Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/12/2024, 00:01
Static task: static1
Behavioral task: behavioral1
  Sample: e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2 (the run reported below; its resource matches the header)
  Sample: e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
Size: 396KB
MD5: e3c7a712d0aa4db4b62ca2a2abc3af89
SHA1: 80ebc294329a7d40e6ac13feedf0b5554fdf8a38
SHA256: c46d526ed752a808427220c412135972ed2fbfac2476b9fcd6b74b330e4dc9a3
SHA512: 814df1437244043bfd5a7803b208695badc87b3a862f24f25b838b8eaee82c91314d5fdd2f52286494fd2499da48a1efb4738235eddc94bd04b7dc14d4cde8fb
SSDEEP: 6144:Z0sTdSkul5CpfZsu43jx0HdEouuj5axxn7JCpIKxZU/bc92A6mJOl:qG7pfZsu43d0HdEFuj5EpNbWAcsoOl
Malware Config
Extracted from: C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.txt
Family: teslacrypt
URLs carried by the note (all four end in the same 16-hex-character path, 519F19C117E8F74A; the first three are clearnet gateway hosts, the fourth is a Tor hidden service):
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/519F19C117E8F74A
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/519F19C117E8F74A
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/519F19C117E8F74A
http://xlowfznrg4wf7dli.ONION/519F19C117E8F74A
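As an added example (not part of the sandbox report), the Python below folds the four extracted URLs and the dropped-file paths into a compact IoC set: it checks that every URL carries the same identifier, separates the Tor hidden service from the clearnet gateway hosts, reduces the gateway hosts to their registered domains, and picks the ransom notes out of a list of touched paths by file-name pattern. The URLs and paths are copied from this report; treating the shared path segment as a per-infection identifier, and the five-letter note suffix as something that varies between infections, are assumptions made here rather than facts the report states.

```python
"""Added example, not part of the sandbox report: fold the extracted
TeslaCrypt note URLs and the dropped-file paths into a small IoC set.
URLs and paths are copied from the report. Treating the shared 16-hex path
segment as a per-infection identifier, and the five-letter note suffix as
variable, are assumptions made here."""
import re
from urllib.parse import urlparse

# Copied from the report's "Malware Config" section.
EXTRACTED_URLS = [
    "http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/519F19C117E8F74A",
    "http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/519F19C117E8F74A",
    "http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/519F19C117E8F74A",
    "http://xlowfznrg4wf7dli.ONION/519F19C117E8F74A",
]

# Constructed sample: three note drops and two non-note paths from the report.
SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\Lang\_RECoVERY_+qrhxi.txt",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qrhxi.html",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qrhxi.png",
    r"C:\Program Files\FormatOptimize.ppt",
    r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak",
]

# Note name seen in this run: _RECoVERY_+<5 letters>.<txt|html|png>. The
# suffix is assumed to vary per infection, so it is captured, not hard-coded.
NOTE_NAME = re.compile(r"^_RECoVERY_\+([a-z]{5})\.(txt|html|png)$", re.IGNORECASE)
# Single path segment of 16 upper-case hex characters, as in all four URLs.
ID_PATH = re.compile(r"^/([0-9A-F]{16})$")


def summarize_urls(urls):
    """Split note URLs into Tor hidden service vs clearnet gateway hosts and
    confirm they all carry one identifier; raise if they disagree, which would
    mean the note mixes campaigns or was mis-parsed."""
    ids, onion, clearnet = set(), [], []
    for url in urls:
        parts = urlparse(url)
        m = ID_PATH.match(parts.path)
        if not m:
            raise ValueError(f"unexpected path in {url}")
        ids.add(m.group(1))
        host = parts.hostname.lower()
        (onion if host.endswith(".onion") else clearnet).append(host)
    if len(ids) != 1:
        raise ValueError(f"URLs carry different identifiers: {sorted(ids)}")
    # The long random subdomain is campaign-specific noise; the registered
    # domain (last two labels for these hosts) is the durable block-list entry.
    gateway_domains = sorted({".".join(h.split(".")[-2:]) for h in clearnet})
    return {"id": ids.pop(), "onion": onion, "gateway_domains": gateway_domains}


def ransom_note_paths(paths):
    """Return (path, note suffix) for each path whose file name matches the
    note pattern; every other touched path is a candidate encrypted file."""
    hits = []
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        m = NOTE_NAME.match(name)
        if m:
            hits.append((path, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    print(summarize_urls(EXTRACTED_URLS))
    for path, suffix in ransom_note_paths(SAMPLE_PATHS):
        print(suffix, path)
```

The registered-domain reduction assumes two-label domains, which holds for the three gateways here; for hosts under a public suffix such as co.uk a suffix list would be needed.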
Signatures
TeslaCrypt, AlphaCrypt
Ransomware family that presented itself to victims as CryptoLocker (AlphaCrypt was a rebranded build). Its operators shut the operation down in May 2016 and released the master decryption key, so files encrypted by this family can normally be recovered without paying.
Teslacrypt family
Deletes shadow copies (3 TTPs)
Removes Volume Shadow Copies so the victim cannot roll files back (Inhibit System Recovery, T1490). In this run the dropped copy did it twice via WMIC.exe shadowcopy delete /nointeractive (PIDs 4156 and 2276), which started vssvc.exe (PID 648) to service the request.
Renames multiple (873) files with added filename extension
Bulk renaming with an appended extension is the footprint of file encryption across the whole system.
Checks computer location settings (2 TTPs, 2 IoCs)
Reads the country code configured for the user (Control Panel\International\Geo\Nation); ransomware commonly uses it to geofence execution by locale.
Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation by e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation by kxbvfewsldpm.exe
Drops startup file (6 IoCs)
Ransom-note copies written by kxbvfewsldpm.exe into autostart folders (File opened for modification):
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qrhxi.txt
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qrhxi.html
C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qrhxi.png
C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qrhxi.txt
C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+qrhxi.html
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qrhxi.png
Anything in the Start Menu Startup folder is opened with its default handler at logon, so the note is shown again on every sign-in. This is display persistence only; execution persistence is the Run key below.
Executes dropped EXE (1 IoCs)
PID 2892 kxbvfewsldpm.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no IoC for this signature, and the only browser activity in this run is msedge.exe opening the RECOVERY.HTM note from the Desktop, so treat this as unconfirmed rather than as evidence that the ransomware harvested credentials.
Adds Run key to start application (2 TTPs, 1 IoCs)
Set value (str) by kxbvfewsldpm.exe: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syvbbvnmxxrm = C:\Windows\system32\cmd.exe /c start "" "C:\Windows\kxbvfewsldpm.exe" (the report prints the value with escaped quotes and backslashes).
The same process later runs cmd.exe /c DEL C:\Windows\KXBVFE~1.EXE, so at the end of this run the value points at a file that no longer exists. A Run value with a random lower-case name that launches an executable placed directly under C:\Windows through cmd.exe /c start is the artifact to hunt for, whether or not the target is still present.
Indicator Removal: File Deletion (1 TTPs)
Both executables remove themselves once the payload is running: the dropped copy spawns cmd.exe /c DEL C:\Windows\KXBVFE~1.EXE and the original spawns cmd.exe /c DEL C:\Users\Admin\AppData\Local\Temp\E3C7A7~1.EXE (see the process tree). Both DEL targets are 8.3 short names, so a hunt keyed on the long file names will miss them; match on cmd.exe deleting an .EXE in its parent's own directory instead.
Drops file in Program Files directory (64 IoCs, report cap)
All entries are "File opened for modification" by kxbvfewsldpm.exe. Two kinds of entry are mixed here: ransom notes (_RECoVERY_+qrhxi.txt/.html/.png) written into each directory walked, and existing files (.png, .pak, .ppt) opened for modification by the encryption pass.
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-36.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EMLAttachmentIcon.png
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-30_altform-unplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-256.png
C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\_RECoVERY_+qrhxi.png
C:\Program Files\Java\_RECoVERY_+qrhxi.html
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_RECoVERY_+qrhxi.txt
C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-125.png
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\_RECoVERY_+qrhxi.txt
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16_altform-unplated.png
C:\Program Files\Internet Explorer\ja-JP\_RECoVERY_+qrhxi.html
C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_RECoVERY_+qrhxi.txt
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-125.png
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-150.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png
C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubGameBar.png
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-64_altform-unplated.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-100.png
C:\Program Files\Common Files\System\msadc\es-ES\_RECoVERY_+qrhxi.html
C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qrhxi.txt
C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_RECoVERY_+qrhxi.html
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-60_altform-unplated_contrast-black.png
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_RECoVERY_+qrhxi.txt
C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-unplated.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyView.scale-400.png
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_RECoVERY_+qrhxi.txt
C:\Program Files\FormatOptimize.ppt
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] (file name mangled by the page's e-mail obfuscation; the original name is not recoverable from the report)
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20_altform-lightunplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-200.png
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\_RECoVERY_+qrhxi.png
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\_RECoVERY_+qrhxi.txt
C:\Program Files\VideoLAN\VLC\lua\http\js\_RECoVERY_+qrhxi.txt
C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-lightunplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_RECoVERY_+qrhxi.html
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png
C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileExcel32x32.png
C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+qrhxi.txt
C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100.png
C:\Program Files\Common Files\microsoft shared\TextConv\en-US\_RECoVERY_+qrhxi.txt
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-400_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\_RECoVERY_+qrhxi.png
C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-96_altform-unplated.png
C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\PSTN_cluster.png
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak
C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxMetadata\_RECoVERY_+qrhxi.txt
C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png
C:\Program Files\VideoLAN\VLC\locale\nl\_RECoVERY_+qrhxi.txt
Drops file in Windows directory (2 IoCs)
File created: C:\Windows\kxbvfewsldpm.exe by e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
File opened for modification: C:\Windows\kxbvfewsldpm.exe by e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Reads the system language to infer the host's geographic location. Five processes opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe, kxbvfewsldpm.exe, cmd.exe (twice) and NOTEPAD.EXE. Only the first two are the malware; the cmd.exe and NOTEPAD.EXE hits come from normal NLS initialisation of system binaries, so this signature on its own does not separate malicious from benign processes.
Enumerates system info in registry (2 TTPs, 3 IoCs)
All three hits belong to msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName. This is the browser reading hardware identifiers after being launched to display the note, not activity of the ransomware.
Modifies registry class (1 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings by kxbvfewsldpm.exe. The per-user Classes\Local Settings key is routinely created by shell APIs (here, when the default handlers for the .TXT and .HTM notes are launched) and is low-signal on its own.
Opens file in notepad (likely ransom note) (1 IoCs)
PID 3536 NOTEPAD.EXE (command line in the process tree: C:\Users\Admin\Desktop\RECOVERY.TXT)
Suspicious behavior: EnumeratesProcesses (64 IoCs, report cap)
PID 2892 kxbvfewsldpm.exe, 64 process-enumeration events
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
PID 2584 msedge.exe, 6 events. Edge creates its helper processes with the block-non-Microsoft-binaries mitigation policy; this is the browser's own hardening, not malware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs, report cap)
Privileges enabled, grouped by process:
PID 5068 e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe: SeDebugPrivilege
PID 2892 kxbvfewsldpm.exe: SeDebugPrivilege
PID 4156 WMIC.exe (each privilege enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 648 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 2276 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (the section's 64-entry cap truncates this second list)
WMIC.exe enables every privilege available in its token at startup regardless of the query, so the WMIC rows are noise; the two SeDebugPrivilege adjustments by the sample and its dropped copy are the malware's own. The numeric entries 33 to 36 are privilege LUIDs the sandbox did not name: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.
Suspicious use of FindShellTrayWindow (25 IoCs)
PID 2584 msedge.exe, 25 events
Suspicious use of SendNotifyMessage (24 IoCs)
PID 2584 msedge.exe, 24 events
Both are ordinary window-manager interactions by the browser that was launched to show the HTML note; neither is attributable to the ransomware.
Suspicious use of WriteProcessMemory (64 IoCs, report cap)
Parent-to-child writes, grouped (source PID and image, target PID, sandbox process index, number of writes):
PID 5068 e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe wrote to 2892 (index 82), 3 writes
PID 5068 e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe wrote to 2024 (index 83), 3 writes
PID 2892 kxbvfewsldpm.exe wrote to 4156 (index 86), 2 writes
PID 2892 kxbvfewsldpm.exe wrote to 3536 (index 104), 3 writes
PID 2892 kxbvfewsldpm.exe wrote to 2584 (index 105), 2 writes
PID 2584 msedge.exe wrote to 840 (index 106), 2 writes
PID 2892 kxbvfewsldpm.exe wrote to 2276 (index 107), 2 writes
PID 2584 msedge.exe wrote to 3668 (index 109), 40 writes
PID 2584 msedge.exe wrote to 2924 (index 110), 2 writes
PID 2584 msedge.exe wrote to 4872 (index 111), 5 writes
Every write here goes from a parent to a child it has just created. CreateProcess writes the process parameters into the new child, so these entries mirror the process tree rather than evidencing code injection; the tree itself is the useful artefact.
System policy modification (1 TTPs, 2 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System by kxbvfewsldpm.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" by kxbvfewsldpm.exe
Under UAC, network drives mapped by the user's filtered token are not visible to processes running with the elevated token, and vice versa. EnableLinkedConnections=1 links the two tokens so both see the same mapped drives, which lets an elevated encryptor reach the victim's mapped shares. The value is normally absent on a managed host, so its creation by anything other than an installer or policy tool is a strong signal in its own right.
Uses Volume Shadow Copy service COM API
The WMIC shadowcopy delete commands above drive the Volume Shadow Copy service through its COM API; vssvc.exe (PID 648) starting with SeBackupPrivilege and SeRestorePrivilege is the service-side footprint of that request.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e3c7a712d0aa4db4b62ca2a2abc3af89_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\kxbvfewsldpm.exeC:\Windows\kxbvfewsldpm.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2892 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe65446f8,0x7fffe6544708,0x7fffe65447184⤵PID:840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:24⤵PID:3668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:34⤵PID:2924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:84⤵PID:4872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:14⤵PID:4976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 280)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4, PID 4472)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4, PID 1684)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 2172)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 2684)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 2904)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 4248)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,9453926157240567672,2642067427469737850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
C:\Windows\System32\wbem\WMIC.exe (depth 3, PID 2276)
    Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3304)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KXBVFE~1.EXE
    Signatures: System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2024)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3C7A7~1.EXE
    Signatures: System Location Discovery: System Language Discovery

Note on the three entries above: "wmic shadowcopy delete /nointeractive" removes every Volume Shadow Copy without prompting, which is what the "Deletes shadow copies" signature refers to; the AdjustPrivilegeToken hit is the privilege enablement needed for that. For the two cmd.exe entries the image path is C:\Windows\SysWOW64\cmd.exe although the command line names C:\Windows\system32\cmd.exe; that is WoW64 file-system redirection for a 32-bit parent process, not a tampered path. The DEL targets are 8.3 short names (KXBVFE~1.EXE, E3C7A7~1.EXE), which defeat detection rules that match on the full executable name; one is in C:\Windows, the other in the user's Temp folder where the sample was run, i.e. the malware removes its own binaries after execution.

C:\Windows\system32\vssvc.exe (depth 1, PID 648)
    Command line: C:\Windows\system32\vssvc.exe
    Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 5040)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 3300)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
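The two behaviours in the process tree above, shadow copy deletion through WMIC and self-deletion through "cmd /c DEL" with 8.3 short names, are the ones a detection engineer would want to catch from process-creation telemetry. The following is an added example written for this page, not code from the sandbox vendor or from the report. The sample events are constructed: the command lines for PIDs 2276, 3304, 2024 and 648 are copied from the tree, the parent image given for PID 3304 is assumed (the report section above does not show parents), and the two PID 9xxx events are benign controls. It also goes beyond the report by treating "vssadmin delete shadows" as an equivalent of the WMIC command, which this sample did not use.

```python
"""Flag shadow-copy deletion and cmd.exe-driven executable deletion in
process-creation events (Sysmon EID 1 / Security 4688 style fields).
Added example for this report; all telemetry below is constructed."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str                      # path of the created process image
    command_line: str
    parent_image: Optional[str] = None


# Constructed sample telemetry. Command lines of PIDs 2276, 3304, 2024, 648
# come from the report's process tree; parent_image for 3304 is an ASSUMPTION
# (the report does not show it here); PIDs 9001/9002 are benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(2276, r"C:\Windows\System32\wbem\WMIC.exe",
                 r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcessEvent(3304, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KXBVFE~1.EXE',
                 parent_image=r"C:\Windows\kxbvfewsldpm.exe"),          # assumed parent
    ProcessEvent(2024, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3C7A7~1.EXE'),
    ProcessEvent(648, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcessEvent(9001, r"C:\Windows\System32\wbem\WMIC.exe",
                 r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy list brief'),
    ProcessEvent(9002, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\notes.txt',
                 parent_image=r"C:\Windows\explorer.exe"),
]

# Built-in tools that delete Volume Shadow Copies, keyed by image name.
# vssadmin is added as the general case; the report only shows wmic.
SHADOW_DELETE_PATTERNS = {
    "wmic.exe": re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I),
    "vssadmin.exe": re.compile(r"\bdelete\s+shadows\b", re.I),
}

# "cmd /c DEL <something>.exe": first argument after DEL/ERASE ending in .exe
CMD_DEL_EXE_RE = re.compile(
    r"""(?ix)
    \bcmd(?:\.exe)?"?\s+/[cC]\s+(?:del|erase)\b\s+   # cmd /c DEL
    (?P<target>[^\s&|<>]+\.exe)\b                  # deleted executable
    """)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def is_shadow_copy_deletion(ev: ProcessEvent) -> bool:
    pattern = SHADOW_DELETE_PATTERNS.get(image_name(ev.image))
    return bool(pattern and pattern.search(ev.command_line))


def cmd_deletes_exe(ev: ProcessEvent) -> Optional[str]:
    """Return the .exe path deleted via cmd.exe, or None."""
    if image_name(ev.image) != "cmd.exe":
        return None
    m = CMD_DEL_EXE_RE.search(ev.command_line)
    return m.group("target") if m else None


def short_name_matches(short_name: str, long_name: str) -> bool:
    """Heuristic 8.3 check: ABCDEF~1.EXE is normally the first six characters
    of the long stem plus ~N. NTFS switches to a hashed form on collisions,
    so this can miss, never match falsely on the prefix."""
    s_stem, s_ext = ntpath.splitext(short_name.upper())
    l_stem, l_ext = ntpath.splitext(long_name.upper())
    if "~" not in s_stem:
        return short_name.upper() == long_name.upper()
    prefix = s_stem.split("~", 1)[0]
    return bool(prefix) and l_stem.startswith(prefix) and s_ext == l_ext


def triage(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    """(pid, finding, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        if is_shadow_copy_deletion(ev):
            findings.append((ev.pid, "inhibit_system_recovery", ev.command_line))
        target = cmd_deletes_exe(ev)
        if target:
            label = "exe_deleted_via_cmd"
            if ev.parent_image and short_name_matches(ntpath.basename(target),
                                                      ntpath.basename(ev.parent_image)):
                label = "parent_self_deletion"          # child deletes its parent's image
            elif "~" in ntpath.basename(target):
                label = "exe_deleted_via_cmd_8.3_name"  # short name, parent unknown
            findings.append((ev.pid, label, target))
    return findings


if __name__ == "__main__":
    for pid, label, detail in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {label}: {detail}")
```

Run as a script it prints three findings (PIDs 2276, 3304 and 2024) and nothing for vssvc.exe, the "shadowcopy list" control or the .txt deletion. The 8.3 comparison is deliberately a prefix heuristic: resolving the real long name needs a file-system lookup on the host, which post-hoc telemetry cannot do once the file is gone.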
Network
MITRE ATT&CK Enterprise v15 (the number after each technique is the report's hit count)
Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
        Registry Run Keys / Startup Folder (T1547.001): 1
Credential Access
    Credentials from Password Stores (T1555): 1
        Credentials from Web Browsers (T1555.003): 1
    Unsecured Credentials (T1552): 1
        Credentials In Files (T1552.001): 1
Downloads
Filesize: 8KB
MD5: 5526518097fb4c37172c8bfd60631d52
SHA1: c27020e1e2cf36f4c30aae1288895b8060bed0ca
SHA256: d2677bee62cda024ca1d9a87c51842143c8eb40739ac6fe2435de4b5d086f734
SHA512: 3b93645f26cfbe9d282bd38abab75298ca63ba08edc9003cf09030114983c4a104d9a78490fb71ba41306b0930a9ac5773bb99015be28d000e460e6ac19f135a

Filesize: 65KB
MD5: 5c0d0b7131cd9dfbe2fdc31139c611a2
SHA1: a5941ed896792d1afa06e476e26ec325246cce35
SHA256: c869b6841fa46301f37200b229f71ec2200ab1a57d5811ddde626c80844418ec
SHA512: dc4aa2aab65ff67f3ce3d8b52a4a3bddef90a0665ec5c63ac18ac5f05e8502cce66de3ea338da8de8fc7881a00fa45379aea4219f58c0b4d6a18fa03b5d6502f

Filesize: 1KB
MD5: a3e1492405b0b13b2ee7d9e9647bd557
SHA1: 34869b026d2205f255082783cccfea8a0bd7322c
SHA256: c2e10a3f56f92ef9ca45dcff70444c279a3df80ad8dc55b22aa4f5b8de0f180d
SHA512: 2bae67cf3b5356b4eff0853885f02ba7b777ac2e8595b73cb9070514f49300ab6cde378411624901fb2199fc68b08beab99429be2a13827e685503527b9c2d9d

Filesize: 560B
MD5: a164c0b92db93aa19e218a4de9b3c966
SHA1: b913c168866c616a8d7a75b7ba7f84ca0b87a747
SHA256: 24c883261cc699a855d9d0f9c42f26ba72650a9027366db5e09b5bb6dd9865b3
SHA512: 0b58a2f90e54605db0d88cfe5e2fb01e8d87d58af00c7af3e62b24fc09f711cf7661df32bdaf3691fb78a4d9bf2e52bb069c51efc7d5819c1112bdf0210d375f

Filesize: 560B
MD5: 4a4141afc1193c020da61782de9eead2
SHA1: cd1ed30da95a313aecd33430695890c40fc87a99
SHA256: e4a501dea357a6554bbc8225476bc02522444534aaa25a2ebfe5d10e3c00ca12
SHA512: 48a4b97d153028bc5cf898cbc9de640c31b6c56317179645f34a098c253f61c270fd9265c7ccd7ccbee4612cda4924ccc67dcef0115b9cdc61b78e64e5f27b09

Filesize: 416B
MD5: 907616b1a33a1fb3f6030bcc5f0ec37d
SHA1: 4612f912f5c762c232202d2d25cc62d11f0174e2
SHA256: 789a9e35bf63c1aa7f6acec5bdccddba04b9f1785ecc685cf50584fb7512df76
SHA512: 5189317b1c66a813dd1b45b5be3bba95a58e100efecc981302fe59138ec652540e7467f798c57d3b065937f4f424b1c71cb36324c86b80e79fc3f5f1e05e0974

Filesize: 152B
MD5: 7de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1: 010da169e15457c25bd80ef02d76a940c1210301
SHA256: 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512: e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Filesize: 152B
MD5: 85ba073d7015b6ce7da19235a275f6da
SHA1: a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA256: 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512: eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\34898354-9cb3-479e-923e-7710636763fa.tmp
Filesize: 6KB
MD5: d644e9836d37014940bd36ca3308ce1e
SHA1: 94b904e6d823425a71bd585679191a93843139bf
SHA256: 46c9a6f33495f51fabcea0b574db8c52b06b283d55172dcd272d80f1cd34a58e
SHA512: 63316a410daed1448c3fe499803e4b5e4437dbe9a9f947f06fb0baa0e34c8fd81c3e0e9de7ef97cbf345675971d61ee48c5196c02f68e7d23ce4bb6f40fe98cf

Filesize: 5KB
MD5: a4d65491cb40e5be3a5cc9a79889b669
SHA1: ba9e3684534bfa784f1abeec4b946cf9bcfc12f1
SHA256: 198259b796f741594faad22d312b903a329e02d4201818f155cbc9285b938419
SHA512: 1cd15e4ae8991a0eb22cc7482b9efc698448b44cdb6c26e50b6ff2751c96f2b001a6092f708b00a4c47cdb7b2befec83fd7bb5bd02aa611d97e839710a3a475a

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 28eb49bad3024d2a5a5ae4cf55bcd31f
SHA1: 3b96a10162c2b7b9a9cad7643dc9d67bf20d6639
SHA256: 01aeee9df3183c8d9d05f1db88dd7500fedff0f87815cda452738b1cb5513714
SHA512: 27de0673e5757e9abe2e823d17f66631e13f83e60044665ef81305f234c5b2bb24e42df48534f43f6467a7afec337d4d4a47307b96f2196a5f436ac782ce8068

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656298443196.txt
Filesize: 77KB
MD5: 4c76e2b5c33ce72e57b00a33f4155b8d
SHA1: 4cfae7c32cbbf22bec68adcd847ed20386b30038
SHA256: fb65e123a57bc95fc03727bbed4dd58c66079af027be288add9f0e63c7596924
SHA512: 88f66ec095b2533efbc474aec0b6e00fd24af14bb8380c4dcc3e6813b6422487e919ca66e03baa8f4c8c3e9a1108e5965c0c52f2a279114e01b9f9a10d738fbe

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt
Filesize: 47KB
MD5: 8d45b9f660869bd519893e3f87f55099
SHA1: 9bb0025227722bfbdfee296faf02bfb97cdae143
SHA256: bd10e327fce62984d1bf79b2d3f6cbd80dca872e60ac237cfac0c4fc16f48cd5
SHA512: a54a04f07cd41fb567e26fc91c23cb1e0f783747f1101915c26571994148500a42d3a9dc494751928300ff98324448d567de4bee841e2e3b0370c3e7bf33de35

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666039184869.txt
Filesize: 74KB
MD5: 917dbf7bc198672e7a31ce3d05627288
SHA1: 297a36af17dc41d6761c59b18693c0c098778e69
SHA256: 05270637e06376724e788a7108690f2f984cf7bb61de6344b18de3bd1e3e4316
SHA512: defd733ae0e3932b2c80145563ea73f8ec8535106f18587cb36ab18ca526f3493f8abf1ec1c428f4437aff92a9c573480f19a0da8f6560effef95f17a63b941f

Filesize: 396KB
MD5: e3c7a712d0aa4db4b62ca2a2abc3af89
SHA1: 80ebc294329a7d40e6ac13feedf0b5554fdf8a38
SHA256: c46d526ed752a808427220c412135972ed2fbfac2476b9fcd6b74b330e4dc9a3
SHA512: 814df1437244043bfd5a7803b208695badc87b3a862f24f25b838b8eaee82c91314d5fdd2f52286494fd2499da48a1efb4738235eddc94bd04b7dc14d4cde8fb