Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2024, 22:36

Static task: static1

Behavioral task: behavioral1
Sample: 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General

Target: 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Size: 364KB
MD5: 764a3a6827e4d04ebbb801e8f5b95f8b
SHA1: 6bdba1a36f825e2b6cbe2c71bfa2e31ad148ddcb
SHA256: 091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1
SHA512: 2a05444918da6ac9e400c1b7c5f58e60187035b4533be28b4b516f8002edfcd9b1eaa9207b820e26f6cd08c51a7ca8610dd4aa785d3b9ffd2dedd04a8aa197f2
SSDEEP: 6144:3M3Ia4g7E/Rd1WjfqMsSW9ZgsQ6LEme81Ip8/V+9jeOLzZXcIwXHX:qIt4EELq7p9ZgeLDc8/VkphcI
Malware Config

Extracted from: C:\Program Files\7-Zip\Lang\how_recover+ydr.txt
http://gfhshhf.home7dfg4.com/54F9E2C5EB85E45E
http://td63hftt.buwve5ton2.com/54F9E2C5EB85E45E
https://tw7kaqthui5ojcez.onion.to/54F9E2C5EB85E45E
http://tw7kaqthui5ojcez.onion/54F9E2C5EB85E45E
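The four URLs share one path token, 54F9E2C5EB85E45E, which is the per-victim identifier; the hosts are one Tor hidden service reached directly, the same service through a .onion.to gateway, and two disposable clearnet domains. The extractor below is an added example, not the sandbox's own config extractor: it pulls the URLs out of a note, checks that every URL carries the same victim ID, and separates hidden service, gateway and clearnet hosts so that only the hosts go into an IOC list while the victim ID is kept as a pivot. Only the four URLs come from the report; the surrounding note wording is constructed, and the Tor2web gateway-suffix list is a small, non-exhaustive assumption.

```python
"""Ransom-note configuration extractor (added example, not the report's tooling)."""
import re
from urllib.parse import urlparse

# Constructed note: the wording is made up, the four URLs are the report's.
NOTE = """Your files have been encrypted.
To recover them, open one of the links below in your browser:
http://gfhshhf.home7dfg4.com/54F9E2C5EB85E45E
http://td63hftt.buwve5ton2.com/54F9E2C5EB85E45E
If those links do not work, use the Tor browser:
https://tw7kaqthui5ojcez.onion.to/54F9E2C5EB85E45E
http://tw7kaqthui5ojcez.onion/54F9E2C5EB85E45E
"""

URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)
VICTIM_ID_RE = re.compile(r"[0-9A-F]{16}")      # 16 upper-case hex chars, as in the report
# Tor2web gateways expose a hidden service as <name>.onion.<gateway-tld>.
# The suffix list is an assumption for the example and is not exhaustive.
TOR2WEB_RE = re.compile(r"^(?P<hs>[a-z2-7]{16,56}\.onion)\.(to|link|cab|ws|ly)$")


def extract_config(note: str) -> dict:
    """Return victim ID, hidden service(s) and host classes found in a note."""
    urls = sorted(set(URL_RE.findall(note)), key=note.find)   # de-dupe, keep note order
    victim_ids: set[str] = set()
    hidden_services: set[str] = set()
    gateways: list[str] = []
    clearnet: list[str] = []
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").rstrip(".")
        token = parsed.path.strip("/")
        if VICTIM_ID_RE.fullmatch(token):
            victim_ids.add(token)
        if host.endswith(".onion"):
            hidden_services.add(host)
        elif (m := TOR2WEB_RE.match(host)):
            gateways.append(host)
            hidden_services.add(m.group("hs"))   # same service, reachable without Tor
        else:
            clearnet.append(host)
    # A note whose URLs disagree on the ID is either damaged or stitched
    # together from several infections; flag it rather than guess.
    consistent = len(victim_ids) == 1
    return {
        "urls": urls,
        "victim_id": next(iter(victim_ids)) if consistent else None,
        "consistent": consistent,
        "hidden_services": sorted(hidden_services),
        "gateways": gateways,
        "clearnet": clearnet,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(extract_config(NOTE))
```

The gateway host is deliberately folded back into the hidden-service name: blocking tw7kaqthui5ojcez.onion.to alone leaves the direct .onion route and any other Tor2web mirror untouched, so the hidden service itself is the durable indicator.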
Signatures

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 5 IoCs)
pid | Process
1104 | bcdedit.exe
4532 | bcdedit.exe
3012 | bcdedit.exe
3976 | bcdedit.exe
4852 | bcdedit.exe

Renames multiple (881) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | vqlwm-a.exe

Drops startup file (4 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+ydr.html | vqlwm-a.exe

Executes dropped EXE (2 IoCs)
pid | Process
3780 | vqlwm-a.exe
1896 | vqlwm-a.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
22 | myexternalip.com

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1248 set thread context of 4392 | 1248 | 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe | 87
PID 3780 set thread context of 1896 | 3780 | vqlwm-a.exe | 93

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-125.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-400_contrast-black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\he-IL\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-125.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-64_altform-unplated.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\xbox_live_logo_black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30_altform-lightunplated.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppUpdate.svg | vqlwm-a.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-150.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png | vqlwm-a.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-125_contrast-white.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-32_altform-unplated.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-200.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\View3d\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-100.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-100.png | vqlwm-a.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak | vqlwm-a.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\how_recover+ydr.html | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-fullcolor.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-20_altform-unplated.png | vqlwm-a.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lt.pak | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\20.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated_contrast-black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-16.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-400.png | vqlwm-a.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-150.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-150.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-80_altform-unplated.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-30_altform-unplated.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_TeethSmile.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\how_recover+ydr.txt | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-white.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-lightunplated.png | vqlwm-a.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-24_altform-unplated.png | vqlwm-a.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vqlwm-a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vqlwm-a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2224 | vssadmin.exe
284 | vssadmin.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | vqlwm-a.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
2108 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1896 | vqlwm-a.exe (all 64 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid | Process
4032 | msedge.exe (all 6 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4392 | 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Token: SeDebugPrivilege | 1896 | vqlwm-a.exe
Token: SeBackupPrivilege | 2656 | vssvc.exe
Token: SeRestorePrivilege | 2656 | vssvc.exe
Token: SeAuditPrivilege | 2656 | vssvc.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process
4032 | msedge.exe (all 25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
4032 | msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, repeat count in the last column)
description | pid | Process | procid_target | count
PID 1248 wrote to memory of 4392 | 1248 | 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe | 87 | 10
PID 4392 wrote to memory of 3780 | 4392 | 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe | 88 | 3
PID 4392 wrote to memory of 3900 | 4392 | 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe | 91 | 3
PID 3780 wrote to memory of 1896 | 3780 | vqlwm-a.exe | 93 | 10
PID 1896 wrote to memory of 1104 | 1896 | vqlwm-a.exe | 96 | 2
PID 1896 wrote to memory of 4532 | 1896 | vqlwm-a.exe | 98 | 2
PID 1896 wrote to memory of 3012 | 1896 | vqlwm-a.exe | 100 | 2
PID 1896 wrote to memory of 3976 | 1896 | vqlwm-a.exe | 104 | 2
PID 1896 wrote to memory of 4852 | 1896 | vqlwm-a.exe | 106 | 2
PID 1896 wrote to memory of 2224 | 1896 | vqlwm-a.exe | 108 | 2
PID 1896 wrote to memory of 2108 | 1896 | vqlwm-a.exe | 122 | 3
PID 1896 wrote to memory of 4032 | 1896 | vqlwm-a.exe | 123 | 2
PID 4032 wrote to memory of 2852 | 4032 | msedge.exe | 124 | 2
PID 1896 wrote to memory of 284 | 1896 | vqlwm-a.exe | 125 | 2
PID 4032 wrote to memory of 4292 | 4032 | msedge.exe | 127 | 17

System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | vqlwm-a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vqlwm-a.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows parent/child depth; each entry gives image path, PID, command line and the signatures attributed to it)

C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe  (PID 1248)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe  (PID 4392)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\vqlwm-a.exe  (PID 3780)
      cmdline: C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\vqlwm-a.exe  (PID 1896)
        cmdline: C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\SYSTEM32\bcdedit.exe  (PID 1104)
          cmdline: bcdedit.exe /set {current} bootems off
          - Modifies boot configuration data using bcdedit

        C:\Windows\SYSTEM32\bcdedit.exe  (PID 4532)
          cmdline: bcdedit.exe /set {current} advancedoptions off
          - Modifies boot configuration data using bcdedit

        C:\Windows\SYSTEM32\bcdedit.exe  (PID 3012)
          cmdline: bcdedit.exe /set {current} optionsedit off
          - Modifies boot configuration data using bcdedit

        C:\Windows\SYSTEM32\bcdedit.exe  (PID 3976)
          cmdline: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
          - Modifies boot configuration data using bcdedit

        C:\Windows\SYSTEM32\bcdedit.exe  (PID 4852)
          cmdline: bcdedit.exe /set {current} recoveryenabled off
          - Modifies boot configuration data using bcdedit

        C:\Windows\System32\vssadmin.exe  (PID 2224)
          cmdline: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          - Interacts with shadow copies

        C:\Windows\SysWOW64\NOTEPAD.EXE  (PID 2108)
          cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4032)
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2852)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd84da46f8,0x7ffd84da4708,0x7ffd84da4718

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4292)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4084)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4896)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 540)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3712)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3448)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4432)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4664)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4944)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5156)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5164)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6533829652012218619,4492850332676320491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1

        C:\Windows\System32\vssadmin.exe  (PID 284)
          cmdline: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          - Interacts with shadow copies

        C:\Windows\SysWOW64\cmd.exe  (PID 312)
          cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\vqlwm-a.exe
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 3900)
      cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\764A3A~1.EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe  (PID 2656)
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe  (PID 3268)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 1660)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
- File Deletion (3)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads