Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
20-05-2024 09:59
Static task
static1
Behavioral task
behavioral1
Sample
5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe
-
Size
325KB
-
MD5
5e78544b70dd390f5f466139ddc68a25
-
SHA1
01a4782dbf535bc212d89d2f7e7f11c37b190e2f
-
SHA256
9eccc1413d42ebeef19ec598feee7641476afe08a3c371d405a31549e32f3edb
-
SHA512
c436f11bd1ae7e34f35f0fb2ab90f0b847b3783e444ce6344aece1d6889406bada528c032c984621d43548b075473484f963e3616b5348178008deafd23f9ed4
-
SSDEEP
6144:R9BrvDh5Tsg7q0ROWVjmh2CkYmLzERQc4tpV/pb7:R91vDhlNbbVjmnmLz+QcepV5
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+qqphk.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/1B8D206465F44CC0
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/1B8D206465F44CC0
http://yyre45dbvn2nhbefbmh.begumvelic.at/1B8D206465F44CC0
http://xlowfznrg4wf7dli.ONION/1B8D206465F44CC0
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (424) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process
1796 cmd.exe
-
Drops startup file 3 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
-
Executes dropped EXE 1 IoCs
pid Process
2208 mlkdfkieisxt.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\kfvexvudpchp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\mlkdfkieisxt.exe\"" mlkdfkieisxt.exe
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files\7-Zip\Lang\vi.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\settings.css mlkdfkieisxt.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak mlkdfkieisxt.exe
File opened for modification C:\Program Files\Java\jre7\lib\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Microsoft Games\FreeCell\it-IT\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv mlkdfkieisxt.exe
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js mlkdfkieisxt.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Defender\de-DE\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css mlkdfkieisxt.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Microsoft Games\More Games\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv mlkdfkieisxt.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\7-Zip\Lang\th.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Media Player\Icons\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\7-Zip\Lang\ne.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\7-Zip\Lang\hy.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Microsoft Games\Chess\_RECoVERY_+qqphk.html mlkdfkieisxt.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_RECoVERY_+qqphk.txt mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_RECoVERY_+qqphk.png mlkdfkieisxt.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css mlkdfkieisxt.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\mlkdfkieisxt.exe 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe
File opened for modification C:\Windows\mlkdfkieisxt.exe 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000fff8c4b2e845bc195ec74fbd09e176b2eec5c6fe17d81db22daca6fe51bc1d82000000000e80000000020000200000000fca938edf2b1c96c4cf947998e08a6686e9448401fd893a9fddaf6335bffddb9000000026f0e37784c34c1fe9dd3e5e0e7e69b6092c14a21d4ae4b19dcb1ff592a274dbe69fea32ac240600cf758c2ee5b059429d399b8d07c01fe593777945efe0005d4718480e1754aff4658fbe57922e31e751c7441d6d26573fa6fa62adb3f829af16178589fcf941804a5603a4353f815f9cf45de60765bfa610538a0fbaf768a64c6dce092d85151de74027bc546068c4400000008b8acaf4fe7fb55fa54a4f73ec765a24e1a349acd7b22f9f86ac2749090075926532875009e4d9c36ab5321771adf2e40263d62b366a0aa5d877504ca102061e iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 508e8b8b9caada01 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000ce636170790b7de3b5a9960aed679721e7608d2fe52f8244f60c1fadf42b6551000000000e8000000002000020000000fd72b8d1b1206582afa4221ada364f5f24c42ba12f827a1379cda04858b55b6c2000000075b6ffbb3d8c756bbbaa9166efed92018cf9f47696da60cb63807767ae02f4c840000000e21237f6e4cd2b8da405744335617970b188e19bf5501136bdc301491f247cb59b061a29a479987a3aed45831e0c041eb3a932442c3666c0dd53603907e1b1ad iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B70CF1E1-168F-11EF-931A-4205ACB4EED4} = "0" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422361064" iexplore.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
1484 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
2208 mlkdfkieisxt.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe
Token: SeDebugPrivilege 2208 mlkdfkieisxt.exe
Token: SeIncreaseQuotaPrivilege 2740 WMIC.exe
Token: SeSecurityPrivilege 2740 WMIC.exe
Token: SeTakeOwnershipPrivilege 2740 WMIC.exe
Token: SeLoadDriverPrivilege 2740 WMIC.exe
Token: SeSystemProfilePrivilege 2740 WMIC.exe
Token: SeSystemtimePrivilege 2740 WMIC.exe
Token: SeProfSingleProcessPrivilege 2740 WMIC.exe
Token: SeIncBasePriorityPrivilege 2740 WMIC.exe
Token: SeCreatePagefilePrivilege 2740 WMIC.exe
Token: SeBackupPrivilege 2740 WMIC.exe
Token: SeRestorePrivilege 2740 WMIC.exe
Token: SeShutdownPrivilege 2740 WMIC.exe
Token: SeDebugPrivilege 2740 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2740 WMIC.exe
Token: SeRemoteShutdownPrivilege 2740 WMIC.exe
Token: SeUndockPrivilege 2740 WMIC.exe
Token: SeManageVolumePrivilege 2740 WMIC.exe
Token: 33 2740 WMIC.exe
Token: 34 2740 WMIC.exe
Token: 35 2740 WMIC.exe
Token: SeIncreaseQuotaPrivilege 2740 WMIC.exe
Token: SeSecurityPrivilege 2740 WMIC.exe
Token: SeTakeOwnershipPrivilege 2740 WMIC.exe
Token: SeLoadDriverPrivilege 2740 WMIC.exe
Token: SeSystemProfilePrivilege 2740 WMIC.exe
Token: SeSystemtimePrivilege 2740 WMIC.exe
Token: SeProfSingleProcessPrivilege 2740 WMIC.exe
Token: SeIncBasePriorityPrivilege 2740 WMIC.exe
Token: SeCreatePagefilePrivilege 2740 WMIC.exe
Token: SeBackupPrivilege 2740 WMIC.exe
Token: SeRestorePrivilege 2740 WMIC.exe
Token: SeShutdownPrivilege 2740 WMIC.exe
Token: SeDebugPrivilege 2740 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2740 WMIC.exe
Token: SeRemoteShutdownPrivilege 2740 WMIC.exe
Token: SeUndockPrivilege 2740 WMIC.exe
Token: SeManageVolumePrivilege 2740 WMIC.exe
Token: 33 2740 WMIC.exe
Token: 34 2740 WMIC.exe
Token: 35 2740 WMIC.exe
Token: SeBackupPrivilege 2572 vssvc.exe
Token: SeRestorePrivilege 2572 vssvc.exe
Token: SeAuditPrivilege 2572 vssvc.exe
Token: SeIncreaseQuotaPrivilege 2496 WMIC.exe
Token: SeSecurityPrivilege 2496 WMIC.exe
Token: SeTakeOwnershipPrivilege 2496 WMIC.exe
Token: SeLoadDriverPrivilege 2496 WMIC.exe
Token: SeSystemProfilePrivilege 2496 WMIC.exe
Token: SeSystemtimePrivilege 2496 WMIC.exe
Token: SeProfSingleProcessPrivilege 2496 WMIC.exe
Token: SeIncBasePriorityPrivilege 2496 WMIC.exe
Token: SeCreatePagefilePrivilege 2496 WMIC.exe
Token: SeBackupPrivilege 2496 WMIC.exe
Token: SeRestorePrivilege 2496 WMIC.exe
Token: SeShutdownPrivilege 2496 WMIC.exe
Token: SeDebugPrivilege 2496 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2496 WMIC.exe
Token: SeRemoteShutdownPrivilege 2496 WMIC.exe
Token: SeUndockPrivilege 2496 WMIC.exe
Token: SeManageVolumePrivilege 2496 WMIC.exe
Token: 33 2496 WMIC.exe
Token: 34 2496 WMIC.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1032 iexplore.exe
1196 DllHost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1032 iexplore.exe
1032 iexplore.exe
228 IEXPLORE.EXE
228 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target
PID 2428 wrote to memory of 2208 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe 28
PID 2428 wrote to memory of 2208 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe 28
PID 2428 wrote to memory of 2208 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe 28
PID 2428 wrote to memory of 2208 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe 28
PID 2428 wrote to memory of 1796 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe 29
PID 2428 wrote to memory of 1796 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe 29
PID 2428 wrote to memory of 1796 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe 29
PID 2428 wrote to memory of 1796 2428 5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe 29
PID 2208 wrote to memory of 2740 2208 mlkdfkieisxt.exe 31
PID 2208 wrote to memory of 2740 2208 mlkdfkieisxt.exe 31
PID 2208 wrote to memory of 2740 2208 mlkdfkieisxt.exe 31
PID 2208 wrote to memory of 2740 2208 mlkdfkieisxt.exe 31
PID 2208 wrote to memory of 1484 2208 mlkdfkieisxt.exe 39
PID 2208 wrote to memory of 1484 2208 mlkdfkieisxt.exe 39
PID 2208 wrote to memory of 1484 2208 mlkdfkieisxt.exe 39
PID 2208 wrote to memory of 1484 2208 mlkdfkieisxt.exe 39
PID 2208 wrote to memory of 1032 2208 mlkdfkieisxt.exe 40
PID 2208 wrote to memory of 1032 2208 mlkdfkieisxt.exe 40
PID 2208 wrote to memory of 1032 2208 mlkdfkieisxt.exe 40
PID 2208 wrote to memory of 1032 2208 mlkdfkieisxt.exe 40
PID 1032 wrote to memory of 228 1032 iexplore.exe 41
PID 1032 wrote to memory of 228 1032 iexplore.exe 41
PID 1032 wrote to memory of 228 1032 iexplore.exe 41
PID 1032 wrote to memory of 228 1032 iexplore.exe 41
PID 2208 wrote to memory of 2496 2208 mlkdfkieisxt.exe 43
PID 2208 wrote to memory of 2496 2208 mlkdfkieisxt.exe 43
PID 2208 wrote to memory of 2496 2208 mlkdfkieisxt.exe 43
PID 2208 wrote to memory of 2496 2208 mlkdfkieisxt.exe 43
PID 2208 wrote to memory of 288 2208 mlkdfkieisxt.exe 45
PID 2208 wrote to memory of 288 2208 mlkdfkieisxt.exe 45
PID 2208 wrote to memory of 288 2208 mlkdfkieisxt.exe 45
PID 2208 wrote to memory of 288 2208 mlkdfkieisxt.exe 45
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" mlkdfkieisxt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System mlkdfkieisxt.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\5e78544b70dd390f5f466139ddc68a25_JaffaCakes118.exe" 1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\mlkdfkieisxt.exe C:\Windows\mlkdfkieisxt.exe 2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2208 -
C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT 3⤵
- Opens file in notepad (likely ransom note)
PID:1484
-
-
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM 3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2 4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:228
-
-
-
C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MLKDFK~1.EXE 3⤵
PID:288
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5E7854~1.EXE 2⤵
- Deletes itself
PID:1796
-
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} 1⤵
- Suspicious use of FindShellTrayWindow
PID:1196
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
12KB
MD5
6b21ee0558ae8663aa8e1ab0b593195e
SHA1
ea97c9aabb1bc344cc9b024cff4ea236b2a7db08
SHA256
b9141ed9391db2fb8138916d45b610a50693ca2e8854a293887ad0515021a7e7
SHA512
118dee6d1ad578a7ddf13571e4b31c50ed082f0d78f3cb123f77de8f7b57b86f5a1a8203459d35f7ddf3ccad3f7ef4498411590b8268c8a0f49b2b4788117aef
-
Filesize
65KB
MD5
db0b48f92b16fc0256467f982bbf5c0b
SHA1
ec072b2a68e612544189f1df4a1c208c6754e0ec
SHA256
5c2e8acbcb470b13971e8142e5d1b69819968d4a6651ec0e8690244d83433f0a
SHA512
b6cfa43c8aeaf04e878b075974337969d23d6e137e34a187e58e21a205d67c1183576434ca54e2864f59896c46da187e7c1a24e60003f24c73f927a2a7d81064
-
Filesize
1KB
MD5
0f8035b5bc82d64e52e1e74360f21b08
SHA1
c41f9308da4bf43afd1439f5991e1f436d071ba0
SHA256
28fa009b8b711758065b74d8dfb5fd41d4bf066cad829b2c274476932a4f3983
SHA512
1fba46039723859694610e58d4601ca6989c5b240c05c0dcba2b7a6e1c541c1ff69d09ba4f2ddfb3ab699fae8ce6185f4514bbfe9507b40dad1a35bcc8de73db
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize
11KB
MD5
1f6ec11ac81e1da3f2e1b491e3f61c81
SHA1
94a8de9e3dbf1859d99b9c8dc5dc775dc431a028
SHA256
4111ddc6207ddd243357b0bd7fa7cec6757f9b16691c5ce9e39d4303f445efb8
SHA512
97a47539df61a0dc82e9af329a460df44de97ce58406af4aea4f2b38ab0223ed3ef3faff6457e309a246381202bcfee31da07bba7ca01bdc9102ef5680212ad2
-
Filesize
109KB
MD5
3ced1cdefb1d5d0b93f4abe6b5e680e2
SHA1
cd45b4cf03ea156833b33a9883d67738fda6e4f3
SHA256
5b07cfef44268c4c6b79b21de1f57bb5073ee73ad72a43b2a16cae7630c096c6
SHA512
cf03c08932a4d5ef5c6504c30406f7fd3ac6d99ee61670b0b6bd447a8e179a7032906040505691e46ab47747d51140aca8d6595172586f54860f81002d68bad7
-
Filesize
173KB
MD5
2d678b76abf4af7c6fbcc378d37fff0a
SHA1
d65753f765eb7e3317e18ae9fabfbedc8a23ae89
SHA256
c14356aaf9e0286901e6a9c63dccc3d44bbad5aeea522679661a8ca38accefd7
SHA512
175047dba7d217a28d3f696d66b4d526902850f155b33e849f8515ffab590d236d08e10ce018a441b5437afdc8562d35fc5d542e4c7c51517e6a4123e681b2dc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
a870cd55d4fc8a943bb72861cfe109e5
SHA1
f66c6b4bfa2b069989a677ab925dd5651380c387
SHA256
50e0dd2ee386bca32e834e050892db8217a3ec66572aa3775c59712abb9b37b5
SHA512
48e8baec4325b97fbc396bf03fb6f6f9474e5ea235e74fd75091a9091c171bd48d5e8082c01ffb9b877a2335e183efcfa498a5f745c4537be9659034d2634f40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
147eff8026db11dae5892d0d1d79f32f
SHA1
c150df903b942849cf5fe01d43aba55683ce7074
SHA256
208a71b8af8c31a4ba231e78a7f29ead6d9d3cb896f1e35fb93aafc66503ff37
SHA512
bfdacc981b8c108a7a1d569538b62dbd47d34c0d684416148b2db3fbab4f4f9b25fd424999092fbabb1ef6512f128997130c340f7420d0280c88ace7e5b8ebb5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
2f11f66cb60be9f075ca8d8990eff21a
SHA1
1afe45cb8f752e5b5ea5aee026f52766dc973434
SHA256
a023cbf24bdca55d4272513033e577dddfb92e17a44000bd5a8939f161328881
SHA512
a66130a31dd25f3645cf2879febe271c9b448e48ec5b299767c6d0a3b7e7ba1b9fdcdc0fcecd19204a7d09f7441041c8e909f37422b71545ef91a538fae923b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
9f2bfd7dc8efda48be8f7d1b0978eb4d
SHA1
48acba629e4cb09298d5899d9720fdc97ef12a4b
SHA256
c1da3d517243d5a7899a33191be8b594dec87c4f00c8c7f32fa8d2153d41b968
SHA512
adfff0018c1af7c061f6d6bbfc299b67386f569fdfa9fdbc7e323212ac8a5aca8cfeee26df2f6fc0dcee6ab7fc425599311744ac69d7d1aed120bca21b16ce91
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
0496346533d7ea896fb4a382665a32d9
SHA1
2517aa7d85ccefdb1b94c117c5f02badfeab6bf8
SHA256
1190cb31d024f115eb70e96f65b9b4d7aac7fe28f2198a9aa69151e6fce1ec3e
SHA512
b66eb07bd50679a9e3bc76f9e6e7f0de79495ac4519ebad271de8ac69e50706731281d96413f2da8af9a53d313094fda29a665101bef8704e0f77b3579c62e1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
bbad18b918f6baa5bdaa5ed346119561
SHA1
9dd5b7050a1166451e85101df4c6648de2733554
SHA256
73d6e90bd4956fe608210f84be6fd31cd374c683272e341ea3afd1b9cf3be849
SHA512
ba3d2eb3957e0517089d7940486965f07433984ce2b42be20bc615de1dcb3786c90c8fbba447f5c8fe04d06d63dfe2ffae8530823f2f4ab6da6e47fc8520a48a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
bd1c0c547dcc208188286daa3ede13ce
SHA1
6fc843a5ecd0cc0a4d4e4d06acae14d94ff07a2b
SHA256
44ef57d7fa3430f7e2c94db621f6fead8cb65a7c34a2b0d3123df27b06758e69
SHA512
b8c985236348f4269600c5923c9582cee43f240d415cc53daac4b9eae13ec82b1abaf030b2702983c0a197f06b31ad720280a682839af04c3c0605b67e86f1dc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
93e304b7a98cf3b1ea29995e22832d60
SHA1
410e9b7e9b90e91fbfefec61cacfce3aa5084d3e
SHA256
046a7a4fd3a61b9ca8ee2fbcf055aea596e245bcb494501a7f9850eeab46596a
SHA512
ca5d361f399b97d8016a549bfe6b4ea82dcc5fb01395176db578866a22cca99f3c253ba624f2cecd8fd075ccac2ac25a51bbb62e4c75cbfd7dc5339103d71cb2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51fdd0806afb7598731ee922bf9c143dc
SHA1e04927111c31de22e126a6df137118d94940826c
SHA256de6b9157a66bef5c9f3d2a86daa4394b83160444ee3ecc6176005c810d1c8fca
SHA512781aea6b5601fa6d3681689cc5aed5880de8c22d146dc4d87e2ea6f52bc4ff5ff9baff8e367992243c7fde72dbd4694b9febb37631ff387416c38f1ffb79d053
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b6fdc930822ae9fa6b92bd7b70792f71
SHA16250efff51d66bca1853329784be2ff2ebbb60fc
SHA2560450351e41d67b934f393f764c6b76bfd5a40d5f53b780dc54387c0359d81698
SHA512fdb4f027edaa725a5ff95e75092914ff2aa10336cb2d2ebdb93e4f9a38fd97b6b3cf0aa0ff6459cec23cae46b0c8c04031a4f8ae10b2798dd79b3164b5daea08
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5daa5f4bfe243a2ad8319651fdb6ee529
SHA17dcdd46d1bc4602a996c2b2aa12d9c3265a8b7b3
SHA256ef681aa68d3cfe51ef92ce805ff9c13f31b257a34bb7c2c679d73d002618df04
SHA512b225523dc5e0dbd095e28e022280dc4368eba092a293e41dc6e5d94b4ac9dd17ee6442678b6f2e5bd4c3aea0584098de4085c8e929dc60fac458b7ed41e84c38
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b2df67e3bc3343e3cf23ee6cc1ccd3c9
SHA12dad42ddd3dbdbfbe492f68771736d1b6ac7344f
SHA256fa0fa9b133a3e474d7503c7ac3352ab490c79047dad9d9ad67ec7e68f8066843
SHA51209be26ef62abb97cbf8df8469611786e5ca79fc2651d600b0c57948b29c2e7ac0ef7377522d0a27192b6d4c4e5fb986e13ef7a098c66241d4358104bc56f5641
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c9a4503613b2566b996793f597017731
SHA10ec7d335e05109d72c1c59dba0485ce379a44427
SHA256eb0c055b0299dd92dd8dfd83419750f2993fc293517928fa76704b3b9b34ff72
SHA51241a88f918dac0ea611b5afb85fab8515c86375d17ff02b78082fd4fa8097f81440d77447cb6beabc4969cffa97a9ffb87d96569924e363a3c3a70ee35ca3e779
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD566642d08a165234566a3c6935fbc4a45
SHA14a9cb987ac3e5d8396180c68397c7b6b6786a939
SHA256738988083f06b5cf11e738bf6be51501d9c4b558c8206bb9f0acfbf559e7545d
SHA5122b3baa6a5eaf77b22ee061e7a6cda8febcfe70d23a6c8c22824e39510d0192f026878244a6bc981c30b3c8f2cf7fcb93d7ce829f1e812d5005cc183b21762bdd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cb80ff1259f9585e2fc606340067ede7
SHA1c84d34931267568b0e7718c81e63ddbeb88b5202
SHA256039b240f9f8072696eb2651bd019357d36e3307805a85271ce311a39e3768c2c
SHA5127035a31bc01513f0ed780317ebdbe3e3e50c1126646533f5cf8de9c487c8285b30a96d903560e0bc747f92d630f8e5f2c678f537f0b3fe189117718ff0cef3b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5332915ab2075f620f7e7441014f0ab79
SHA13b65fa53463b3eb17cdbebff2f926f22914d07b1
SHA256822d85c3a291436bab5a5c61ce27dbcacec4d5b5489cc74d6a2f8a6136f0388a
SHA512ed383743b856545d27a611590a5b20b9ccddf8f5ee0956a640beb9a84a732b5226d72c2f8afbc1e10e6842701822eb4466459c6b31c3d65007a804717317fcbd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD553a411d9e697f9e49573efdc2d7c653d
SHA140c3248a0ba8f4640d42400a2227b5408b80de43
SHA256282758b5a4af6db75da4e97a122ecbdcf5870840551d5d9eef1b9bd0575e81f0
SHA512d67f9bfc38c171edd2953e19018db7af15eaa777ff83c737cc7adedcf6dfafd077b82f99bb6421b503036ccf84d62806907384f03361bd0b8d8e1f447bdd3c51
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD531eba3ea8996b2a6bfe2574586beae70
SHA12b00561b0626426bafcae4dfe79f8a29d2a28ba1
SHA25605084558fa940903c1aef0f019f8feeaf9328e07879c03518b4a57b19046fd20
SHA51273f2277df87357ad3c0058d4b9d5652e6d54479d98e9bc98890a0e699e7963373450b5c00fdb6c9131ec0f0ae0441bc67f58b05408a2a863433e79ca2dabc92e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD525cf761e2c34e7b970bcacbc0872f73c
SHA1e38be9fe1a4228949c8ac0d3dfcb58cd164d1169
SHA25695996b2223b31915567f309205f51687cae035a40cf4e14248f82fe5d91648a4
SHA51270d335e412aa496acde19298caa1b851c499fe7b9433798a12ec50042611cdf0c6d4f375d2996b5b8a6c6fe75d670aa8bcfc427d7c4a927ea2df77d5a12c16c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a6f49792dfbec61f430fda2b2faf1bf0
SHA1f0f3d29b64d896d533bec025fd6faec8a17ccd81
SHA256e4895e3d5fbf709285065ff225947733d40af71c658e124c7adb63f3019a0957
SHA5126621db6e95fa60acec1b218f6405391998af784c6d27d459c2af733690d6c80aba5ff544c1e7c670e22e5a3ac8ed575f5b2676aba15cbb9443e1b60258cdfd59
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
325KB
MD55e78544b70dd390f5f466139ddc68a25
SHA101a4782dbf535bc212d89d2f7e7f11c37b190e2f
SHA2569eccc1413d42ebeef19ec598feee7641476afe08a3c371d405a31549e32f3edb
SHA512c436f11bd1ae7e34f35f0fb2ab90f0b847b3783e444ce6344aece1d6889406bada528c032c984621d43548b075473484f963e3616b5348178008deafd23f9ed4
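Dropped-file listings like the one above are usually copied out of a sandbox report in raw form, with the label and digest run together and some entries missing a path. The following is an added example, not part of this report or of the sandbox's own tooling: a Python parser that turns such a listing into structured records, rejects any digest whose length does not match its algorithm (a mangled copy must not become a bad indicator), and groups entries by path so that the repeated rewrites of the single CryptnetUrlCache metadata file show up as versions of one file rather than as unrelated indicators. The sample text is copied from four entries on this page; the function names, field names and size handling are assumptions.

```python
"""Parse a flattened sandbox 'dropped files' listing into structured IOC records.

Added example, not part of the sandbox report. SAMPLE is copied from entries on
this page; the parser, its field names and size handling are assumptions.
"""
import re
from collections import defaultdict

# Hex-digest length each algorithm must have; anything else is a copy/paste error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^Filesize\s*(\d+)\s*(B|KB|MB)?$")   # "Filesize344B"
SIZE_VALUE_RE = re.compile(r"^(\d+)\s*(B|KB|MB)$")          # "68KB" on its own line
PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # Windows drive path
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024, None: 1}

# Constructed sample: four entries from this page in the report's raw form (label
# and value fused, one path listed twice, two entries without a path, one with
# the size on its own line). Backslashes are doubled only for the Python literal.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015
Filesize344B
MD59f2bfd7dc8efda48be8f7d1b0978eb4d
SHA148acba629e4cb09298d5899d9720fdc97ef12a4b
SHA256c1da3d517243d5a7899a33191be8b594dec87c4f00c8c7f32fa8d2153d41b968
SHA512adfff0018c1af7c061f6d6bbfc299b67386f569fdfa9fdbc7e323212ac8a5aca8cfeee26df2f6fc0dcee6ab7fc425599311744ac69d7d1aed120bca21b16ce91
-
C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50496346533d7ea896fb4a382665a32d9
SHA12517aa7d85ccefdb1b94c117c5f02badfeab6bf8
SHA2561190cb31d024f115eb70e96f65b9b4d7aac7fe28f2198a9aa69151e6fce1ec3e
SHA512b66eb07bd50679a9e3bc76f9e6e7f0de79495ac4519ebad271de8ac69e50706731281d96413f2da8af9a53d313094fda29a665101bef8704e0f77b3579c62e1b
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
325KB
MD55e78544b70dd390f5f466139ddc68a25
SHA101a4782dbf535bc212d89d2f7e7f11c37b190e2f
SHA2569eccc1413d42ebeef19ec598feee7641476afe08a3c371d405a31549e32f3edb
SHA512c436f11bd1ae7e34f35f0fb2ab90f0b847b3783e444ce6344aece1d6889406bada528c032c984621d43548b075473484f963e3616b5348178008deafd23f9ed4
"""


def parse_dropped_files(text):
    """Return one dict per dropped file: optional path, size in bytes, digests.

    Entries end at a '-' separator or at the next path; a digest of the wrong
    length raises ValueError instead of being silently accepted.
    """
    records, current, expect_size = [], {}, False

    def flush():
        nonlocal current
        if any(algo in current for algo in DIGEST_LEN):
            records.append(current)
        current = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_size:                       # previous line was a bare "Filesize"
            expect_size = False
            m = SIZE_VALUE_RE.match(line)
            if m:
                current["size"] = int(m.group(1)) * UNIT[m.group(2)]
                continue
        if line == "-":
            flush()
        elif PATH_RE.match(line):
            flush()                           # a new path starts a new entry
            current["path"] = line
        elif line == "Filesize":
            expect_size = True
        elif (m := SIZE_RE.match(line)):
            current["size"] = int(m.group(1)) * UNIT[m.group(2)]
        elif (m := HASH_RE.match(line)):
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars: {raw!r}")
            current[algo] = digest
        # any other line is report chrome and is ignored
    flush()
    return records


def hash_set(records, algo="SHA256"):
    """Distinct digests for one algorithm, ready for a blocklist or hunt query."""
    return sorted({r[algo] for r in records if algo in r})


def versions_by_path(records):
    """Group SHA256s by path: one key with many digests is one file rewritten many times."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("path", "<no path in report>")].append(r.get("SHA256"))
    return dict(groups)


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    for path, digests in versions_by_path(recs).items():
        print(f"{len(digests)} version(s): {path}")
    print("\n".join(hash_set(recs)))
```

Grouping by path matters here: CryptnetUrlCache holds CryptoAPI's cached CRL/OCSP and certificate fetches and its MetaData files are rewritten whenever that cache is touched, so the seventeen digests listed above for one such file are a side effect of the run rather than seventeen indicators worth blocking. The parser keeps them for completeness but makes them visible as versions of a single path.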