID 3648 wrote to memory of 1840 3648 vilotinklltm.exe 98 PID 3648 wrote to memory of 3516 3648 vilotinklltm.exe 99 PID 3648 wrote to memory of 3516 3648 vilotinklltm.exe 99 PID 3516 wrote to memory of 1336 3516 msedge.exe 100 PID 3516 wrote to memory of 1336 3516 msedge.exe 100 PID 3648 wrote to memory of 476 3648 vilotinklltm.exe 101 PID 3648 wrote to memory of 476 3648 vilotinklltm.exe 101 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 PID 3516 wrote to memory of 2364 3516 msedge.exe 103 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vilotinklltm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" vilotinklltm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\vilotinklltm.exeC:\Windows\vilotinklltm.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\vilotinklltm.exeC:\Windows\vilotinklltm.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3648 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:556
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff825d746f8,0x7ff825d74708,0x7ff825d747186⤵PID:1336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:26⤵PID:2364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:36⤵PID:3636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:86⤵PID:2448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:16⤵PID:232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:16⤵PID:1776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:86⤵PID:2916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:86⤵PID:1396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:16⤵PID:3980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:16⤵PID:1284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:16⤵PID:1032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17022548483191338222,15642473467267383460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:16⤵PID:4680
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:476
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VILOTI~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:4628
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\40707C~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:3036
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3656
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3992
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD541c5ace2dbe23bed6bb7d936a4b06b3a
SHA1bd5d0de61bd245a1f1864598faaa982776b81a7f
SHA2567073ddbd42edcf738c0f314fe3f99018125c07e36c16101d4450ddd565b85dce
SHA51295d41da421cfeed93b6d124bde16a65724eb7ad71dab24afc20fa3b490ede04c31ed617ef8c1c26f3c52dc4843b291522beff9a5df538323218498eec3677b07
-
Filesize
63KB
MD57d1f985518b86ddbec3fbb15942eedd8
SHA179d11c74f4e28f19de6111a2a3bc0c72d6da2e89
SHA2569205cd36fe40e540596379cccc16020da9afbbbcf5750ee44a1daeec79982167
SHA5121f7951190ba274d918c88f53a175489d7eb19c4ae60039a0c8fd356074263c1b89f525b8deed03f928308d0223f1e3d7d87d32b019093c2f618b184bf14bf1cd
-
Filesize
1KB
MD5e47622354906085e1c64ae46fe0fe62d
SHA1818b6901540855486d01384af3473fc5ffea4112
SHA2564b4f96536892f370a2da1705c0f8ebec45bc5116a899509a1187e218b7eb22d8
SHA512c5ecb0577b02fa01c7d45eb048cc2fed2bf452e60786539591206975fad5324572cfb6fbc0f4797abc61bf5d2ecaca2c8080947d7e73c75e10740764ca42d824
-
Filesize
560B
MD5c317cf18d3b27d4cf23b694433866334
SHA1d2789342d66228d3b64f453afa68edd5d7560617
SHA256279985d783daa0c39b71f0acf19221f6426c799b5d8b4b4eb47d742b9685f2f3
SHA51208631e05ed8d454763b5201bad3efaf3d9cd20c7e4d556b5c740d9a72a756aeee5afa6a98ac98a7d1acabf6a0711aba8ef4aafd5b2ae53ffad6caa6baa370ec1
-
Filesize
560B
MD562c5e4184ee1ee928a6d2778c850c140
SHA1636447abbf344557bdc17df25c4fb615edf7e228
SHA256a11901e61fbe4450e60241e5dc20f2032c2f6c3f5e514f34ec39bc5281954c8a
SHA512c681c443e20aacf24166af05937a3bb913baedbc83aa27848e8284cc73abed6c39e2df4dcac305136cab31a609ec7355be7e842940622470d84c2531b6bf41b3
-
Filesize
416B
MD57beee0078ac9aaf779bd749686ff9753
SHA1dc4eeaa86bb21d579381383f94f9a7e975ef3f0a
SHA256f0ef975b209a66b179b61fc1fa7304d46a2881960db116756bbf5372449ea656
SHA512a70946ec312673dbb8e99facffdaadf7f4702d5bac512603a0cd1a27947dc44173537bd4293a3b8f5ce02b345d51ff766fa0dc3295bc4c91ca3bb46bb73bc49b
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
6KB
MD59e6f3f133ef8e40f60d1189e33063466
SHA1d5327d87606c4685c4cc562af8b28b2bf57e39e0
SHA2560f614ba9fc3e0914ffecf4e4033c95b162217bbde4a88d4ee49b5c659b9e088e
SHA512236d578d6b5ca40218bc988d4e4d53a858edbcd53df8a634e6364ce26d0990dc9ff22c9013a74c6b2a1bd1572c234fe5d06def55fac35e6b0b8151427bf4b2ad
-
Filesize
6KB
MD5b2cfb53f9a49fd7183a918ce9ccf10c0
SHA1d5c7e54c132fff7c64131fadda37dd3e559bf1bf
SHA2568b54c37632236e505c7133626c8dcd354dff0749f0c9e1623e0ddc71d5f7b634
SHA512dc2687114f23354b572275e9472bac35cfce82047e14908f29a5e5c5db836066f3313bb43d1ae17392668870ac87e9b612311149bba3f4042e6b515e82dd5664
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5038e09a1cff564f3e43384511f1a6d16
SHA1d70e0529ff497d159a9805fcc40995045dc0b7bf
SHA25677364f010a58587fa47a18febbde2f78a96a5e297cc11df87db8acf39dfa74b2
SHA5125cfc21871189c908754ef2a48a14a25822f06c22f98d635b9ffd9251e41e936f0da7720a5be845a3f716cde6241a760186b2f9ae9b866b4b34a51644d78f335a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665766873969.txt
Filesize74KB
MD543581398cd4abe88d9268cd69ee71d12
SHA1128df1b153c3ddc7305e8099a64c0088838bf478
SHA2561608630ab45004fae7f57e4ce2a8d2b0de9b9fab7cb4dd631f273488a97f3c0a
SHA512b6f71e54a132a4529404dcecca8ad75421d9f0861561330c73a5898c2221514e376bcde755391aa3dc9c96c03901534af7bfbb7d275d6706ad1ce2a4bb2a8415
-
Filesize
388KB
MD540707cdcd4220213b9ef2545043d6c99
SHA17f9d3ad1125de47368644e29b5d5cd515c6497e8
SHA2566f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f
SHA5120a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088