Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 14:44
Static task: static1
Behavioral task: behavioral1
  Sample: 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Size: 388KB
MD5: 40707cdcd4220213b9ef2545043d6c99
SHA1: 7f9d3ad1125de47368644e29b5d5cd515c6497e8
SHA256: 6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f
SHA512: 0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088
SSDEEP: 6144:tYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:tnSdO0iNEPn+TGOoYzwscMSOXUIJ
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+aetij.txt
Family: teslacrypt
C2:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6E3182D2DDCA1126
http://kkd47eh4hdjshb5t.angortra.at/6E3182D2DDCA1126
http://ytrest84y5i456hghadefdsd.pontogrot.com/6E3182D2DDCA1126
http://xlowfznrg4wf7dli.ONION/6E3182D2DDCA1126
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (423) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid | Process
2164 | cmd.exe
-
Drops startup file 6 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aetij.png | pjgkqcsdvcay.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2032 | pjgkqcsdvcay.exe
272 | pjgkqcsdvcay.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhhdihrwkagb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\pjgkqcsdvcay.exe\"" | pjgkqcsdvcay.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2644 set thread context of 2828 | 2644 | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe | 30
PID 2032 set thread context of 272 | 2032 | pjgkqcsdvcay.exe | 34
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\et\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hr\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Journal\fr-FR\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Mail\fr-FR\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Java\jre7\lib\cmm\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Mail\it-IT\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\en-US\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\extensions\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows NT\Accessories\es-ES\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kab\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Journal\ja-JP\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tt\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gd\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\extensions\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\7-Zip\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\en-US\Recovery+aetij.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Recovery+aetij.html | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Journal\es-ES\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Common Files\System\ado\Recovery+aetij.txt | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png | pjgkqcsdvcay.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\Recovery+aetij.html | pjgkqcsdvcay.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\pjgkqcsdvcay.exe | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
File opened for modification | C:\Windows\pjgkqcsdvcay.exe | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjgkqcsdvcay.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjgkqcsdvcay.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd51a97342801945b136bf1c521e8b07000000000200000000001066000000010000200000004d278c987b4a4f54e5bd18d9997482b27717619f713982a51dc520b6b9e8f553000000000e8000000002000020000000c771f76db6c349617455c02377de1280a92c0feb87875882d28786ff2f66ff1a90000000f742c46e992f261931164cdff80ea2b2543b75a295480c2762de241d5dbbdd056bf448aa9346b10440d7a05cc9b9bf8a7aee404b62a112af8e872af478a1c1cfb806e10ce3932fb2e5bac46faca12a1d960d310e35a4a15d8204f1143d67a3cc09c6fa93aab8474c3f6ad03051a55b8f36c112f840dc33b7e04add288fcc471630298d8055bcb54834775502e8aaa8a2400000004e12e357aba7264f8ceaa2dcb792d15802d7f31eb556412b3744123be206fd9d938d51e7a3d7ad31e4f5a8f526b2a290b63c5759e921c6ccd67a5637c42ef1e3 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7054efb47e1ddb01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd51a97342801945b136bf1c521e8b070000000002000000000010660000000100002000000007e2230d1d4a25f9b041ffd7892d91c74744ea82681f6682c24143107fcaf9be000000000e80000000020000200000003bc7b53271b14343809e6cd030baaecb08c20b70debb014f7865a152a3d555db2000000010866540cf34ab6c80e50bf920618d784be70e8e5b4962a9a0986862f5a56a0640000000e7a0de269d5fe24db7fc94665bb9a75e976578db44e0dc983ae7623281340b0a66f9ab739ff745e466534a9b6c07c56859ddd09d43eed62aca30fe08d4e9e8c6 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E07572F1-8971-11EF-8AE7-D6CBE06212A9} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
-
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | pjgkqcsdvcay.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | pjgkqcsdvcay.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1812 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | identical rows
272 | pjgkqcsdvcay.exe | 64
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2828 | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
Token: SeDebugPrivilege | 272 | pjgkqcsdvcay.exe
Token: SeIncreaseQuotaPrivilege | 2012 | WMIC.exe
Token: SeSecurityPrivilege | 2012 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2012 | WMIC.exe
Token: SeLoadDriverPrivilege | 2012 | WMIC.exe
Token: SeSystemProfilePrivilege | 2012 | WMIC.exe
Token: SeSystemtimePrivilege | 2012 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2012 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2012 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2012 | WMIC.exe
Token: SeBackupPrivilege | 2012 | WMIC.exe
Token: SeRestorePrivilege | 2012 | WMIC.exe
Token: SeShutdownPrivilege | 2012 | WMIC.exe
Token: SeDebugPrivilege | 2012 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2012 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2012 | WMIC.exe
Token: SeUndockPrivilege | 2012 | WMIC.exe
Token: SeManageVolumePrivilege | 2012 | WMIC.exe
Token: 33 | 2012 | WMIC.exe
Token: 34 | 2012 | WMIC.exe
Token: 35 | 2012 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 572 | WMIC.exe
Token: SeSecurityPrivilege | 572 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 572 | WMIC.exe
Token: SeLoadDriverPrivilege | 572 | WMIC.exe
Token: SeSystemProfilePrivilege | 572 | WMIC.exe
Token: SeSystemtimePrivilege | 572 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 572 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 572 | WMIC.exe
Token: SeCreatePagefilePrivilege | 572 | WMIC.exe
Token: SeBackupPrivilege | 572 | WMIC.exe
Token: SeRestorePrivilege | 572 | WMIC.exe
Token: SeShutdownPrivilege | 572 | WMIC.exe
Token: SeDebugPrivilege | 572 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 572 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 572 | WMIC.exe
Token: SeUndockPrivilege | 572 | WMIC.exe
Token: SeManageVolumePrivilege | 572 | WMIC.exe
Token: 33 | 572 | WMIC.exe
Token: 34 | 572 | WMIC.exe
Token: 35 | 572 | WMIC.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
808 | iexplore.exe
592 | DllHost.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
808 | iexplore.exe
808 | iexplore.exe
1660 | IEXPLORE.EXE
1660 | IEXPLORE.EXE
592 | DllHost.exe
592 | DllHost.exe
-
Suspicious use of WriteProcessMemory 54 IoCs
description | pid | Process | procid_target | identical rows
PID 2644 wrote to memory of 2828 | 2644 | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe | 30 | 11
PID 2828 wrote to memory of 2032 | 2828 | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe | 31 | 4
PID 2828 wrote to memory of 2164 | 2828 | 40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe | 32 | 4
PID 2032 wrote to memory of 272 | 2032 | pjgkqcsdvcay.exe | 34 | 11
PID 272 wrote to memory of 2012 | 272 | pjgkqcsdvcay.exe | 35 | 4
PID 272 wrote to memory of 1812 | 272 | pjgkqcsdvcay.exe | 40 | 4
PID 272 wrote to memory of 808 | 272 | pjgkqcsdvcay.exe | 41 | 4
PID 808 wrote to memory of 1660 | 808 | iexplore.exe | 43 | 4
PID 272 wrote to memory of 572 | 272 | pjgkqcsdvcay.exe | 44 | 4
PID 272 wrote to memory of 2296 | 272 | pjgkqcsdvcay.exe | 47 | 4
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | pjgkqcsdvcay.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | pjgkqcsdvcay.exe
Processes
C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2644
  C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\40707cdcd4220213b9ef2545043d6c99_JaffaCakes118.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2828
    C:\Windows\pjgkqcsdvcay.exe
      Command line: C:\Windows\pjgkqcsdvcay.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2032
      C:\Windows\pjgkqcsdvcay.exe
        Command line: C:\Windows\pjgkqcsdvcay.exe
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 272
        C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
          PID: 2012
        C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
          PID: 1812
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 808
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID: 1660
        C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
          PID: 572
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PJGKQC~1.EXE
          - System Location Discovery: System Language Discovery
          PID: 2296
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\40707C~1.EXE
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2164
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 592
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
9KB
MD5ccf1d4c273999160bb656b825e4e39fe
SHA12230922134e3bfc3bf97c53097ef11a306126924
SHA256f77fcdcbff74400668c54417f447d1a8adda77eb8e92405a566dfe1c126a841c
SHA5124740bbca1e82cd24e26f52df90220b076c49028078e5fca68884bc23868ef227d717c7d6b75dea1d6fda64cd2b5d8d7a568d0aba2d0bf04aa02bcf485235c856
-
Filesize
63KB
MD5a4461a3cac221b97f4d2c51997b8a200
SHA179b63d2b9847958ff316297c7be5e7e3f42984d9
SHA256370ce233607e7344600e5c57eabea288926dd5c330b5eb020b7443852b319739
SHA512f6606cd309bf972223ef62302b04417867846a0394f724a8dfcf502640f5a37702d97e1e637534a6a9114019ea28a792414a52e900b64ac411d5e8768a92e60d
-
Filesize
1KB
MD520cd6f2652839fabcff7e97b22825400
SHA1fb320f053ec797c0e5190edbc9d0f34e54b04f2d
SHA256a6d11a7ce1c4dd18c259b41504c3090a2f9da6b637049b2a3bdd00a9789d4a7b
SHA512b46682e9cd1a24063d4a4bf43c6131473e33e770c2da1e48884e49677cd6ffa0a1f70975bfd8fe667a383e3a587a39a54ae44674f4eec098f45e9d2e65e0c304
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize 11KB
MD5 f171cc92c469a91096f4c4ad72f3b442
SHA1 49eae13afafbf345418b8f83a88a904e7f32d62c
SHA256 3bf17ccfbab680398464dd3c4eb027a9d3052e97e59a79e8901bb066b418cd3f
SHA512 0f54098bad44af1a2ef7e2ccb5c1bfb9f795e8c4b083f44311cbe0565aa86f494b17e7efa86a8944eb3b6e5eacf89ea104cf762ec0818b95c83714ebc2f674bf
-
Filesize 109KB
MD5 996358eff536fee86e1c70143fce0fe7
SHA1 f3bb63b34f678c817cbc5d7a338aee72dd3b4205
SHA256 85720cc76b97e19c18a3eb803facae6a80507d6470b7e286bd1c6db31aa06d88
SHA512 138b3aa124781976ffdd7fc7083033e4a9a378ac587c74bd73947660987276a7a4af723515040f6ff7544aa286e98b1c47b23ec1abf872763f53eb03135becfb
-
Filesize 173KB
MD5 d84272c7fe99dcc5b069b3bf45e85c8b
SHA1 377327990075c89900630dabf3069f26ad7ba333
SHA256 98fea4a177c94b746e3f17aaffddf59be49cbd276a3c2dbd7e1e8d11cd3685fb
SHA512 570d59770ea614a13e5606ef6180ada43aff0c4d3657a99a69ec2b118a855f9c98594d8a2f6c7a10b5f75e7cfeaffb6676807f17e7060aaa06a35b4d44339522
-
Filesize 1KB
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a3c30c4c171f6a454bdbf6530c3461dd
SHA1 8daf5a71c8e209adbc67a060029e79822dbf5b2e
SHA256 55e04ce6e3c1019219cbfddd879989b2fa7acabc1c816b2817ea254292665bee
SHA512 2ff4ae21b0a576db7c085b685181a5c3d73326cbfc2d9d01590fe381ab09ab37ebcb7cb3ee203e6e60c52134cc1c8c9546ebe72e90d4a15828ed3abe22cc04e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 df00be7afe6d93104b9cffbf07e58957
SHA1 4de2d7d5e08ec7d2efef726c3b614d1407595b28
SHA256 fdc5fb4031c81be21d6623f75039fcfb0604a81599d4f02726fe4309e1a4829d
SHA512 cd93937c9425fb2ec792b64e493a855c25065557079aa1163f9ace2a1f7da06ddc66eb18004f96e016e24db0d4e8d486a17a772f54f80f9a6f6d48eeee7fff24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 9b34d69a1bfdaf7765b96bb5a386dad6
SHA1 9278256ac6a06d82047059ce8e5fee4d08da9bf9
SHA256 828e7195f28ffce498043d5de7722772244784a81158cbacd65f5601b820f76e
SHA512 6bd7c6638dfac4be979679576ee908011cb4fd2f7d606ebbf9036a3e8006f7898714d4468fb8b92cbe029655c4fdbc526e2719485b8f6d6b4c494f4fd21e771d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 41f04a164104335f8caca150ffd98853
SHA1 2c576ed6a8d94a7ea625b6c993a3dd0f29758ee1
SHA256 51e08ef4cb416a9a38098c88daca8e597ddda722c6d9301d5e230574e4414d56
SHA512 b0c83803ead25ed09fdf971d9a2d25ff4120809e6773c9a05420bafead63881f5a0a1759ec4b2e86e9d96c9db2c1b8a970d6585e4ef89a26582b6e55d0ed7c37
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1ec0a77a6661186d140d43d6593cf333
SHA1 3be2dfa7d90590a2c03383690a688f80f78206d2
SHA256 fe0772b34e3a73b93067f6497e72440d7e2b911151b5e79ae07b3db5d69f1306
SHA512 af24c788d73462ef6187ef20c227afff5889012a6d04be97c8f936fe3f90826b1cded331106434a48d170e9f5e50af0ef022d2273b9084a1301221d190fbc364
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ee938da573a2cd82feafd057bacfec82
SHA1 847276b7ea0066ea8fce8a5eb2cedc16e15902b0
SHA256 0fbff6a8b931be39c2e83d4bcbde0ccb81130b3f021313673f7bf23b45986323
SHA512 0dc902c4b731c71240dcd68250830b83492178ba156a44cd6ac8c4bc7486cd79481075058206eeffaaab92a3868573ea3fa4cc544799466b75dce7ee4116ea20
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 616388f2f346e05635a857a040821eb3
SHA1 030b3ccf70b27ecf38c34a79e1a34947452a8fab
SHA256 6f16b90bfc3e673a48d3ac334d9babd517f75f15fe5a3b142f1e435d0af482da
SHA512 37d5ee0da704df585b4291da6d62c84e269fad65387ec32e50d33a1e5506f8bec365b020199c99347e56d070b0a7e317e9bcc933c7d91b5b802b96f427fef3da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7367a718dc193a3ef9b5e30b3dd016ee
SHA1 eb983d370265922e91ed80aeb8aeb87359055eec
SHA256 69ad0af5eb3f3c9245159f7a857a4354720ebec630a3621ea3989092d0a339dc
SHA512 c836a278944fbcd3694e354233c0da83128aad4afe17ff9d8354a53832798fbea91013af429b557ab9f84d0131e9541a69339820ef9c5441da321dc09e429755
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 85f851768cc889ee2506c7a4e3f30067
SHA1 62155ad0c617b2326c4ca07844869fc1503110c2
SHA256 94f02ca464c4a14867cc934f03b8c163446ca2e100383b395fd4b304fad22b23
SHA512 2bab1d30a5d4b620670a22e017ca739e67088615e8350c4ea224d31633ce3390e39e2923b55ecaf6257ae2503ab492dc8786a158a85875e7128fdfe87204d885
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 e4f70278c8829a7022aca87815a413d3
SHA1 7cb343b0f6f0153282ffc30d9654873f3448429a
SHA256 73a77adb0ae9c1e5c26242718572338cab02a79b73b03dc9e4ffe7069f4cda90
SHA512 ef54f21cdf17a53294594aef1a788f4959f8cdc468c8cf915c8907c606027ed19acae3adcac53a097f5f7e2ac889c643862de758896158154c0bea75b5e4fd60
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 388KB
MD5 40707cdcd4220213b9ef2545043d6c99
SHA1 7f9d3ad1125de47368644e29b5d5cd515c6497e8
SHA256 6f7c7b4f3bd9e6ce0dc0d4dd7662e35d8a2079dfe61b2febf2645b68fe11ee3f
SHA512 0a3cda582f1a444ad78d5f09d4e204a753c74863bcbbbdf5c6ffcafa523b195ac4c6aa7922973cf2687b673e4e346f94b6525402db7380a4e53c3f8855480088