Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2024, 13:35
Static task: static1
Behavioral task: behavioral1
  Sample: d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
Size: 428KB
MD5: d74daee515bd5a77f299151a568cb57a
SHA1: 68555ccb11104b0bb9243ba3f5f464de8bb701e6
SHA256: 1d8ce53b219771b49d743424498747af3f4201f194dd1020247bb4a492156fb0
SHA512: 62dc4d6d0d2831bf55247e6c87cd6b6a5c2798dd1aaea072140146598b9f07921b5f53af2a4c93d5430e54002456a1abc57a00acb2f57339ed827a790febb646
SSDEEP: 12288:oYV6HO69joWO8UD8KHCeAJlkMAUhX+cblCJxfS6:oYh8UD8cCEtUhXvOR1
Malware Config
Extracted from: C:\Program Files\7-Zip\Lang\_RECoVERY_+ljtik.txt
Family: teslacrypt
C2:
  http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1CCC4C5498A79C
  http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1CCC4C5498A79C
  http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/1CCC4C5498A79C
  http://xlowfznrg4wf7dli.ONION/1CCC4C5498A79C
Signatures

TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Renames multiple (876) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | dyohfxwqsyaq.exe

Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ljtik.txt | dyohfxwqsyaq.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ljtik.html | dyohfxwqsyaq.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ljtik.png | dyohfxwqsyaq.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ljtik.txt | dyohfxwqsyaq.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+ljtik.html | dyohfxwqsyaq.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+ljtik.png | dyohfxwqsyaq.exe

Executes dropped EXE (1 IoC)
  pid | Process
  4292 | dyohfxwqsyaq.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oiffxvvpkuhy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dyohfxwqsyaq.exe\"" | dyohfxwqsyaq.exe

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\dyohfxwqsyaq.exe | d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  File opened for modification | C:\Windows\dyohfxwqsyaq.exe | d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dyohfxwqsyaq.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | dyohfxwqsyaq.exe

Opens file in notepad (likely ransom note) (1 IoC)
  pid | Process
  4012 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process
  3608 | msedge.exe
  3608 | msedge.exe
  3608 | msedge.exe
  3608 | msedge.exe
  3608 | msedge.exe
  3608 | msedge.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (25 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | dyohfxwqsyaq.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | dyohfxwqsyaq.exe

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Each entry gives the image path, the command line, the PID and the signatures triggered by that process; indentation shows the parent/child relationship.)

C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe"
  PID: 3972
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\dyohfxwqsyaq.exe
    Command line: C:\Windows\dyohfxwqsyaq.exe
    PID: 4292
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      PID: 4808
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      PID: 4012
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
      PID: 3608
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff908f546f8,0x7ff908f54708,0x7ff908f54718
        PID: 2212

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        PID: 1336

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        PID: 1132

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
        PID: 4788

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        PID: 3412

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        PID: 4404

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
        PID: 2140

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
        PID: 3192

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        PID: 4232

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
        PID: 1976

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
        PID: 3616

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13201900443370402243,13786941715317398095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
        PID: 3712

    C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      PID: 468
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DYOHFX~1.EXE
      PID: 3948
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D74DAE~1.EXE
    PID: 2876
    - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1564
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5008
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

- Filesize: 11KB
- MD5: 2f069f6570af8835dbce5a6a8ddeb4be
- SHA1: 7729f526fbbdc7aa76d3eccab26fdbd326c869e6
- SHA256: 11698f79806189332a4864d7c7420f098ec9da4e83d48e5ac7dabc09f39031a7
- SHA512: 23456d8b0029e28833a3d0fd943b388e5341589e0c1be60dce210d729b86eaa367f3c065a5822552e024011f39dc9923e850afa21ce22ec466b27b6cf37c57c4

- Filesize: 63KB
- MD5: ee855490cf9c73d4bc3ffc96637862b4
- SHA1: 05765aa2f6c19a50911cac811a8a1c04252f62c0
- SHA256: 982631aaa4d669c3023c4ca57d702591da55750b4af3b8ea12439a3cda440e26
- SHA512: f88d609bab34b54d3802dbb9423c6ae339f4f5296afa55d5eb8ac0a217442350482f7c910ab0416df7084b2fb2039c3acec99add64667d9a44a6c9354f9ae97c

- Filesize: 1KB
- MD5: 18884933f5158f0d646e18cf19fb8d1e
- SHA1: d94b3adc51496d20b62606911747ce479f0d1917
- SHA256: 48e6a23a016d55058ce0a16a73d1db0f1f9d3a55628445147699dfdecf6b05c9
- SHA512: d74b1a08b081c88eeb3623bbf86a748b5159c77bcb38e03e0674f0fc0547bf160aa8d4be9f28230fa3a2d57079c32c7cfe4e5940cf00f629ef31f788da6efc2e

- Filesize: 560B
- MD5: 372dce838d54b34b66c67b22bb8af32c
- SHA1: ae363b81894e23c419404c40ebb02b8f4e534327
- SHA256: 225d5a88dae90e60c479d20bb61d91ca236c2a7d19717abebca777d3285acd99
- SHA512: fb848ebcbf5a17b56da8c8d0512ef56ca3ed32f65d8e4394eb3c319833bcb06b70195b5670a75960b6d401ed9e2f6ec486c6354fdeaea44f025e72fe205a477a

