Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-10-2024 05:05
Static task: static1
Behavioral task: behavioral1
  Sample: 2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
Size: 364KB
MD5: 2b5c64d0ae335be2b30de30ed5cf9b71
SHA1: 57a809107f1810a3ed01d4baf09f89a1fb562757
SHA256: 33e6272f8a84de06327c40ad72efd8537c82d5f9d86b082ef1f6cfe7031f7c3b
SHA512: 96ebf2562a60ef245aea06decf83298979368e4c4dabaa107068e430d7fe86af5f996cfffba95e7f1c5ef411e7d1265d24a84716be63eaedfd48ad3aac4dc4e8
SSDEEP: 6144:REAU1eeD624pGSoJDZ2sqIrU5AsZBbgyg4s43yirHwlzKPm:RvU1eeD6282JtOI2D3bzsEHrQBKP
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+jqkno.txt
Family: teslacrypt
URLs:
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/512A8BC06C1C5BC8
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/512A8BC06C1C5BC8
http://yyre45dbvn2nhbefbmh.begumvelic.at/512A8BC06C1C5BC8
http://xlowfznrg4wf7dli.ONION/512A8BC06C1C5BC8
Signatures
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (437) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes itself 1 IoCs
Processes: cmd.exe (PID 2652)
Drops startup file 6 IoCs
Process: udtajmeamkwc.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jqkno.png
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jqkno.txt
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+jqkno.html
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jqkno.png
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jqkno.txt
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+jqkno.html
Executes dropped EXE 2 IoCs
Processes: udtajmeamkwc.exe (PID 2852), udtajmeamkwc.exe (PID 624)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Process: udtajmeamkwc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\eubxylt = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\udtajmeamkwc.exe"
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Suspicious use of SetThreadContext 2 IoCs
PID 2400 (2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe) set thread context of PID 2868 (2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe)
PID 2852 (udtajmeamkwc.exe) set thread context of PID 624 (udtajmeamkwc.exe)
Drops file in Program Files directory 64 IoCs
Process: udtajmeamkwc.exe
Drops file in Windows directory 2 IoCs
Process: 2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
File opened for modification C:\Windows\udtajmeamkwc.exe
File created C:\Windows\udtajmeamkwc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: 2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe (2 occurrences), IEXPLORE.EXE, DllHost.exe, cmd.exe (2 occurrences), udtajmeamkwc.exe (2 occurrences), NOTEPAD.EXE
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE (PID 324)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: udtajmeamkwc.exe (PID 624), all 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe (PID 2868, SeDebugPrivilege), udtajmeamkwc.exe (PID 624, SeDebugPrivilege), WMIC.exe (PID 2056), vssvc.exe (PID 3028, SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege), WMIC.exe (PID 1256)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe (PID 908), DllHost.exe (PID 1972)
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: iexplore.exe (PID 908, 2 occurrences), IEXPLORE.EXE (PID 236, 2 occurrences), DllHost.exe (PID 1972, 2 occurrences)
Suspicious use of WriteProcessMemory 54 IoCs
Writer -> target pairs: 2400 (2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe) -> 2868 (2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe); 2868 -> 2852 (udtajmeamkwc.exe); 2868 -> 2652 (cmd.exe); 2852 (udtajmeamkwc.exe) -> 624 (udtajmeamkwc.exe); 624 -> 2056 (WMIC.exe); 624 -> 324 (NOTEPAD.EXE); 624 -> 908 (iexplore.exe); 908 (iexplore.exe) -> 236 (IEXPLORE.EXE); 624 -> 1256 (WMIC.exe); 624 -> 2564 (cmd.exe)
System policy modification 1 TTPs 2 IoCs
Process: udtajmeamkwc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe (PID 2400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe (PID 2868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\udtajmeamkwc.exe (PID 2852)
          Command line: C:\Windows\udtajmeamkwc.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\udtajmeamkwc.exe (PID 624)
              Command line: C:\Windows\udtajmeamkwc.exe
              - Drops startup file
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
                C:\Windows\System32\wbem\WMIC.exe (PID 2056)
                  Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                  - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\NOTEPAD.EXE (PID 324)
                  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
                  - System Location Discovery: System Language Discovery
                  - Opens file in notepad (likely ransom note)
                C:\Program Files\Internet Explorer\iexplore.exe (PID 908)
                  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
                  - Modifies Internet Explorer settings
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 236)
                      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:275457 /prefetch:2
                      - System Location Discovery: System Language Discovery
                      - Modifies Internet Explorer settings
                      - Suspicious use of SetWindowsHookEx
                C:\Windows\System32\wbem\WMIC.exe (PID 1256)
                  Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                  - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\cmd.exe (PID 2564)
                  Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UDTAJM~1.EXE
                  - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe (PID 2652)
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B5C64~1.EXE
          - Deletes itself
          - System Location Discovery: System Language Discovery
C:\Windows\system32\vssvc.exe (PID 3028)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\DllHost.exe (PID 1972)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads