Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
09-10-2024 00:43
Static task
static1
Behavioral task
behavioral1
Sample
27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
-
Size
388KB
-
MD5
27e887aa14f3890a72f06ec5d0759f20
-
SHA1
8bacf22533725fd98c254c8eb6852edbe225a0ef
-
SHA256
91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267
-
SHA512
56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089
-
SSDEEP
12288:LhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:F4DRw7325gPh
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E28EB396F85EF8A3
http://kkd47eh4hdjshb5t.angortra.at/E28EB396F85EF8A3
http://ytrest84y5i456hghadefdsd.pontogrot.com/E28EB396F85EF8A3
http://xlowfznrg4wf7dli.ONION/E28EB396F85EF8A3
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
PID 2200: cmd.exe
-
Drops startup file 6 IoCs
Processes:
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kvroe.png (jyidguupnjpt.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kvroe.txt (jyidguupnjpt.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kvroe.html (jyidguupnjpt.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+kvroe.png (jyidguupnjpt.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+kvroe.txt (jyidguupnjpt.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+kvroe.html (jyidguupnjpt.exe)
-
Executes dropped EXE 2 IoCs
Processes:
PID 2684: jyidguupnjpt.exe
PID 1664: jyidguupnjpt.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\kcwopqnsgihy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jyidguupnjpt.exe\"" (jyidguupnjpt.exe)
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
PID 2272 (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe) set thread context of 1752 (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe)
PID 2684 (jyidguupnjpt.exe) set thread context of 1664 (jyidguupnjpt.exe)
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
Processes:
File created: C:\Windows\jyidguupnjpt.exe (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe)
File opened for modification: C:\Windows\jyidguupnjpt.exe (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (jyidguupnjpt.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (jyidguupnjpt.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DllHost.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NOTEPAD.EXE)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe)
-
Modifies system certificate store
Processes:
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (jyidguupnjpt.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob (jyidguupnjpt.exe)
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
PID 2324: NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID 1664: jyidguupnjpt.exe
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
PID 1752 (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe): SeDebugPrivilege
PID 1664 (jyidguupnjpt.exe): SeDebugPrivilege
PID 2360 (WMIC.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
PID 2556 (WMIC.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
PID 1396: iexplore.exe
PID 2756: DllHost.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
PID 1396: iexplore.exe
PID 1396: iexplore.exe
PID 2696: IEXPLORE.EXE
PID 2696: IEXPLORE.EXE
PID 2756: DllHost.exe
PID 2756: DllHost.exe
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
PID 2272 (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe) wrote to memory of 1752 (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe)
PID 1752 (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe) wrote to memory of 2684 (jyidguupnjpt.exe)
PID 1752 (27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe) wrote to memory of 2200 (cmd.exe)
PID 2684 (jyidguupnjpt.exe) wrote to memory of 1664 (jyidguupnjpt.exe)
PID 1664 (jyidguupnjpt.exe) wrote to memory of 2360 (WMIC.exe)
PID 1664 (jyidguupnjpt.exe) wrote to memory of 2324 (NOTEPAD.EXE)
PID 1664 (jyidguupnjpt.exe) wrote to memory of 1396 (iexplore.exe)
PID 1396 (iexplore.exe) wrote to memory of 2696 (IEXPLORE.EXE)
PID 1664 (jyidguupnjpt.exe) wrote to memory of 2556 (WMIC.exe)
PID 1664 (jyidguupnjpt.exe) wrote to memory of 1008 (cmd.exe)
-
System policy modification 1 TTPs 2 IoCs
Processes:
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (jyidguupnjpt.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (jyidguupnjpt.exe)
Processes
-
PID 2272 (depth 1)
Image: C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
  PID 1752 (depth 2)
  Image: C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    PID 2684 (depth 3)
    Image: C:\Windows\jyidguupnjpt.exe
    Command line: C:\Windows\jyidguupnjpt.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
-
      PID 1664 (depth 4)
      Image: C:\Windows\jyidguupnjpt.exe
      Command line: C:\Windows\jyidguupnjpt.exe
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
-
        PID 2360 (depth 5)
        Image: C:\Windows\System32\wbem\WMIC.exe
        Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
-
        PID 2324 (depth 5)
        Image: C:\Windows\SysWOW64\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        - System Location Discovery: System Language Discovery
        - Opens file in notepad (likely ransom note)
-
        PID 1396 (depth 5)
        Image: C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
-
          PID 2696 (depth 6)
          Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
-
        PID 2556 (depth 5)
        Image: C:\Windows\System32\wbem\WMIC.exe
        Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
-
        PID 1008 (depth 5)
        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JYIDGU~1.EXE
        - System Location Discovery: System Language Discovery
-
    PID 2200 (depth 3)
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\27E887~1.EXE
    - Deletes itself
    - System Location Discovery: System Language Discovery
-
PID 2756 (depth 1)
Image: C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)