Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
27/10/2024, 22:36
Static task
static1
Behavioral task
behavioral1
Sample
764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe
-
Size
364KB
-
MD5
764a3a6827e4d04ebbb801e8f5b95f8b
-
SHA1
6bdba1a36f825e2b6cbe2c71bfa2e31ad148ddcb
-
SHA256
091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1
-
SHA512
2a05444918da6ac9e400c1b7c5f58e60187035b4533be28b4b516f8002edfcd9b1eaa9207b820e26f6cd08c51a7ca8610dd4aa785d3b9ffd2dedd04a8aa197f2
-
SSDEEP
6144:3M3Ia4g7E/Rd1WjfqMsSW9ZgsQ6LEme81Ip8/V+9jeOLzZXcIwXHX:qIt4EELq7p9ZgeLDc8/VkphcI
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+kau.txt
http://gfhshhf.home7dfg4.com/BC924546C7D5D9B
http://td63hftt.buwve5ton2.com/BC924546C7D5D9B
https://tw7kaqthui5ojcez.onion.to/BC924546C7D5D9B
http://tw7kaqthui5ojcez.onion/BC924546C7D5D9B
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
pid Process 528 bcdedit.exe 2640 bcdedit.exe 2412 bcdedit.exe 2356 bcdedit.exe 2660 bcdedit.exe -
Renames multiple (417) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2692 cmd.exe -
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+kau.html iquwh-a.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kau.html iquwh-a.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+kau.txt iquwh-a.exe -
Executes dropped EXE 2 IoCs
pid Process 2944 iquwh-a.exe 1928 iquwh-a.exe -
Loads dropped DLL 3 IoCs
pid Process 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 2944 iquwh-a.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 myexternalip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2956 set thread context of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2944 set thread context of 1928 2944 iquwh-a.exe 34 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre7\lib\deploy\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png iquwh-a.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png iquwh-a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png iquwh-a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png iquwh-a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png iquwh-a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Common Files\System\ado\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png iquwh-a.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak iquwh-a.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png iquwh-a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt iquwh-a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png iquwh-a.exe File opened for modification C:\Program Files\Google\Chrome\Application\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png iquwh-a.exe File opened for modification C:\Program Files\Google\Chrome\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg iquwh-a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png iquwh-a.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css iquwh-a.exe File opened for modification C:\Program Files\7-Zip\Lang\yo.txt iquwh-a.exe File opened for modification C:\Program Files\7-Zip\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Common Files\System\msadc\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\ja-JP\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png iquwh-a.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak iquwh-a.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\it-IT\how_recover+kau.txt iquwh-a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\how_recover+kau.html iquwh-a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png iquwh-a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iquwh-a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iquwh-a.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3060 vssadmin.exe 1684 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000005596ed1d8024a78cb7b6e58da6ac16a3a4c484c3f43cb1c30b9f2cbacf6786fa000000000e80000000020000200000000f81c47bba6bd87828d5f0d2e6e17a67aa301a014271c033517017cbe88d019d900000007a5abf716e8553a147c8ce1b04a7f0151a8760f5382ac8c0b1581bdbc41e51e985e1a65ef1140be47e419b0f2e026e7fff1b82be7f5980fd288c4b28a69a82ae7e564dcaa6c92eedaf49cef2e243d359a9faae36eea9ddcc998ba098f4482e42ebf46ba38c65c8ebcfe8330870c20919d4e674cbf76f18fe3cceefa7478dd43fe178e6d65297ef9cc7dae5526a1d8dc440000000c1ce7bf62d2654d94c55c95608927bbd04cd8e8a870f8b2e61e2d0047304b76898e0d1e9b769e06db32c3198ae28f185e587c0d2685425b8d812a2ecdefb3f65 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD1A5951-94B3-11EF-8CE5-7A300BFEC721} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3018acd1c028db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436230492" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000a718e7a4b022c36ca54d19794e52c58bd556f7658e3d34cb148f1c0315ecd8ae000000000e80000000020000200000009994bef2a85bc5a52e6f306f465efd22845fdccbdee0d377d4d0874735030ade200000003919e8998adc7b89a8261ac9224ca7d408c92d9663ee1db20716b9247238d83840000000a393815092ee773877759dd8882e72db89e1906457bbe6b6910eb97fcb4dfd98fa5126a985c50153e4f36c0d91a1fddd1f7a2d06a4a519e2656a693ad046f607 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2180 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe 1928 iquwh-a.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe Token: SeDebugPrivilege 1928 iquwh-a.exe Token: SeBackupPrivilege 2916 vssvc.exe Token: SeRestorePrivilege 2916 vssvc.exe Token: SeAuditPrivilege 2916 vssvc.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2028 iexplore.exe 1992 DllHost.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2028 iexplore.exe 2028 iexplore.exe 1616 IEXPLORE.EXE 1616 IEXPLORE.EXE 1992 DllHost.exe 1992 DllHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2956 wrote to memory of 2800 2956 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 30 PID 2800 wrote to memory of 2944 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 31 PID 2800 wrote to memory of 2944 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 31 PID 2800 wrote to memory of 2944 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 31 PID 2800 wrote to memory of 2944 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 31 PID 2800 wrote to memory of 2692 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 32 PID 2800 wrote to memory of 2692 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 32 PID 2800 wrote to memory of 2692 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 32 PID 2800 wrote to memory of 2692 2800 764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe 32 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 2944 wrote to memory of 1928 2944 iquwh-a.exe 34 PID 1928 wrote to memory of 528 1928 iquwh-a.exe 35 PID 1928 wrote to memory of 528 1928 iquwh-a.exe 35 PID 1928 wrote to memory of 528 1928 iquwh-a.exe 35 PID 1928 wrote to memory of 528 1928 iquwh-a.exe 35 PID 1928 wrote to memory of 2640 1928 iquwh-a.exe 37 PID 1928 wrote to memory of 2640 1928 iquwh-a.exe 37 PID 1928 wrote to memory of 2640 1928 iquwh-a.exe 37 PID 1928 wrote to memory of 2640 1928 iquwh-a.exe 37 PID 1928 wrote to memory of 2412 1928 iquwh-a.exe 39 PID 1928 wrote to memory of 2412 1928 iquwh-a.exe 39 PID 1928 wrote to memory of 2412 1928 iquwh-a.exe 39 PID 1928 wrote to memory of 2412 1928 iquwh-a.exe 39 PID 1928 wrote to memory of 2356 1928 iquwh-a.exe 41 PID 1928 wrote to memory of 2356 1928 iquwh-a.exe 41 PID 1928 wrote to memory of 2356 1928 iquwh-a.exe 41 PID 1928 wrote to memory of 2356 1928 iquwh-a.exe 41 PID 1928 wrote to memory of 2660 1928 iquwh-a.exe 43 PID 1928 wrote to memory of 2660 1928 iquwh-a.exe 43 PID 1928 wrote to memory of 2660 1928 iquwh-a.exe 43 PID 1928 wrote to memory of 2660 1928 iquwh-a.exe 43 PID 1928 wrote to memory of 3060 1928 iquwh-a.exe 45 PID 1928 wrote to memory of 3060 1928 iquwh-a.exe 45 PID 1928 wrote to memory of 3060 1928 iquwh-a.exe 45 PID 1928 wrote to memory of 3060 1928 iquwh-a.exe 45 PID 1928 wrote to memory of 2180 1928 iquwh-a.exe 51 PID 1928 wrote to memory of 2180 1928 iquwh-a.exe 51 PID 1928 wrote to memory of 2180 1928 iquwh-a.exe 51 PID 1928 wrote to memory of 2180 1928 iquwh-a.exe 51 PID 1928 wrote to memory of 2028 1928 iquwh-a.exe 52 PID 1928 wrote to memory of 2028 1928 iquwh-a.exe 52 PID 1928 wrote to memory of 2028 1928 iquwh-a.exe 52 PID 1928 wrote to memory of 2028 1928 iquwh-a.exe 52 PID 2028 wrote to memory of 1616 2028 iexplore.exe 53 PID 2028 wrote to memory of 1616 2028 iexplore.exe 53 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System iquwh-a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" iquwh-a.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\764a3a6827e4d04ebbb801e8f5b95f8b_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Users\Admin\AppData\Roaming\iquwh-a.exeC:\Users\Admin\AppData\Roaming\iquwh-a.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Roaming\iquwh-a.exeC:\Users\Admin\AppData\Roaming\iquwh-a.exe4⤵
- Drops startup file
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1928 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} bootems off5⤵
- Modifies boot configuration data using bcdedit
PID:528
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} advancedoptions off5⤵
- Modifies boot configuration data using bcdedit
PID:2640
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} optionsedit off5⤵
- Modifies boot configuration data using bcdedit
PID:2412
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures5⤵
- Modifies boot configuration data using bcdedit
PID:2356
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} recoveryenabled off5⤵
- Modifies boot configuration data using bcdedit
PID:2660
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
PID:3060
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2180
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1616
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
PID:1684
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\iquwh-a.exe5⤵
- System Location Discovery: System Language Discovery
PID:1300
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\764A3A~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2692
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1992
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD50794ac99a6f60eb0e737a2e9cb1ab4ec
SHA189d31ef1b6e2d41655123ac0e76a4da3401ce796
SHA2569894bf3d7044ced3910bf242282de2386a4af5ff3247fb982f1c749a808b73b3
SHA512dd160ebb99054be2c47b1ab271408a86bb72a0f9434b71ef6314a0244361ec6db650a8afa40e0946b6c4d332f2ad37b648ecc06805da4a83bfcacdde03652e37
-
Filesize
2KB
MD5148f92ad3e9e94860edac78a1cf11538
SHA167364632d152c05e99d6ff81a4ad7c793a8673de
SHA256206b3974f77e98783e9a3d2d16b0400a911170cb3fd1cd0bb6dbbccfd89b9227
SHA51201dd7d42fe1f1ee3b2a1bbbd7486bf97f8c65fe0e521e37741b88b4c9807966e577442722e276d33666606940da66c182c2caeb42d4474bc8b80b2929ad77608
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD5e54aa028e3de94289cfdffe267e019a4
SHA10a3630e5adb9edb5aa68ebe7a15e8c81c6f2f3f4
SHA2565687e31b80f3c59d142130c68b8053ed00ebaa9f96c45580bc92be648465be05
SHA51271a8f0ed802df2a321f440a52f2da793e9e2fb27ad849542a65448155380ca57f155dec583c163e15883f2014008c48eb9c5d05d1b0a7b30daf65e6fa83d4e8a
-
Filesize
109KB
MD5166f6f456a1a6872f3773bf8418846ff
SHA12c328390bcaffed35ecf59ecb1976754d25ff482
SHA2568f220bc06a83e03f303e8ec0545f8d38117b3fbac63922af8e48e7cb20b15525
SHA512a2fd985842f5c033a197971ff555019c5dbac93bfe623614423472e3e9cda19c7b6baf7b5a9e82705b3b6c325dee9d5573bf0cfd3e0f6e8894e239a7f1089000
-
Filesize
173KB
MD56c4fdc53cf759ce56ebdbbb973944453
SHA16f949962c70291ea43d45f956ffec09d315b6d4c
SHA2565cc35d60aa4ee3499f87f51ac13ecc2a3845916473ee43d00b0723deb4431f1e
SHA5120db741ecb5aa9af4525bbfa350cb0531734a4987c80a44acaa8ee8791094460f4e6ed09a103cc137309ead4898a0829c35f0788ff926a504a370ab4b91730ac0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55de7135b51b4a68878ab48077214c761
SHA1e0fc56f8cc1addba4f6c6c108c6bc26b3acf2f2d
SHA256e325675e819d4d6c14ddca13268c82042251d2344afd158a28dd67b1dd970539
SHA512a305ec061f348ad7a0f5189e90469f9dcd46fd65d0f227bae033eb86aefe4ec77a7d807f100e4d04f30cf44849756a2abfd3ef6e87c14cb884d2c625c600a7d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50cf36a00e4ddb127ce114aced3e3d80c
SHA1b3459c9b2a68463602a3f769b2962075fa3c2d42
SHA2562564270afcd49a83d12386c375fbc5e55bada15e8e67b0c96adfc976fe84ca83
SHA512aec0ba5eda8fc69d6f87499e2f8988a13d90d7b99fd1d040bf667b6e629723336627c13cf5425fd4fb15b8462dc03d580a76e9a5a7c42e1dc879c5f0d0f3b2b4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ee0aa1b5e93cbe3b3262d612e525af34
SHA11f7af529a1cb68a0b03f4fd4ccb6c3876a04adea
SHA2566c8fdc00d23e65d87f18ee0267f0081ef5b89a549f64c8f982e0248b66737d2c
SHA51213be6872385ebed2c2a7176bbec9bafdd4042d61041a073e2c01f5262ba4b5aa24fa55f5f3370fca2ba7441dcc4b654017a35efc32c891455356fdade1400219
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD543e4c4e94ac832273c514e8d63af3465
SHA18d167e7c2efdeac957d2d0a5fd127e7133ea01c6
SHA256db4576c146badbf22f3c15c13fc93a2ad8a1e5323c4aa3c81bfaf58ac862c268
SHA512e9db3c22969369021488a1d73fb41d5ccbdc3f18cf2793ad8a6df2cb1682da2ee9e35b674a71605790565c71fd6e14eb465f70fd8bb448f2076bb1f545e87c93
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58d83b5d4f009a765919f4abb38c418ce
SHA1429ed501ec410776f0fb813dddca7e511fc0156d
SHA25687b79b5b358a6cf97e7f41bf6b023142c2666b9ba2917c7203d2a6ed15d4da2f
SHA512e8b1d1ff926dce29c3d7c1ad859b4088a1dff5939cbf6cd5abeac284f1eae35324843a24589f04621e37afb4432641ec56d7f3299b638b25f23b8ae374723cae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53f582fe91a6dc67ae114994192e56942
SHA1cfee7efd1f970f7750d8c342dc785b8e60ac6715
SHA25606e8839df290d1ca3d070dfaeebdc4a49810177b23845d214caf9959435a8a77
SHA51261d782d1226022be1c72a83ab38588ecc4ca5c937cca03a06fe67f56b15400d71c35c03c672cb1051d1db5b704d9fb959980094240e415e4ad4592cd37be2220
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59aaf90baa50aa261c66fd779e147847c
SHA1f926b25e4f933f1193ab7980822b3da603b8ec70
SHA2568f5df2482ad591c384de719c02b29e468db3ab932bd3414712487fcb6f01ccb0
SHA5121e312f2a5714559a397f344ff28a4c1285b5c68682cffc5d03835fdfbbdf58b4793f6a0aa515d09106d6155429cdb60ba0ee3c6d8575162a647945bb0e561f7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5aa3f60be9db59b9f7dc6abf2b149227f
SHA15f1d744b4e69e6277e7685be0883ed17284569e0
SHA256fd72d34bb4b06a3d544f108934d369615a1c5e2884b536624dc529a3966428ad
SHA51288406eac1e6a82e4a5b76b66b45439ddc1b9126114cc0fe8f65614b79948216cb6b2d449691663c0b2e1cb55bb95773388e5e9949c0e36c68f706fe07c9464b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58dd578b6f34368bbc51fc66a8c1c2a11
SHA180356234173c64f8ab59d464d152542787dfa91a
SHA256b8199b730cd6882c3fbc0c12b5f54b4bd4133008e451e8c1de91d72dcbd10d31
SHA512ec18fade41342bdae9e95cb285a60bebb5a71b457a57fd97af36ff4b102ca16f81f324f066e15f47e386d8d78ceca00a50cccc6560ad154ce0bd0d3b818a0c92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD536e66ef82d60face7dc260aaac3105ba
SHA1e8fe314d6eede1e5155ab0d5636eeeeb759ecae3
SHA2569cf1c1e2e06e2346a69a05e09e61a6b1c0b70a647062a4c22a2a2288a30263d1
SHA51252a8b2564ec1a0e7926f660ea8f08415cbf4da7baf2f457a403f4f09da8258ed61397f1579d5095ac8f2f661ae6e102fcd30160d0388fe8bfc896bb9557784b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e4a47dbcf4f14f9a522c941c9536f156
SHA118c825261be413f4edfa1e9b6806f91127c3db00
SHA2561e0e2c76d7fe54deabc8118799928e56fdafb6823d39b084be190f82ddc8ab94
SHA5123c29d8ff7d36943a419f815ae137c2338b834395695f8743c5c3a9c37717c829aa937d9df8b055be90a248279e7dec07f5c502a1e6c792d661cc6a5741983bef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b50031b453ad5f65c1ba3360ff5a4f4f
SHA1e8c11d3da00b593eb758d84a439f7d1ba1eed9f8
SHA25687772a7b9d9a56bb46a98e105e84836e0d66e4d2ff12b17a59827b4a0bc67ae9
SHA5124f937f51f29a9623060a6ecef0fcf7de0d41c8a42ecf1532a14fc627791ceca564070a29df599404b11356d8f9ad125fe7ed02f6a26b2e9950ad45f445daa8f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59379ff00310de84c34ba4ecb11bd7070
SHA1bbb3cf696da9ef86a1c4470ecf5c1696e7480aac
SHA256fca5cd62bbdc9430d044c6f8fa06d08a0c8c6678df36d3b4a6391d691cc1480d
SHA512a8d697c80a33e34dcce8d1bb7f05c7b1024c41923c0ebd7dbb1203328685e360ecb12fbecc110333b32915b07620bbeeef213936b619b50de20c37864e82bff9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5687cea0aa5e152280e12ac1ae7be2867
SHA11ee71e3c3c391574be5ac220e239d052024a02fc
SHA256af6c80bc064b53de3285db773d18fc6bcc53fc331cb3705b0871f5ff2226f52b
SHA512a97716be11029a243f0825f560b1559dc297afd7d990880394773d3422cb422b8cd441cb10d555a601d65cd78b8b6beac1736fab244d9da236d2a74ee386b749
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e834d86b3c32c3bd591e38542291383c
SHA11a1a814d9d97dbfb4a535bab4f5c1d262160e8ed
SHA25690921886f633a7e21e9f125810ac925780aec71579c87aac6880280bb3c1738b
SHA5129a43a88842068bb5fe603b60fea5f1fa09ae8733758627c8941440f8ec86328b3031b668568aa50d3ef18bcee9f4c0f3d34197629054d1aa018b23329d76588f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5756956d495bc0b2d4474fd6894575d96
SHA179dab64b305640453fbbb6a7d3de241ddfea46d0
SHA25616c069495c7e428e829e88b0f8e2a8fc52d08ad6834eb291e425857c452d3b3b
SHA512885b8330c330d61e70dda2dfe3ea87c8bb17346b89278b2dfbfb9a7a1d1b81c4a1a818e6020e6b81e0036a1d586e989280439d987fc748694950d85dd972bb8e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51939359c1f66726c190cf582e68328a6
SHA1e9b36d1c95a882871e3ddf315845439006eb1633
SHA256305a53c05e1b604aa5241a0f75b9eb3aa870bf340cd40764b698943006d8db2b
SHA512858b72d20b9cb10479de212c5bbe9409fa4f295edce9f8bacaf40f9485111ed4cf1862efac2827b97760086bcc175acc159ba836c831f598a08c58693f392c00
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d60cc289134d6f241c6e0a63f4089dba
SHA1357b0e9ecd47bfb6cb397c466f20915cc6d8704a
SHA25635e2db4c7cb676dcc4aa86f5143b30d30e30c0c9c5c60632d2e85b66f65c8148
SHA51249656aa1406ae11b592f739c89cbe92d9c6637a660de1f0a408ef67dc1acb804506076764ebf4c81a40ed1fb83e980b307cbf4955517c3a04557c0816a9c8a33
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD540f339d4ae4e1409caeedf344586e8df
SHA1ee6a9f3702247364a48f52f67998beff9cde5c22
SHA25642b3fa4373de5c358555e15539ee5b3b32fb82f99dbf2cb36884f916123302f7
SHA512084d905bf616bcd41846462b0f97598519f4fc7b446d08c9e0f2f8baa138c58c459a3cc140ac527ffd3bcfde57af9d47e2b7cab6b9b7482bf6c74c34cfc22989
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD569c5f88e3953227e53139fb53cd330e8
SHA1484817f7090aa6e190cef4adbe55ee7dcfe6abe5
SHA25639bf2b88fdb10fb27043c819371797fd32eae6767aee756201c47a01d0452996
SHA512a78d648ea29ae07743810f77062458f2152cd9433fc5ac4ed51a7e92d82efa2fb70d71fd75068c968a8157ea7cee3b2fc17683988c8b25413adfd193a941b1b7
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3.3MB
MD51666a00bff6235739b5d06cfa331e517
SHA12dd42a1c40ccda81ebc1102f1b920117ecc76841
SHA25600102c61a4cbbfb1ca06c78248730af25eb970a089c21e89e53040cb5a8c9408
SHA512f9d7ef3d4a49a21f16f084316e0aa19df7a98200ea4fbc6683ad406442040e8f2cc73c5f77534a04313afe6f98db7d91201042505643c49dd604d6b030477694
-
Filesize
364KB
MD5764a3a6827e4d04ebbb801e8f5b95f8b
SHA16bdba1a36f825e2b6cbe2c71bfa2e31ad148ddcb
SHA256091a2ac2c8e821715490400c991ed7af94a6cb48462c24f4fce5142f93b906a1
SHA5122a05444918da6ac9e400c1b7c5f58e60187035b4533be28b4b516f8002edfcd9b1eaa9207b820e26f6cd08c51a7ca8610dd4aa785d3b9ffd2dedd04a8aa197f2