Analysis
- max time kernel: 139s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 21:08

Static task: static1

Behavioral task: behavioral1
- Sample: fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe
- Size: 328KB
- MD5: fd1f075a3d1e23355b3d11eee0033a4a
- SHA1: de2fc8f931ee4807cfe33fe21423818d38480f49
- SHA256: 36732c7840d2cff5a1759b97f63777493f4b5a43304ab9cd0cb21c94806832a2
- SHA512: 6724ca14ae693b782f27417c43a1a0d39654fc52ff16461c6bd6faf68c99cf611f80106e1831402af5c668b0f2b9ca2220f5a07e0a982d329ffcdf3585f84dbf
- SSDEEP: 6144:bTZlzC2Ena1wjOud9vy9672m/kkI1Nf7fbBL0pjnthRKUFQjX31kAeKv1:/XzC2Ca1wjOh967x/7I1F9K1AX3HeK9
Malware Config
- Extracted from: C:\Program Files\7-Zip\Lang\Recovery+oepex.txt
- Family: teslacrypt
- URLs:
  - http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9262D41CD58223C
  - http://kkd47eh4hdjshb5t.angortra.at/9262D41CD58223C
  - http://ytrest84y5i456hghadefdsd.pontogrot.com/9262D41CD58223C
  - http://xlowfznrg4wf7dli.ONION/9262D41CD58223C
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Teslacrypt family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (868) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | gtvjudpyjxit.exe
- Drops startup file (6 IoCs)
    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+oepex.png | gtvjudpyjxit.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+oepex.txt | gtvjudpyjxit.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+oepex.html | gtvjudpyjxit.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+oepex.png | gtvjudpyjxit.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+oepex.txt | gtvjudpyjxit.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+oepex.html | gtvjudpyjxit.exe
- Executes dropped EXE (1 IoC)
    pid | process
    4220 | gtvjudpyjxit.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhsmclsxtyyk = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gtvjudpyjxit.exe\"" | gtvjudpyjxit.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs)
    description | ioc | process
    File created | C:\Windows\gtvjudpyjxit.exe | fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe
    File opened for modification | C:\Windows\gtvjudpyjxit.exe | fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gtvjudpyjxit.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (1 IoC)
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | gtvjudpyjxit.exe
- Opens file in notepad (likely ransom note) (1 IoC)
    pid | process
    556 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
- Suspicious use of FindShellTrayWindow (25 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- System policy modification (1 TTP, 2 IoCs)
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gtvjudpyjxit.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | gtvjudpyjxit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd1f075a3d1e23355b3d11eee0033a4a_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\gtvjudpyjxit.exeC:\Windows\gtvjudpyjxit.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4220 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4216
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2f9146f8,0x7ffe2f914708,0x7ffe2f9147184⤵PID:2400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:24⤵PID:4796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:34⤵PID:2800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:84⤵PID:2628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:14⤵PID:1368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:14⤵PID:2868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:84⤵PID:3096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:84⤵PID:3780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:14⤵PID:1868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:14⤵PID:1052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:14⤵PID:3708
-
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1289631341137794052,16924151872690411403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
Tree depth: 4
PID: 1360

Image: C:\Windows\System32\wbem\WMIC.exe
Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
Tree depth: 3
Signatures: Suspicious use of AdjustPrivilegeToken
PID: 4700

Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GTVJUD~1.EXE
Tree depth: 3
Signatures: System Location Discovery: System Language Discovery
PID: 3132

Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\FD1F07~1.EXE
Tree depth: 2
Signatures: System Location Discovery: System Language Discovery
PID: 2904

Image: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Tree depth: 1
PID: 1052

Image: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Tree depth: 1
PID: 4408

Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 7KB
MD5: 04787b0ac612852a9b1161e697660e43
SHA1: 04fd11e32389563a1bee12f27bc6a06aa13d12b1
SHA256: 637a2919d6643293c37430f91295596290e826c2763cebc1ecb46fa3f12e4100
SHA512: ad3f3f8ddea8e5907cc3a383cbbc7d283937cf74a4d88cddc1377904c7e01c1e4ae14c5f139e9872191c5e1ccf5e46313aa144645f205ba9a4c2d94ffe59ca26

Filesize: 63KB
MD5: a1271667f73ae34194a7d4c2608bc6e9
SHA1: a62faca6782ef66a8e9aa2cae5b96bbe744ba43b
SHA256: c8a0c44fc37fd378ee1f55bfc0eddb3aa4267bc4e6d1e550825827f41abcc023
SHA512: 08a72d0bc44703fc2c58d2f33a111289b491db5262630acd72f516f3719d0991de3ac1dcee7cc8cd6bc7c3fa9ac99a6e6b90da1b861a5aca900d35e4a959d808

Filesize: 1KB
MD5: 4c7775c8e42c3b032df201b6b2d0d146
SHA1: fac179a3bd2a1be9cf3831cc50e506b075534318
SHA256: 43789a1cc811e400883d188030491befab61a7d53d09e2b400c4b06338aac587
SHA512: fc6c767629a5030b452dbf309cb0fc0ea02bdbf0ffa2ea24c1fca3f2a5628e3b3f5217d5159f62b686c55edd36a889bf00a51fe816912fffd22c20fb11a4109a

Filesize: 560B
MD5: 09538b5ace0109cfe1f2b7e642a1c6d5
SHA1: 4698ed1c9d3d8d522d9a0206305bc1486b9449a4
SHA256: 6c9651340d051297b7ff9e7d4fa6a8ea23546143675cb063e1d2c185940220cc
SHA512: 1bd564ec20b5f83435eed87a060f0e1ca753396b34ff1162d9f3d4b2905063d954ac4ca3093fed78d19a877a4d5c00051afd00499b5951003ea8a560d620e824

Filesize: 560B
MD5: fa59b374c7ce8eb2a7b6eb0237a5945c
SHA1: dce862615b7c6879b1e48c72d69b482c8ca985fe
SHA256: 4b615139d3e4755d5a7ddade0450f425da39b9ca1917ccaf21677601780a6f20
SHA512: 2649f0f6ed1039ff3233212826c5a519e94b51af872acea7d3a8321d75e457f3100008e66b8a504874b24e80d3f3a20289af57b9edeb6c0c3812645b7dbd45be

Filesize: 416B
MD5: 7dfa04f52b5d59d9d32e1e5900913839
SHA1: 7887716e0617df191bdc330a448d4e4db89129a4
SHA256: 592b6009664f39ba07d5c2178e58503cdf27970e225f3c71c2db6ff7944c3cc5
SHA512: 0ed799f020fa9d3e324961434c9e6b2470dbc2dca45b9daea8d4c9ff2019d4fcc0b38722f95b57aac713039504ee1011c65188911fdabc7706c6fd6b7e89c08a

Filesize: 152B
MD5: c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA1: 4d16a7e82190f8490a00008bd53d85fb92e379b0
SHA256: 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512: d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Filesize: 152B
MD5: e55832d7cd7e868a2c087c4c73678018
SHA1: ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256: a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512: 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Filesize: 5KB
MD5: 5865926f349de36601df1e8859a5cfd6
SHA1: 9df094b5c2847035d245305f67260b2231b4c404
SHA256: fe97476112968ecaea4eddc8e12fa1bdd511ee29ebeb6c902e77fcddeb862785
SHA512: 356be4382d7e19d856df896d0dd9174a325b2a63172c38bc80289c18223225f5961ce7a17857b8442614466d52b9e49b6860a87a8af356e6feba0e45069714d1

Filesize: 6KB
MD5: eb402e608dddcbabd70a9ffb65183288
SHA1: 895efbef24fbb8ec70045cfccff371e67ffc870a
SHA256: d3d566edf14bac532f0ba8113488806d2469700e719ea8b32667a85ed7e188f7
SHA512: c0405c2b7d949d85b95284ecb993390f8283ebac7e60b0ac69ee1736018934263a9c77da9507867352946ccb1ef4f6c5e3349bd3989162193a2b231fb272092e

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: bf86781c58abcf9beecf8bc35461f0f3
SHA1: 6b1a1f423f192602e29f99cc32b8d9c23d61ed09
SHA256: 6ef6952b744085f31923caaaf2e9ed33a4bed60195bf7631a717f594ca4dd431
SHA512: 82c4cf5ecd19bce63d0090a46ecab55b19b7a650904cf06b33e8dbc3e03d8b12d597e7c765640bd9b766b6edc21214ca0cfbb9a026a4a3953d873d761c19e212

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662820354407.txt
Filesize: 77KB
MD5: dff9a55448f07381f403ff6e350ecb8e
SHA1: 3937359808764154d9a25f40ede149af08ab0f83
SHA256: 4e3b3b656d5f193f1bf705312a65bd2f071a60bdce8280bfe1f8f97f0ff393bf
SHA512: 5a626f67c7c681b00e29ef3379ff86fcba7ecddc2e7eb897ba88e274b3cb11f107cdbe1d50a814c2a54cf65825ffa8da0e711f21d86c11f0382cfd70f8cab3bd

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664176773847.txt
Filesize: 48KB
MD5: 60cd78e973f55590ae0b61ebb492b812
SHA1: f5150ed50c22358df1f358bec29de1eb9a9c0cd0
SHA256: 1a5f0f65be2e464af9c9c5d3ade38d1217c86f4c81f5982721c2b352127cb963
SHA512: 4e5fcb85fdd051a9a9b935c5999106110a06b9835f5c8e20ade34206ca9a6aed539fc79076b060789f33a93d54f80728f105a69623a239a3475670eb1a259604

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727672589120253.txt
Filesize: 75KB
MD5: 7b11200d9c5ef748760ed2e16d241516
SHA1: 613ed0549ad29aa600a2bda18aff527ef8c80712
SHA256: 5ca078674e7437e08afd480e1284f2b972a255c0a7472ec11a9e9a259e4566b7
SHA512: 74fbed6d19d8a598d4153ac95b8a56470b96d450692fd6611ec880dcb94c1e4647dda7ba291977537d783b8b6b428c5b21358552450504e80794b7b915ec4e27

Filesize: 328KB
MD5: fd1f075a3d1e23355b3d11eee0033a4a
SHA1: de2fc8f931ee4807cfe33fe21423818d38480f49
SHA256: 36732c7840d2cff5a1759b97f63777493f4b5a43304ab9cd0cb21c94806832a2
SHA512: 6724ca14ae693b782f27417c43a1a0d39654fc52ff16461c6bd6faf68c99cf611f80106e1831402af5c668b0f2b9ca2220f5a07e0a982d329ffcdf3585f84dbf