Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 23/05/2024, 18:10
Static task
static1
Behavioral task
behavioral1
Sample
6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
-
Size
340KB
-
MD5
6bcc066e2a81f34c7e052895001f44c6
-
SHA1
6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8
-
SHA256
39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc
-
SHA512
b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c
-
SSDEEP
6144:2//b5dx5w2hahQGvPmZ8n0SylbvO+MeTHLlj9HhRbr3ET4b7ODRJT0luqig:SddvwdhHvPmZiyIXgLl3ZoMq4wO
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+qqgrb.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/59891527158A4F4D
http://tes543berda73i48fsdfsd.keratadze.at/59891527158A4F4D
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/59891527158A4F4D
http://xlowfznrg4wf7dli.ONION/59891527158A4F4D
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (425) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid | Process
1716 | cmd.exe
-
Drops startup file 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qqgrb.png | cbnxpkcnkuwf.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qqgrb.txt | cbnxpkcnkuwf.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+qqgrb.html | cbnxpkcnkuwf.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2624 | cbnxpkcnkuwf.exe
2380 | cbnxpkcnkuwf.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\abtixjcnfuwn = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\cbnxpkcnkuwf.exe\"" | cbnxpkcnkuwf.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3000 set thread context of 2664 | 3000 | 6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe | 28
PID 2624 set thread context of 2380 | 2624 | cbnxpkcnkuwf.exe | 34
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\cbnxpkcnkuwf.exe | 6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
File opened for modification | C:\Windows\cbnxpkcnkuwf.exe | 6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1016 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2380 | cbnxpkcnkuwf.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2684 | iexplore.exe
1032 | DllHost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2684 | iexplore.exe
568 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 3000 wrote to memory of 2664 | 3000 | 6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe | 28
PID 2664 wrote to memory of 2624 | 2664 | 6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe | 29
PID 2664 wrote to memory of 1716 | 2664 | 6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe | 30
PID 2624 wrote to memory of 2380 | 2624 | cbnxpkcnkuwf.exe | 34
PID 2380 wrote to memory of 348 | 2380 | cbnxpkcnkuwf.exe | 35
PID 2380 wrote to memory of 1016 | 2380 | cbnxpkcnkuwf.exe | 43
PID 2380 wrote to memory of 2684 | 2380 | cbnxpkcnkuwf.exe | 44
PID 2684 wrote to memory of 568 | 2684 | iexplore.exe | 45
PID 2380 wrote to memory of 872 | 2380 | cbnxpkcnkuwf.exe | 47
PID 2380 wrote to memory of 2868 | 2380 | cbnxpkcnkuwf.exe | 49
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cbnxpkcnkuwf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | cbnxpkcnkuwf.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- PID 3000
  Image: C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - PID 2664
    Image: C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
    Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 2624
      Image: C:\Windows\cbnxpkcnkuwf.exe
      Command line: C:\Windows\cbnxpkcnkuwf.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - PID 2380
        Image: C:\Windows\cbnxpkcnkuwf.exe
        Command line: C:\Windows\cbnxpkcnkuwf.exe
        Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        - PID 348
          Image: C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          Signatures: Suspicious use of AdjustPrivilegeToken
        - PID 1016
          Image: C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          Signatures: Opens file in notepad (likely ransom note)
        - PID 2684
          Image: C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - PID 568
            Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
        - PID 872
          Image: C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          Signatures: Suspicious use of AdjustPrivilegeToken
        - PID 2868
          Image: C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CBNXPK~1.EXE
    - PID 1716
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6BCC06~1.EXE
      Signatures: Deletes itself
- PID 2900
  Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- PID 1032
  Image: C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow