Analysis
-
max time kernel
119s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-10-2024 22:18
Static task
static1
Behavioral task
behavioral1
Sample
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
-
Size
356KB
-
MD5
5ef1fdd422951c153db8c39b87e84e5d
-
SHA1
a89966004343653b2d20c06b373b1390ed0450d3
-
SHA256
b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
-
SHA512
94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871
-
SSDEEP
6144:nOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:nFeq0F+PzcOLyWRsHA93/oswe
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ddrwy.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4EF4ED8C821A875E
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4EF4ED8C821A875E
http://yyre45dbvn2nhbefbmh.begumvelic.at/4EF4ED8C821A875E
http://xlowfznrg4wf7dli.ONION/4EF4ED8C821A875E
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2284 cmd.exe -
Drops startup file 6 IoCs
Processes:
tnvhutyoduas.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe -
Executes dropped EXE 2 IoCs
Processes:
tnvhutyoduas.exetnvhutyoduas.exepid process 2656 tnvhutyoduas.exe 2996 tnvhutyoduas.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tnvhutyoduas.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\vipalce = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\tnvhutyoduas.exe" tnvhutyoduas.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.exedescription pid process target process PID 2212 set thread context of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2656 set thread context of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe -
Drops file in Program Files directory 64 IoCs
Processes:
tnvhutyoduas.exedescription ioc process File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak tnvhutyoduas.exe File opened for modification C:\Program Files\Internet Explorer\fr-FR\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Program Files\Common Files\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css tnvhutyoduas.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg tnvhutyoduas.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js tnvhutyoduas.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Google\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Java\jre7\bin\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d11\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png tnvhutyoduas.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js tnvhutyoduas.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Java\jre7\bin\server\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png tnvhutyoduas.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\CopyRemove.zip tnvhutyoduas.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_ReCoVeRy_+ddrwy.html tnvhutyoduas.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv tnvhutyoduas.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\en-US\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\it\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js tnvhutyoduas.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt tnvhutyoduas.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js tnvhutyoduas.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js tnvhutyoduas.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VGX\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_ReCoVeRy_+ddrwy.txt tnvhutyoduas.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\_ReCoVeRy_+ddrwy.png tnvhutyoduas.exe -
Drops file in Windows directory 2 IoCs
Processes:
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exedescription ioc process File created C:\Windows\tnvhutyoduas.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe File opened for modification C:\Windows\tnvhutyoduas.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.execmd.exeIEXPLORE.EXEcmd.exe5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.exeNOTEPAD.EXEDllHost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnvhutyoduas.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnvhutyoduas.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000014442d246c2b5a494cdfbfbaf5913c40d21b429845f2ecbd8c281d705a31bb9b000000000e800000000200002000000037b17b5dd6464c138c6a3accf3afce6030f46f642e2f8f82ae63d5b34da2a91190000000cdd2f985d54ce32b44a2d59a08eb3a09ca7d4c5dccf5eee43d40acfef49e0fbfa7086a9915b88352cdb141aafc8c2882619418e2af01c5a381a18b703cafe9d02c791e9eb32921420a92b4ca109e3ef046ccf1dbbc01beb3ce15d352111ab567465387981593119c54bc7383f064969ce974b1c150fca9defe3d1e8110f5b237009eb0e1335db8543b934bf8df03499440000000ece964054d57f498041f2a10ee485f34a4f377325b347a5b4add60ad9ec582ffdf188d566ca148d09fa859cb4939e0027361c047d7891eceedef9986d24bade4 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{407F99F1-8E68-11EF-9A8E-4A174794FC88} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0dcfb147522db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000000549a399c75cc6bedbd6e6208122f9b085adc1fddf41fb0bb3064adb8accbf79000000000e80000000020000200000007ed16827fbd0d2817b734b80f1491119e86b4d5ef543a2281a5942fa23c10e2b20000000d32890d47397ac8c99195e2c72da60771d77e67fd256b8b8bf83f7141baff844400000006db4c4a7e9f7ed996698423e4a3722e004790bc6edbf5535b65527412341564c2910b504e7e2a960f3c41c8ae0c01e6fbc44230441675b8339044f73dbc271eb iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3024 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
tnvhutyoduas.exepid process 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe 2996 tnvhutyoduas.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.exeWMIC.exevssvc.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe Token: SeDebugPrivilege 2996 tnvhutyoduas.exe Token: SeIncreaseQuotaPrivilege 2868 WMIC.exe Token: SeSecurityPrivilege 2868 WMIC.exe Token: SeTakeOwnershipPrivilege 2868 WMIC.exe Token: SeLoadDriverPrivilege 2868 WMIC.exe Token: SeSystemProfilePrivilege 2868 WMIC.exe Token: SeSystemtimePrivilege 2868 WMIC.exe Token: SeProfSingleProcessPrivilege 2868 WMIC.exe Token: SeIncBasePriorityPrivilege 2868 WMIC.exe Token: SeCreatePagefilePrivilege 2868 WMIC.exe Token: SeBackupPrivilege 2868 WMIC.exe Token: SeRestorePrivilege 2868 WMIC.exe Token: SeShutdownPrivilege 2868 WMIC.exe Token: SeDebugPrivilege 2868 WMIC.exe Token: SeSystemEnvironmentPrivilege 2868 WMIC.exe Token: SeRemoteShutdownPrivilege 2868 WMIC.exe Token: SeUndockPrivilege 2868 WMIC.exe Token: SeManageVolumePrivilege 2868 WMIC.exe Token: 33 2868 WMIC.exe Token: 34 2868 WMIC.exe Token: 35 2868 WMIC.exe Token: SeIncreaseQuotaPrivilege 2868 WMIC.exe Token: SeSecurityPrivilege 2868 WMIC.exe Token: SeTakeOwnershipPrivilege 2868 WMIC.exe Token: SeLoadDriverPrivilege 2868 WMIC.exe Token: SeSystemProfilePrivilege 2868 WMIC.exe Token: SeSystemtimePrivilege 2868 WMIC.exe Token: SeProfSingleProcessPrivilege 2868 WMIC.exe Token: SeIncBasePriorityPrivilege 2868 WMIC.exe Token: SeCreatePagefilePrivilege 2868 WMIC.exe Token: SeBackupPrivilege 2868 WMIC.exe Token: SeRestorePrivilege 2868 WMIC.exe Token: SeShutdownPrivilege 2868 WMIC.exe Token: SeDebugPrivilege 2868 WMIC.exe Token: SeSystemEnvironmentPrivilege 2868 WMIC.exe Token: SeRemoteShutdownPrivilege 2868 WMIC.exe Token: SeUndockPrivilege 2868 WMIC.exe Token: SeManageVolumePrivilege 2868 WMIC.exe Token: 33 2868 WMIC.exe Token: 34 2868 WMIC.exe Token: 35 2868 WMIC.exe Token: SeBackupPrivilege 1684 vssvc.exe Token: SeRestorePrivilege 1684 vssvc.exe Token: SeAuditPrivilege 1684 vssvc.exe Token: SeIncreaseQuotaPrivilege 2744 WMIC.exe Token: SeSecurityPrivilege 2744 WMIC.exe Token: SeTakeOwnershipPrivilege 2744 WMIC.exe Token: SeLoadDriverPrivilege 2744 WMIC.exe Token: SeSystemProfilePrivilege 2744 WMIC.exe Token: SeSystemtimePrivilege 2744 WMIC.exe Token: SeProfSingleProcessPrivilege 2744 WMIC.exe Token: SeIncBasePriorityPrivilege 2744 WMIC.exe Token: SeCreatePagefilePrivilege 2744 WMIC.exe Token: SeBackupPrivilege 2744 WMIC.exe Token: SeRestorePrivilege 2744 WMIC.exe Token: SeShutdownPrivilege 2744 WMIC.exe Token: SeDebugPrivilege 2744 WMIC.exe Token: SeSystemEnvironmentPrivilege 2744 WMIC.exe Token: SeRemoteShutdownPrivilege 2744 WMIC.exe Token: SeUndockPrivilege 2744 WMIC.exe Token: SeManageVolumePrivilege 2744 WMIC.exe Token: 33 2744 WMIC.exe Token: 34 2744 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exeDllHost.exepid process 1744 iexplore.exe 2420 DllHost.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEDllHost.exepid process 1744 iexplore.exe 1744 iexplore.exe 1704 IEXPLORE.EXE 1704 IEXPLORE.EXE 2420 DllHost.exe 2420 DllHost.exe -
Suspicious use of WriteProcessMemory 54 IoCs
Processes:
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exetnvhutyoduas.exetnvhutyoduas.exeiexplore.exedescription pid process target process PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 2212 wrote to memory of 1688 2212 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe PID 1688 wrote to memory of 2656 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe tnvhutyoduas.exe PID 1688 wrote to memory of 2656 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe tnvhutyoduas.exe PID 1688 wrote to memory of 2656 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe tnvhutyoduas.exe PID 1688 wrote to memory of 2656 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe tnvhutyoduas.exe PID 1688 wrote to memory of 2284 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe cmd.exe PID 1688 wrote to memory of 2284 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe cmd.exe PID 1688 wrote to memory of 2284 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe cmd.exe PID 1688 wrote to memory of 2284 1688 5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe cmd.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2656 wrote to memory of 2996 2656 tnvhutyoduas.exe tnvhutyoduas.exe PID 2996 wrote to memory of 2868 2996 tnvhutyoduas.exe WMIC.exe PID 2996 wrote to memory of 2868 2996 tnvhutyoduas.exe WMIC.exe PID 2996 wrote to memory of 2868 2996 tnvhutyoduas.exe WMIC.exe PID 2996 wrote to memory of 2868 2996 tnvhutyoduas.exe WMIC.exe PID 2996 wrote to memory of 3024 2996 tnvhutyoduas.exe NOTEPAD.EXE PID 2996 wrote to memory of 3024 2996 tnvhutyoduas.exe NOTEPAD.EXE PID 2996 wrote to memory of 3024 2996 tnvhutyoduas.exe NOTEPAD.EXE PID 2996 wrote to memory of 3024 2996 tnvhutyoduas.exe NOTEPAD.EXE PID 2996 wrote to memory of 1744 2996 tnvhutyoduas.exe iexplore.exe PID 2996 wrote to memory of 1744 2996 tnvhutyoduas.exe iexplore.exe PID 2996 wrote to memory of 1744 2996 tnvhutyoduas.exe iexplore.exe PID 2996 wrote to memory of 1744 2996 tnvhutyoduas.exe iexplore.exe PID 1744 wrote to memory of 1704 1744 iexplore.exe IEXPLORE.EXE PID 1744 wrote to memory of 1704 1744 iexplore.exe IEXPLORE.EXE PID 1744 wrote to memory of 1704 1744 iexplore.exe IEXPLORE.EXE PID 1744 wrote to memory of 1704 1744 iexplore.exe IEXPLORE.EXE PID 2996 wrote to memory of 2744 2996 tnvhutyoduas.exe WMIC.exe PID 2996 wrote to memory of 2744 2996 tnvhutyoduas.exe WMIC.exe PID 2996 wrote to memory of 2744 2996 tnvhutyoduas.exe WMIC.exe PID 2996 wrote to memory of 2744 2996 tnvhutyoduas.exe WMIC.exe PID 2996 wrote to memory of 1808 2996 tnvhutyoduas.exe cmd.exe PID 2996 wrote to memory of 1808 2996 tnvhutyoduas.exe cmd.exe PID 2996 wrote to memory of 1808 2996 tnvhutyoduas.exe cmd.exe PID 2996 wrote to memory of 1808 2996 tnvhutyoduas.exe cmd.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
tnvhutyoduas.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tnvhutyoduas.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" tnvhutyoduas.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\tnvhutyoduas.exeC:\Windows\tnvhutyoduas.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\tnvhutyoduas.exeC:\Windows\tnvhutyoduas.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2996 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3024 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1704 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TNVHUT~1.EXE5⤵
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5EF1FD~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2284
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2420
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5ccea1accd625cdbaf4017eb8fdce9c6b
SHA1c2c27ea2af80e511f182f6bf376bdcb032a5165f
SHA256056ae90b6c993e2f222dee91cdd562404e08d9f846805dcb9598d949d23e1f88
SHA512786f6d942c8e7b096bc6fa452352f7c158a07cb759f7c4ac03d5db2faf4eaddc81649badfe68d1e214b2dde15cacc3a0bb9a8e701c9ea8cf330bff0508752de2
-
Filesize
64KB
MD545e417be3bccd1b4a925b3640b21a923
SHA1fe57898423449018bebaf99be2f6766dcc4ddb06
SHA256f5a09074c42fb3789671e3fbcb0972f414a989208f36ef86e6fe340fda407900
SHA512b9aae0825b84c64740c1707a40101a251c57d8e6fd3a475a7181531b484014b4b2cfee3cb4d90ee13d01851edb2e950cae4ad1ca79b0263bcdb994a9d1653305
-
Filesize
1KB
MD5046b1fbcb17169d61e7c723590fb5925
SHA17665f0b04d3ac161e6c4e5005f5fde93b03606a6
SHA256b7f900d45d1b32ccaa7e769666892192af1a5b208adec9f1c51e0afff51e3dde
SHA5128602cc538d3ef683c1db0faeceec616a0181e4f504bc4f85a01b50c277c7bb437c31041e987b70e4903b68c13fb9ab62fb398ea063151c467663523bedbc1280
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD532465cc129b5a22712cfd9d3c34482e6
SHA148839144d45a0819af31b53eb360a4ba82989fff
SHA256d4e70c6086a2aa3ea2984fba0a4947b2ab265c53bd51bb2311529aaaa978bf59
SHA5127f6fc6fb5fee41d33163de201fec47ff6ad52a543c751166d34a99f1ca0ccfac4b1783c735d840c840d7db6c676260abd74b2e6720b60be666be8f75598a0dba
-
Filesize
109KB
MD54d85c5972eaa2580d23ae16e9b49997f
SHA1b32a8e1c131bfc66ab5d7473fa3eb1249365faa6
SHA25603a555f00696bd77489494760de8d4b6d9fb383cb7444c337f777870f72c287a
SHA5126c9964266e152b639ca38d657d2710113525724c9ab5710fd0d00898e794674b86c405bd3a02c8490e984988abc0051774d3b9e478a804947437ec0fc1575811
-
Filesize
173KB
MD576cc74b248121248d6bae8d454f0cd4d
SHA11c8d07c62150f22e14a4d9c0b1697fa4f73805b9
SHA256e73cf53909128a9e8d377dbd082d9a9af3f556df024958d651fd9681b33cbdb7
SHA5125a41ec79f433b7514b44f6948fd781e2fb85d4b4d1847dab9c1e4cc57c95ca76a76077e2b99efc9bfbd8d6514b31166fad2fa012fdef8fdb8b75a23b8f59fdad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f94dcf3b95ca2a335186b8e14dee7f6f
SHA1fb4ec0ceef9bff54c6d1679cefe437b3e7358f51
SHA2567b038e9bbe5550d47dd4aa226effda32ccf88ba927bc6ef6634b60ee5c45a23a
SHA512ff3cb646ccce7995fe422287911d4f9f2e585b0496e755b07237d630c75e6bcda2377c2c10ed755584c329044c8b79331c814fe3fde9941539118921526d4492
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD597f8c07e8107ecab1870e82a23da6ef9
SHA1ed86cbec5199867eb86843aad7441c59802455bd
SHA256f34bd2b747c2a014cbd7e318f5b8bb8974621dfe8ef196f19744433bacbab27e
SHA512fc94dcf94ce3f758010de3ef45f485e2e908708169b42defe0d33dbb7b3c2af716bf9a12df74840d89538add420171c7eb6045b7f79893f8ced41897808ea92b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5aa5cd3450df11d1bc166c93b44ac3ed7
SHA1fec1ba37098888240434dc67e2807590546062b4
SHA256a6ae0cd3f05389a9f583bab1e917c7c34e96221ed1b36b01299521b31d9dd26f
SHA512e1f6418a80638f9a3b6216e34f9d9c91d60fedf289438bc0e22a60011eba4c000a1a5b000548009e48c902d834da18d2e572de34481bcde49f4dc59dd5f57902
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e96d736e72ff4a5c8234593b08dbf910
SHA1aa624dc050ca671b7a37c4ab786730706ac8c5bb
SHA25625e33b97b9ca574b3a885987c7c20bddd9c9f07d1a888744c5a270b04f1453c1
SHA51206548c1f0828e325380e5642fc4b70c432e579bf847d7d4fcdfec60f73a2a1e3b2ecdbd5a858e4fc028ca1abe62d350fd7dc6ed01e1dced2ff91be99c670027a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57c758a2efd84f8305d8a5032b1970eff
SHA1c9c5e13692aacfd6295958ba89bda50d398e1294
SHA256213889d2665f7abd6ada83cd5ee2b8a0a7ddd683053aa51b48c7a6712826eb89
SHA5123edbc4f7904a7a0fe5adb6eb3e336eae390819d52ebacde65e65d0a8421d8d740448cfa4551a2c56fe3a659af17b7be912bb8f82ebe500abc72dad5c24bcb9f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59d5c7b6361760f4ecbe441125f1ccc84
SHA17ddc54d383262e33dfe8d6714b278aace79c03b3
SHA2566ae6a5c4db22ea5fbf0e96bfb16b23ece2ef9c3c0d938e6128edf49311fdcdb0
SHA5128fbfa1ddb98b4bbe42ef0d66b384ac8ad52ca911e615fc0e104fdcdb7f408e120b8ed1b1435379ed39ae29757d6c68d001be1eedad5d5246ab4e951bd03ca7b7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53c961bf3a83c118f1938c7ad3c8fb619
SHA148a6c6185099cd2cd50cb1583fdb0d76a47dce10
SHA2560c19f05535c45ef9aef8dae48a7cb3fefd86fbc6fb18dfd8ad694d70dc81f575
SHA512b4d1533b5cc20336ac87765368c3bf0ef77ccd63c4fc0bd629f7ce8dcd3f598254b296615584abf3da9f8e4cf4ebe05050c97a38ef71b7506995085acb4ed1a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d8bb58993c37076cd356f82c27afff5f
SHA12774da3250e4e27faa170529c70dbb6fa7fb0c8d
SHA256d399f6a5a085890b632184d4a50e6b38e69cfa953b245b05186b0ef36aa69f10
SHA51257088ffa9e22d7c050a5b6333f7c7b7e1df680b8e1000d942bef4aa0a271ffbc919aef007e3f971c4fada235d79888e0f3b26088fcf6ab678e7274ecab6755d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b40c62fce61c5d351cf9e28f276066ed
SHA1136354b7590dc79d0dc4f68e59c09a46293ce776
SHA256913114acd3a7be8cd0648b1c071c9fafb0f5a342e42023dc79c9e13ecdc68c27
SHA512818c489bfa9ccc089969ad46f8e7ec298c2abd7efb5ea2bec12d4f862d6f63d77cf1016f6b7c5c9691066151556363e5894c5f1fee171a917dcc6e5217cdcb64
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a4ebaa7c6fa3716231fc29f6c333b01b
SHA166c496cad91e5d98e49dc026fda977d9a4402a38
SHA256429e5277fc897d82aaa6571c6fdc4009d1a892932fe6c012a419d079b460a369
SHA512719e665696475368a52c910b8cef5603eefeedeb8ab8bc05b404f4bcfce076bbeb732677e023ad8394719e7b0ddf33ce1090d5aae32f378f2c557292209475b4
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
356KB
MD55ef1fdd422951c153db8c39b87e84e5d
SHA1a89966004343653b2d20c06b373b1390ed0450d3
SHA256b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
SHA51294a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871