Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2024 14:48
Static task: static1
Behavioral task: behavioral1
- Sample: 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
- Size: 604KB
- MD5: 6f7abbc706baecf6e86cde729475dc7d
- SHA1: 00a55e2ae828f928770fdd1c59da361198fba382
- SHA256: 85e3772d5502b9f5251843b3884788ab6c4d44af761900c787d36e1d5586244c
- SHA512: 70b80ff7efeac45dc3cbaeb5b5a3b4f774dd3f61c08801fe43c5a086e8372ba199ea9f676ab3ceb9dd4d5332ebd5db79616460496632da831a51b21753f61092
- SSDEEP: 12288:PsEXei41jA1WnzVSxq5p1qHVXACWOEogk3pmIc5A1WnzVSxq5p1qH:PsEX341jA1wBSggHlpp3r0A1wBSggH
Malware Config
Extracted
Path: C:\Program Files\7-Zip\Lang\Recovery+ydevf.txt
URLs:
- http://ert54nfh6hdshbw4f.nursespelk.com/995C55E8C6558A9B
- http://kk4dshfjn45tsnkdf34fg.tatiejava.at/995C55E8C6558A9B
- http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/995C55E8C6558A9B
- http://fwgrhsao3aoml7ej.onion/995C55E8C6558A9B
Signatures

- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (879) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: agiki.exe, fstkjlehu.exe, boxty.exe, 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | agiki.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | fstkjlehu.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | boxty.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
- Drops startup file (6 IoCs)
  Processes: fstkjlehu.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ydevf.png | fstkjlehu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ydevf.txt | fstkjlehu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ydevf.html | fstkjlehu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ydevf.png | fstkjlehu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ydevf.txt | fstkjlehu.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ydevf.html | fstkjlehu.exe
- Executes dropped EXE (4 IoCs)
  Processes: fstkjlehu.exe, fstkjlehu.exe, agiki.exe, boxty.exe
  pid | process
  1696 | fstkjlehu.exe
  4732 | fstkjlehu.exe
  1892 | agiki.exe
  3280 | boxty.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: fstkjlehu.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwer-sadkfgsa = "C:\\Windows\\fstkjlehu.exe" | fstkjlehu.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe, fstkjlehu.exe
  description | pid | process | target process
  PID 2952 set thread context of 1064 | 2952 | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  PID 1696 set thread context of 4732 | 1696 | fstkjlehu.exe | fstkjlehu.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: fstkjlehu.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Windows\fstkjlehu.exe | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  File created | C:\Windows\fstkjlehu.exe | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: NOTEPAD.EXE, boxty.exe, cmd.exe, agiki.exe, 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe, fstkjlehu.exe, cmd.exe, fstkjlehu.exe, 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | boxty.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | agiki.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fstkjlehu.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fstkjlehu.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Interacts with shadow copies (3 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  996 | vssadmin.exe
  2496 | vssadmin.exe
- Modifies registry class (1 IoC)
  Processes: fstkjlehu.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | fstkjlehu.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE
  pid | process
  2508 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: fstkjlehu.exe
  pid | process
  4732 | fstkjlehu.exe (this identical row is listed 64 times in the report)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe
  pid | process
  4544 | msedge.exe (this identical row is listed 6 times in the report)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe, fstkjlehu.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1064 | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  Token: SeDebugPrivilege | 4732 | fstkjlehu.exe
  Token: SeBackupPrivilege | 3132 | vssvc.exe
  Token: SeRestorePrivilege | 3132 | vssvc.exe
  Token: SeAuditPrivilege | 3132 | vssvc.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid | process
  4544 | msedge.exe (this identical row is listed 25 times in the report)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process
  4544 | msedge.exe (this identical row is listed 24 times in the report)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe, fstkjlehu.exe
  pid | process
  2952 | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  1696 | fstkjlehu.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe, 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe, fstkjlehu.exe, fstkjlehu.exe, agiki.exe, msedge.exe, boxty.exe
  description | pid | process | target process
  (the report lists 64 entries; identical rows are collapsed here, each of the rows below appears more than once)
  PID 2952 wrote to memory of 1064 | 2952 | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
  PID 1064 wrote to memory of 1696 | 1064 | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe | fstkjlehu.exe
  PID 1064 wrote to memory of 2508 | 1064 | 6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe | cmd.exe
  PID 1696 wrote to memory of 4732 | 1696 | fstkjlehu.exe | fstkjlehu.exe
  PID 4732 wrote to memory of 1892 | 4732 | fstkjlehu.exe | agiki.exe
  PID 1892 wrote to memory of 996 | 1892 | agiki.exe | vssadmin.exe
  PID 4732 wrote to memory of 2508 | 4732 | fstkjlehu.exe | NOTEPAD.EXE
  PID 4732 wrote to memory of 4544 | 4732 | fstkjlehu.exe | msedge.exe
  PID 4544 wrote to memory of 1628 | 4544 | msedge.exe | msedge.exe
  PID 4732 wrote to memory of 3280 | 4732 | fstkjlehu.exe | boxty.exe
  PID 3280 wrote to memory of 2496 | 3280 | boxty.exe | vssadmin.exe
  PID 4544 wrote to memory of 4152 | 4544 | msedge.exe | msedge.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2952
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6f7abbc706baecf6e86cde729475dc7d_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1064
Process (depth 3): C:\Windows\fstkjlehu.exe
Command line: C:\Windows\fstkjlehu.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1696
Process (depth 4): C:\Windows\fstkjlehu.exe
Command line: C:\Windows\fstkjlehu.exe
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4732
Process (depth 5): C:\Users\Admin\Documents\agiki.exe
Command line: C:\Users\Admin\Documents\agiki.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1892
Process (depth 6): C:\Windows\System32\vssadmin.exe
Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
- Interacts with shadow copies
PID: 996
Process (depth 5): C:\Windows\SysWOW64\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID: 2508
Process (depth 5): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4544
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf62946f8,0x7ffcf6294708,0x7ffcf6294718
PID: 1628
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
PID: 4152
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
PID: 1896
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
PID: 3732
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
PID: 3780
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
PID: 1840
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
PID: 3092
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
PID: 2280
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:16⤵PID:3512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:16⤵PID:2952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:16⤵PID:3324
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,10035792977011507568,6205143878605930138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:16⤵PID:4788
-
C:\Users\Admin\Documents\boxty.exeC:\Users\Admin\Documents\boxty.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet6⤵
- Interacts with shadow copies
PID:2496 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FSTKJL~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6F7ABB~1.EXE3⤵
- System Location Discovery: System Language Discovery
PID:2508
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4180
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1696
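The tail of the process tree above is the whole ransomware sequence in miniature: a dropped binary (boxty.exe, running from the user's Documents folder) has vssadmin.exe listed under it wiping every shadow copy, and two cmd.exe instances then DEL the dropped stage in C:\Windows and the original sample in %TEMP%, both addressed by their 8.3 short names (FSTKJL~1.EXE, 6F7ABB~1.EXE). Note also that both cmd.exe images are recorded under SysWOW64 while their command lines name system32: that is WOW64 file-system redirection, so the process that launched them was 32-bit. The block below is an added example, not part of the sandbox report or its tooling. It turns those observations into detection rules and runs them over events constructed from the report's own tree; the ProcEvent fields, the regexes, the shortened Edge command line and the non-ATT&CK tags (DROPPED, WOW64) are this script's own assumptions.

```python
"""Detection rules for the behaviours visible in the sandbox process tree.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree (image path, command line, PID, nesting depth); the
dataclass fields and regexes are this script's own, not the sandbox's schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str      # image path as recorded by the sandbox
    cmdline: str    # command line as recorded
    pid: int
    depth: int      # nesting depth in the process tree (1 = top level)


# Constructed from the report's process tree; the Edge command line is shortened.
EVENTS = [
    ProcEvent(r"C:\Users\Admin\Documents\boxty.exe",
              r"C:\Users\Admin\Documents\boxty.exe", 3280, 5),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet', 2496, 6),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FSTKJL~1.EXE', 1240, 5),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6F7ABB~1.EXE', 2508, 3),
    ProcEvent(r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe", 3132, 1),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US', 3780, 6),
]

# vssadmin wiping every shadow copy (the report's "Deletes shadow copies" signature)
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b.*\s/all\b", re.I)
# cmd.exe deleting a file; group(1) is the target (unquoted, space-free paths only)
CMD_DEL = re.compile(r"\b(?:del|erase)\s+(\S+)", re.I)
# 8.3 short name of an executable, e.g. 6F7ABB~1.EXE: what a long-named binary
# passes to cmd /c DEL when it removes itself or its dropper
SHORT_NAME_EXE = re.compile(r"[A-Z0-9_$]{1,6}~\d+\.EXE$", re.I)
# Locations an unprivileged user can write to; a binary starting here is a dropped EXE
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(?:Documents|Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, tag, message) triples; the tag is an ATT&CK ID where one applies."""
    findings = []
    for ev in events:
        name = basename(ev.image)
        if name == "vssadmin.exe" and SHADOW_DELETE.search(ev.cmdline):
            findings.append((ev.pid, "T1490",
                             "vssadmin deletes all shadow copies (Inhibit System Recovery)"))
        if name == "cmd.exe":
            m = CMD_DEL.search(ev.cmdline)
            if m and SHORT_NAME_EXE.search(m.group(1)):
                findings.append((ev.pid, "T1070.004",
                                 "cmd /c DEL of an executable by 8.3 short name: " + m.group(1)))
            # Image recorded under SysWOW64 although the command line asked for
            # system32: WOW64 file-system redirection, so the caller was 32-bit.
            if "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower():
                findings.append((ev.pid, "WOW64",
                                 "32-bit caller launched cmd.exe via system32 redirection"))
        if name.endswith(".exe") and USER_WRITABLE.match(ev.image):
            findings.append((ev.pid, "DROPPED",
                             "executable running from a user-writable path: " + ev.image))
    return findings


def ransomware_chain(findings) -> bool:
    """True when the report's sequence is complete: a binary running from a user
    path, shadow copies wiped, and the sample or its stage deleted afterwards."""
    tags = {tag for _, tag, _ in findings}
    return {"DROPPED", "T1490", "T1070.004"} <= tags


if __name__ == "__main__":
    for pid, tag, msg in detect(EVENTS):
        print(f"PID {pid:<5} {tag:<10} {msg}")
    print("ransomware chain complete:", ransomware_chain(detect(EVENTS)))
```

Run against the constructed events, the rules fire on boxty.exe, vssadmin.exe and both cmd.exe instances and stay silent on vssvc.exe and msedge.exe; the chain test only passes when all three stages are present, which keeps a lone `vssadmin delete shadows` from an administrator's maintenance script from being scored as ransomware on its own.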
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)

Defense Evasion
- Direct Volume Access, T1006 (1)
- Indicator Removal, T1070 (3)
  - File Deletion, T1070.004 (3)
- Modify Registry, T1112 (1)

Credential Access
- Credentials from Password Stores, T1555 (1)
  - Credentials from Web Browsers, T1555.003 (1)
- Unsecured Credentials, T1552 (1)
  - Credentials In Files, T1552.001 (1)
Downloads

- Filesize: 6KB
  MD5: a5135cdaab1ad4662810a1065e378448
  SHA1: 186cd6d254117f6f6136fde718939df83598b334
  SHA256: beeb6d2655f3264ca9ace9c8be3f2240be518a5b8486bfedefa53668dffd13e9
  SHA512: 66321b51db03337bb9b7a323611f8bbd1598bde1abd427f5aa6ec64805521a79f904a6436eab251fba864eec7d6ad20f4474cb02313c24249a3d5ef7d7b860e7

- Filesize: 66KB
  MD5: 5a3bd6a95968fc67b817d97aaa2c3568
  SHA1: 059da845adba1f742e903d6ca6f245316c4bfa85
  SHA256: 6b14ff9c06cfa60adf630a58238405df89f8bd321badec439dfb796ee0f5726c
  SHA512: 0cd1e55c1c9b6eb7808def08db7b00a6e3eee2515ef5ba63dd5953f2aa8266d2ab0e4c91984e121a6603f6ebbbe4c78249b7aad0a61050b2151014e329949fcf

- Filesize: 2KB
  MD5: a17905b316cf4c189eeec7291dc31233
  SHA1: ed1c37bd45b703deb611038a0ddfe1534884dac0
  SHA256: 21b6caa7870b7d71c522abe86f9dd1b74dec07e729d001fb5dae7cba0bf9ebdd
  SHA512: 6e61c6037380dd67a789ea1fe63a2a058f291637e89a9065401157da1d146d79e7ba9ef6bba5ad5c9278550cbacbeb79822ad0956f5e3d35ca70ad437cde5868

- Filesize: 560B
  MD5: 7d01d6562bcfb46b0fd1b71c73c0b436
  SHA1: ba7f7f08b2961fa490345fe493040b6dfa2afb13
  SHA256: 4efdc4e23ecafa49e97a4119323d3c476c2768b41f1b771fe87dd443dc442bbb
  SHA512: a7cf27007263e0dcefc584b81b87dd51f36c4c1169a2aec2d9611af82b4b0c7ecf7f0b653612f58442e41f85a275e5cecafd2772a07963b0f5c8d87095bd5420

- Filesize: 560B
  MD5: 50de89f8c33c8cef061aa04357b6fc09
  SHA1: dc393527053b7ba9877c98c9ad9850523cdacff9
  SHA256: ecf524863c81e1a1ba4a53a76e87c3ce0b5e8cff3067a16081e5878f5d6472f6
  SHA512: 9e752b5e4571e959a1c8c8aa6fc8b3be76fcc7761cb48302bd5ea7a83934172c69dd0ce9bb1c423c4d70d664156e98aea4775605e82c8966ec0357cedbabe9bd

- Filesize: 416B
  MD5: f84c3ea2ff3bba758989b39835b8241c
  SHA1: 893a69a3ed6a4ab6ed8d725ed2eafec7a02ad2cc
  SHA256: 0c7b7d43b9dcad70caf2a88dfab67fced85040c4afd922993ba2738b8974eb2d
  SHA512: 9b5aebcb82145c82dc5470ff04c7d92e799602b42f51fb6db0ce62abd7a19694e03402463a9a125c865d9ed4674879ff212a6eb1197e748ca45612db2cc797f4

- Filesize: 152B
  MD5: e443ee4336fcf13c698b8ab5f3c173d0
  SHA1: 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
  SHA256: 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
  SHA512: cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

- Filesize: 152B
  MD5: 56a4f78e21616a6e19da57228569489b
  SHA1: 21bfabbfc294d5f2aa1da825c5590d760483bc76
  SHA256: d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
  SHA512: c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

- Filesize: 5KB
  MD5: 4ccd75200115b336720aaf6c209e4d6b
  SHA1: 3cb0219ed7fbc93a828b22d805fbbdd17f71f339
  SHA256: b6fc82ea6cb4d87c763194c5822181b90ff64d2e3f5b307ad057adcb12c26d8c
  SHA512: b5ab7d802346d5d0987bc3894bee9aa100a50a3660c2a0b841de654d72132e2b55ebaab4210aaf53e3ae0f02e8776b301bfcb6ab34ef12dfdbca45812b99e4e8

- Filesize: 6KB
  MD5: 2058a2cb925d125dbfbf11e956caee5d
  SHA1: e24bc3012b4ae9c18a295a761c820aad96f24951
  SHA256: a34965d59c99632dd0d6fb5d88ec82a572ddccebd87f271c7203409c8fffa4d1
  SHA512: 3f26ab77c1b966a61f54c10bb25c663ab06b418a6ceffe2f77253dfa0c1b9db1a7ffed554882f60ca6298f4e808b61199d7bbbda2bbca5b37ecf33ae0adbdaf0

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: 44c12630bc72ff08fc5c6d2837b4c3b9
  SHA1: b5b6d146d805ad5b016283385d39338fcc8e67a6
  SHA256: e072f47d389bc239637e983d564910528a9ef92d89375779e0f9d3debfab2b13
  SHA512: 748f46ee9b4e42e97eb6b3b6c8e4fd9f7bd0540c10bb944457f4a364098c897d46707f22f200e3f13fa17bf74e7c3e6b5baf2986585a6eb55b8cf9f96c618d9b

- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656067266351.txt
  Filesize: 77KB
  MD5: b4940fb093834fb75a71cec2077ad3a3
  SHA1: 200e94e37b594d130057508e28d8c54985ee680f
  SHA256: 6bcb8227516e8c115a20d928d798df2f209241dc804c4f1db4a99fc83e5992df
  SHA512: aeb4349cfd06ef92352dc9519fda49f7c23ec86903d8dd0dca78eaf9d93a201b3860d3271de05db0c1a54bce7292bb9e47815fbd1e638cb05bc052c1c052e110

- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665714398674.txt
  Filesize: 74KB
  MD5: b8f32bdfbebd814976ce05a2d0753c55
  SHA1: c4ff36ac9565b2a07133d37b9aa93663f6ed1294
  SHA256: 818d4f4193d1efb091ce7acb37ff8463004ae8e6d1826bde390db7ab349ce659
  SHA512: 90e01cc8ce0f50432b4aa87031ffc866e61c2bb8156665c0750d2e82c141ff576c2e458b3e6f6f7dafb4d51854255dd40c1284ecce6d5846503e2e1f9295b221

- Filesize: 4KB
  MD5: 307074acffa41e69ae7449338accbac4
  SHA1: d880915f78361db3b15ff18b0d3239a5d2a6a997
  SHA256: a5d3ed693c85298bd8f1c116bb16f78e032364143c76da2e22b3d0de29182380
  SHA512: aba5ffe7ec7342ba381927d3ff995f339b1837faab30e0fe48ed38b2da636b4e38b969a23c1c87271e54862522098775cb2f695c22a42b7a81d7f4e88fefa426

- Filesize: 604KB
  MD5: 6f7abbc706baecf6e86cde729475dc7d
  SHA1: 00a55e2ae828f928770fdd1c59da361198fba382
  SHA256: 85e3772d5502b9f5251843b3884788ab6c4d44af761900c787d36e1d5586244c
  SHA512: 70b80ff7efeac45dc3cbaeb5b5a3b4f774dd3f61c08801fe43c5a086e8372ba199ea9f676ab3ceb9dd4d5332ebd5db79616460496632da831a51b21753f61092

- Filesize: not recorded (these four digests are those of empty input, i.e. a 0-byte file, so this entry carries no usable IOC)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e