- Filesize: 560B
- MD5: 916b75b90fca066b9f1e9e729c2dd9d1
- SHA1: f52c659a57b649cbcc16ba1adfe29c3400f04867
- SHA256: e138db9000844580c5e69edffda3d886fa596d4d95d2a11e632f189425ed2286
- SHA512: 1528a4a69fd14be803692fd1257107c84b1b2d07fde5513bd088c46579a0fe1d85dd30d3e3722f885a0c9598cf01eb45ff34baadea2f9ca6a065083817632fa4

- Filesize: 416B
- MD5: 3128bf59d45623e4fd2731e85df2992d
- SHA1: 28c6c5eab192c394cb47c74cdf62adda19f0095c
- SHA256: 578d475094e1cbac4100333a1b1058e359307a6c6dafbe042d07850ed67f8d35
- SHA512: c8b1ed42cac17e686b3de7d49f6f33ceb2f34e983ee4709fe251141203b27e01b2841a388710506a9faccfb60a3c83f2cd70684de45dd7c961c5d2388ec5bef9

- Filesize: 152B
- MD5: d22073dea53e79d9b824f27ac5e9813e
- SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
- SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
- SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

- Filesize: 152B
- MD5: bffcefacce25cd03f3d5c9446ddb903d
- SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
- SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
- SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

- Filesize: 6KB
- MD5: b6322c14b0f6d0369a63496f754e9655
- SHA1: cab077f964b24d766310523c05dc047cfa45c602
- SHA256: dd4d1151d92857347dd44ec53ad3dd8efdf4c60f994c3fd614e0a2b108616442
- SHA512: 4910127f01b38cd8a2fa576e296d7b32ba1f57a6013f3bee0ccdf7bfe2fb60805715cbcb00dda058b46bf4fed8bf0972201e13844623e7f97d1b8d9f42356e3c

- Filesize: 5KB
- MD5: 1d282454a3f8476f9f105ea61640e7f5
- SHA1: c2cb5e8293ae4a7ce10c24717e751e87d13f38c7
- SHA256: 40c07a7b57ae462761ec3d3c151bf46d2aa40a2c7de5b4b7615eb7474cb41f2f
- SHA512: 8d0cfbfa404e0393f9bbe4f3c5fc4b67ae03918c59466fc0d606e790333c5f5f75e25c8a0b419a4d5f191593772aed88b2723098156e8d0560f2c6e7c9e1daf5

- Filesize: 16B
- MD5: 6752a1d65b201c13b62ea44016eb221f
- SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
- SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
- SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 10KB
- MD5: 78af99c27022108864c712730f5ccbd8
- SHA1: e3c29da341f4e5ceff9ba989a9025b7c0d1fa2ef
- SHA256: b7c6b99ee7a19aa01a112dc345c8ad2f82160f980e538572cbdc27437398fa66
- SHA512: eac56174876a65c17acc678eb51a26fa4106d8263283f48a40608559e0cadf65667469bea2dd61b5fcafeb4d7807208891aa450349e5e4766204f6bf0d02f8f3

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt
- Filesize: 77KB
- MD5: da2397d2f33dbcf6e8598c42287bd378
- SHA1: d038571ab0adc5dd03b21fb79de92d2149f69261
- SHA256: c9fbb2d2ef35e6b532ee5f69a880154dab0b36c27cb1b5f67e689d1c264fe1e3
- SHA512: 080b56e25dc0376b6479b7d52dd4248e2d0466a7dd8d7b7f71121b2b33e2ee4cd9eec6380209722dee182c9e4ce313fce16b5735688beb14ce8cdd0ddb2c4124

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt
- Filesize: 47KB
- MD5: 2ee3a9b5f58f776fc78a8996cf2edff4
- SHA1: 7888d1180ad15d05b6b8a70964d75fa803cfecbe
- SHA256: 8ff71fb7fd4b5b356e8d89a8e204b04dd1f6703578e3ea7a58edd11d7fe1a34c
- SHA512: 624059be8e7bf13a6b557c29095cf2c8614f06159132446b89f295cffaead0902316ca681bf952d4b3dca4128f279d4dac0f8d05f78b2ab62ba8eb000fba36e1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt
- Filesize: 74KB
- MD5: 300a376f93297fe35b846dc1f6769aaf
- SHA1: afa89cc4ff7b49a15e90d07c4b647b64f01bdf81
- SHA256: 86988f70529fcbb0a687f807b9323a508046274b7d76f7717bfec2ef512983d0
- SHA512: fd7a72620930b7a5a5c3d1c53167ce28428257da5a46e9be46769e2694bcffccc8a44b0e7c90806dbde425a495d5b1b9e172b8b14d1520ef9c38b4bff1bf3986

- Filesize: 428KB
- MD5: d74daee515bd5a77f299151a568cb57a
- SHA1: 68555ccb11104b0bb9243ba3f5f464de8bb701e6
- SHA256: 1d8ce53b219771b49d743424498747af3f4201f194dd1020247bb4a492156fb0
- SHA512: 62dc4d6d0d2831bf55247e6c87cd6b6a5c2798dd1aaea072140146598b9f07921b5f53af2a4c93d5430e54002456a1abc57a00acb2f57339ed827a790febb646