Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2024 02:36
Static task: static1
Behavioral task behavioral1: sample 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe, resource win10v2004-20241007-en
(The report below is the behavioral1 run on the Windows 7 x64 image.)
General
Target: 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe
Size: 360KB
MD5: 9213073f63c1542315acdad27c0b8b78
SHA1: 77b5765cd37ccfb7608611291d66e68b7d68e2dc
SHA256: 1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad
SHA512: 9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735
SSDEEP: 6144:YaaRWvS8RStjunQ/ocbbOeEQZlPX6kKhWbyFqoMU2sEEbsOI/4Yi:YFWvNS8EE4+WOeU22bnI/4Yi
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+anife.txt
Family: teslacrypt
Payment URLs (three clearnet gateway hosts and one Tor hidden service; all four carry the same victim ID, 7C29CA99EA48E69, as the path):
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C29CA99EA48E69
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C29CA99EA48E69
http://yyre45dbvn2nhbefbmh.begumvelic.at/7C29CA99EA48E69
http://xlowfznrg4wf7dli.ONION/7C29CA99EA48E69
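Added example, not part of the sandbox report: a small Python extractor for the configuration shown above. It pulls every URL out of ransom-note text, separates the victim ID (the shared path `/7C29CA99EA48E69`) from the hosts, splits the Tor hidden service from the clearnet gateway domains, and matches both note filename forms this run produced (`_ReCoVeRy_+anife.*` in each directory, `_ReCoVeRy_.TXT` / `.HTM` on the desktop). The note body in the block is constructed around the report's four URLs; the real note wording is not on this page.

```python
"""Added example (not from the sandbox report): extract TeslaCrypt payment
URLs and the victim ID from ransom-note text, and match the note filenames
seen in this run."""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the note body; only the four URLs come from the report.
SAMPLE_NOTE = """\
Your files have been encrypted. To obtain the key, open one of these pages:
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/7C29CA99EA48E69
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/7C29CA99EA48E69
http://yyre45dbvn2nhbefbmh.begumvelic.at/7C29CA99EA48E69
If they do not open, install Tor Browser and visit http://xlowfznrg4wf7dli.ONION/7C29CA99EA48E69
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# The path component is the per-victim ID (hex); all four URLs in the report share it.
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{10,20}$", re.I)
# Note names seen in this run: "_ReCoVeRy_+anife.txt/.html/.png" in every
# directory (random 5-letter suffix) and "_ReCoVeRy_.TXT" / ".HTM" on the desktop.
NOTE_NAME_RE = re.compile(r"^_ReCoVeRy_(\+[a-z]{5})?\.(txt|html?|png)$", re.I)


def extract_config(note_text: str) -> dict:
    """Split note URLs into Tor hidden service(s), clearnet gateway hosts and victim IDs."""
    onion, gateways, victim_ids = [], [], set()
    for url in URL_RE.findall(note_text):
        parts = urlsplit(url.rstrip(".,)"))
        host = (parts.hostname or "").lower()
        path_id = parts.path.strip("/")
        if VICTIM_ID_RE.match(path_id):
            victim_ids.add(path_id.upper())
        (onion if host.endswith(".onion") else gateways).append(host)
    return {"victim_ids": sorted(victim_ids), "onion": onion, "gateways": gateways}


def is_ransom_note_name(filename: str) -> bool:
    """True for the two ransom-note filename forms this sample drops."""
    return NOTE_NAME_RE.match(filename) is not None


def hunt_notes(paths):
    """Return the paths in a directory listing whose basename is a ransom note."""
    return [p for p in paths
            if is_ransom_note_name(p.replace("\\", "/").rsplit("/", 1)[-1])]


if __name__ == "__main__":
    print(extract_config(SAMPLE_NOTE))
```

`extract_config` keys the victim ID on the URL path rather than on a fixed string, so a note from another infection with the same gateway hosts but a different ID is still parsed; a single ID across all URLs is what you expect from one campaign config, and more than one ID in a note is itself worth a second look.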
Signatures
-
TeslaCrypt, AlphaCrypt
File-encrypting ransomware active 2015-2016 whose ransom notes and branding imitated CryptoLocker; it was not built on CryptoLocker's code. The operators released the master key and shut the operation down in May 2016, so files encrypted by this family are recoverable with public decryptors.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware removes Volume Shadow Copies so that encrypted files cannot be restored from previous versions. In this run the deletion is done with `WMIC.exe shadowcopy delete /nointeractive`, launched twice by the dropped copy (see the process tree).
-
Renames multiple (422) files with added filename extension
Appending an extension to 422 files is consistent with ransomware encrypting user and application files in place across the system.
-
Deletes itself 1 IoCs
pid | Process
2496 | cmd.exe
Drops startup file 6 IoCs
The ransom note is written in three formats into the user's Start Menu Startup folder and the Word STARTUP folder, so it is re-opened with its default handler at every logon and whenever Word starts.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+anife.png | knllohcmlmde.exe
Executes dropped EXE 1 IoCs
pid | Process
2316 | knllohcmlmde.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. In a ransomware run this signature usually fires because the encryptor walks the browser profile directories while enumerating files to encrypt; treat it as a file-access artifact rather than evidence of credential theft unless the data is also seen leaving the host.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ttlxlsw = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\knllohcmlmde.exe" | knllohcmlmde.exe
The value launches the dropped copy through `cmd /c start` rather than naming it directly. Because the copy deletes itself once encryption finishes (see the `cmd /c DEL C:\Windows\KNLLOH~1.EXE` child in the process tree), this Run value is left pointing at a file that no longer exists; it is a useful forensic marker but does not re-run the encryptor.
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
Two kinds of entry are mixed here: `_ReCoVeRy_+anife.txt/.html/.png` are ransom notes dropped into each directory the encryptor visits; every other path (for example `White_Chocolate.jpg`, `settings.js`, `e4-dark_globalstyle.css`) is an existing file being opened for in-place encryption. The list is capped at 64 entries by the sandbox.
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\de-DE\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cy\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\th\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\it-IT\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\Services\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jre7\lib\amd64\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tt\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\brx\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\System\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\af\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\id\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jre7\lib\cmm\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Common Files\System\ado\en-US\_ReCoVeRy_+anife.txt | knllohcmlmde.exe
File opened for modification | C:\Program Files\Internet Explorer\images\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ff\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ast\_ReCoVeRy_+anife.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_ReCoVeRy_+anife.html | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png | knllohcmlmde.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\visualization\_ReCoVeRy_+anife.png | knllohcmlmde.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\knllohcmlmde.exe | 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe
File opened for modification | C:\Windows\knllohcmlmde.exe | 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading the NLS\Language key is routine for almost any Windows process (Notepad, Internet Explorer and DllHost appear below for that reason), so on its own this is weak evidence; it matters only for the two malware processes.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | knllohcmlmde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies Internet Explorer settings
These keys are written by Internet Explorer itself when it is launched to display the HTML ransom note; they are ordinary first-run/session state, not changes made by the malware.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved) | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000f81e3ea4f762ea0f104a5e08945d375f7fb9a27402655b2e3a3794a964b713fa000000000e80000000020000200000002ecd8625219a99941f9fe9e97800fef214fe1cd79f79f6089d138447aee38db8200000001a551d94cd3be2d283634ed3b88ca14e84a13e80ccb64f371eb8e5361ac64842400000001d8e263b8f3e0bc6779803ce1d9f1ea35948c10ef216cecefeb5d11c04d7a16bee9522c6bfed77e4dd6956ed74898f0dc2502abd2405c3348183e1f6689ad8d2 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438577663" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 109cf9c0193edb01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EC5C1591-AA0C-11EF-8E45-E699F793024F} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
2176 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2316 | knllohcmlmde.exe (64 identical entries; the list is capped at 64 by the sandbox)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2788 | 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe
Token: SeDebugPrivilege | 2316 | knllohcmlmde.exe
Token (the following sequence enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 2644 | WMIC.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 2168 | vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 (list cut off at the 64-IoC cap) | 1800 | WMIC.exe
The long WMIC lists are noise: WMIC.exe enables every privilege in its token at startup regardless of the query it runs (LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege). The entries that carry signal are the two malware processes enabling SeDebugPrivilege and vssvc.exe taking backup/restore privileges, which is the shadow-copy service acting on the WMIC deletion requests.
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1596 | iexplore.exe
1152 | DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1596 | iexplore.exe (2 entries)
2656 | IEXPLORE.EXE (2 entries)
1152 | DllHost.exe (2 entries)
Suspicious use of WriteProcessMemory 32 IoCs
Each row below was logged four times; the target of every write is a child the writing process had just created, which is the pattern CreateProcess produces while setting up a new process. Nothing here indicates injection into an unrelated process.
description | pid | Process | procid_target
PID 2788 wrote to memory of 2316 (x4) | 2788 | 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe | 32
PID 2788 wrote to memory of 2496 (x4) | 2788 | 9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe | 34
PID 2316 wrote to memory of 2644 (x4) | 2316 | knllohcmlmde.exe | 36
PID 2316 wrote to memory of 2176 (x4) | 2316 | knllohcmlmde.exe | 43
PID 2316 wrote to memory of 1596 (x4) | 2316 | knllohcmlmde.exe | 44
PID 1596 wrote to memory of 2656 (x4) | 1596 | iexplore.exe | 46
PID 2316 wrote to memory of 1800 (x4) | 2316 | knllohcmlmde.exe | 47
PID 2316 wrote to memory of 2728 (x4) | 2316 | knllohcmlmde.exe | 50
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | knllohcmlmde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | knllohcmlmde.exe
Setting EnableLinkedConnections to 1 makes network drives mapped in the user's standard (filtered) logon session visible to processes running with the elevated UAC token. The encryptor sets it so that, when it runs elevated, it can reach mapped shares in addition to local volumes. On a real host, a value of 1 here that was not deliberately configured is worth checking, and the shares the user had mapped should be included in scoping.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Here it is driven indirectly: the two `WMIC.exe shadowcopy delete` invocations cause vssvc.exe (PID 2168) to start and delete the snapshots.
Processes
(Indentation shows parent/child depth. Each node lists the image path, the command line as recorded, the signatures attributed to it, and its PID.)

[1] C:\Users\Admin\AppData\Local\Temp\9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe (PID 2788)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\knllohcmlmde.exe (PID 2316)
      cmdline: C:\Windows\knllohcmlmde.exe
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

    [3] C:\Windows\System32\wbem\WMIC.exe (PID 2644)
        cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2176)
        cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        - System Location Discovery: System Language Discovery
        - Opens file in notepad (likely ransom note)

    [3] C:\Program Files\Internet Explorer\iexplore.exe (PID 1596)
        cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2656)
          cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

    [3] C:\Windows\System32\wbem\WMIC.exe (PID 1800)
        cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 2728)
        cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KNLLOH~1.EXE
        - System Location Discovery: System Language Discovery

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2496)
      cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\921307~1.EXE
      - Deletes itself
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\vssvc.exe (PID 2168)
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\DllHost.exe (PID 1152)
    cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

Reading the tree top to bottom: the dropper copies itself to C:\Windows\knllohcmlmde.exe, runs the copy, and removes its own Temp-directory image via `cmd /c DEL` using the 8.3 short name. The copy deletes shadow copies once before encrypting, displays the desktop notes in Notepad and Internet Explorer, deletes shadow copies a second time, and finally removes itself the same way. The short-name `DEL` commands and the two-stage shadow-copy deletion are the most specific command-line detections this run offers.
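Added example, not part of the sandbox report: Python detection logic that reproduces the chain in the process tree above from process-creation and registry-set events. The event records are constructed from the tree and from the Run-key and policy IoCs (a subset: the second WMIC call and the Internet Explorer branch are left out for brevity), and the field layout is my own rather than any particular EDR schema. Each rule keys on a behaviour the report documents: `wmic shadowcopy delete`, an executable dropped straight into `C:\Windows\` and launched from a Temp-directory parent, `cmd /c DEL` of the parent's own image via its 8.3 short name, a ransom note opened in Notepad, a Run value that starts the dropped copy through `cmd /c start`, and `EnableLinkedConnections = 1`. The `vssadmin delete shadows` alternative in the shadow-copy rule is a generalisation beyond this sample.

```python
"""Added example (not from the sandbox report): rule-based detection over
process-creation and registry-set events, using records constructed from
this report's process tree and registry IoCs. Field layout is my own."""
import re
from ntpath import basename, splitext

# Constructed from the process tree: (pid, ppid, image path, command line).
# The parent PID 1000 of the first process is a placeholder (not in the report).
PROCS = [
    (2788, 1000, r"C:\Users\Admin\AppData\Local\Temp\9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\9213073f63c1542315acdad27c0b8b78_JaffaCakes118.exe"'),
    (2316, 2788, r"C:\Windows\knllohcmlmde.exe", r"C:\Windows\knllohcmlmde.exe"),
    (2644, 2316, r"C:\Windows\System32\wbem\WMIC.exe",
     r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    (2176, 2316, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT'),
    (2728, 2316, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KNLLOH~1.EXE'),
    (2496, 2788, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\921307~1.EXE'),
]
# Constructed from the registry IoCs: (pid, key, value name, data).
REG_SETS = [
    (2316, r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "ttlxlsw", r"C:\Windows\system32\CMD.EXE /c start C:\Windows\knllohcmlmde.exe"),
    (2316, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLinkedConnections", "1"),
]

SHADOW_DELETE = re.compile(
    r"(wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete)|(vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows)", re.I)
NOTE_NAME = re.compile(r"_ReCoVeRy_(\+[a-z]{5})?\.(txt|html?|png)\b", re.I)
DEL_TARGET = re.compile(r"\bDEL\s+\"?([^\s\"]+)", re.I)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.I)


def short_name_prefix(image: str) -> str:
    """Stem of the 8.3 short name Windows usually assigns to a long file name
    (first six characters plus '~'); the numeric suffix is left unchecked."""
    stem = splitext(basename(image))[0].replace(" ", "").replace(".", "")
    return stem[:6].upper() + "~" if len(stem) > 8 else stem.upper()


def names_image(target: str, image: str) -> bool:
    """True when a DEL target refers to `image` by long name or 8.3 short name."""
    t = basename(target).upper()
    return t == basename(image).upper() or t.startswith(short_name_prefix(image))


def detect(procs, reg_sets):
    """Return (rule, pid) hits; pid is the process the finding is attributed to."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        parent = by_pid.get(ppid)
        exe = basename(image).lower()
        if SHADOW_DELETE.search(cmdline):
            hits.append(("shadow_copy_deletion", pid))
        # Executable sitting directly in C:\Windows\ and launched by a Temp-dir parent.
        if parent and USER_TEMP.match(parent[2]) and WINDOWS_ROOT_EXE.match(image):
            hits.append(("dropped_exe_in_windows_root", pid))
        m = DEL_TARGET.search(cmdline)
        if m and parent and exe == "cmd.exe" and names_image(m.group(1), parent[2]):
            hits.append(("self_delete_via_cmd", ppid))       # attributed to the parent
        if exe in ("notepad.exe", "iexplore.exe") and NOTE_NAME.search(cmdline):
            hits.append(("ransom_note_displayed", ppid))     # the process that opened it
    for pid, key, name, data in reg_sets:
        if key.upper().endswith(r"\CURRENTVERSION\RUN") and \
                re.search(r"\bcmd(\.exe)?\b.*/c\s+start\b", data, re.I):
            hits.append(("run_key_via_cmd_start", pid))
        if name.lower() == "enablelinkedconnections" and str(data) == "1":
            hits.append(("enable_linked_connections", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(PROCS, REG_SETS):
        print(f"{rule:30s} pid={pid}")
```

The self-deletion rule attributes the hit to the parent rather than to cmd.exe, because the parent is the process that has just finished its work; correlating on the 8.3 short name is what ties `921307~1.EXE` back to the 48-character dropper name. Feeding real Sysmon Event ID 1 and 13 records into `PROCS` and `REG_SETS` only requires mapping the four and four fields used here.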
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
This automatic mapping is driven by the signature names and under-represents what the run shows. The shadow-copy deletion and mass file renaming map to Impact (Inhibit System Recovery, T1490; Data Encrypted for Impact, T1486), the two `cmd /c DEL` commands to Defense Evasion (Indicator Removal: File Deletion, T1070.004), and the NLS\Language reads to Discovery (System Location Discovery: System Language Discovery, T1614.001). The Credential Access entries rest on the browser-profile file access discussed above and should not be read as confirmed credential theft.
Downloads
-
Filesize
12KB
MD52972088c7c7cb4eb14aec721c0dc3731
SHA1365cf8110909bc928768bd583765f0a685230d1d
SHA256f96019fa85063bd19f475d5626c282dd1f4fc2fc3132eeb06ccc35fa46902db9
SHA512aeba7ce990d4d362b55812abd7db1a8970ed335e88b4e3dfdd00b8e8b857378d2a45caa5fff80b530a805b955f6f039c40941c022932ec80f16eb9fb8f42f7de
-
Filesize
64KB
MD597573f20abfe91cba9f43d756a708e29
SHA1b094ae409dd4c1383fa668c57abba6c6e9b709ae
SHA256470c8ae1390e51c87aada9f70e35fc85347c44849041e82c9c791ec62f759bb9
SHA512d883e2f0026894b0d12d8128b0db7830f4a8f6b52ca0ef375c751e27918c120334286bcb6639f691fb8dd797e2b98817feddaf07040ca24794fe34982fdc5bdb
-
Filesize
1KB
MD56c70fe28c89a9a4d8c2bfc5b0dff03c9
SHA145f63cce26419e81132efedbd878c76b4715eda4
SHA256ae02d5b3751e624cc53d5f46fe7988b839bd48d756ce6b6e3694aafa31e8ff84
SHA5124f9f40667ec61dff9f06e55c644cd5e56c8a6eda58eb90f699a7410380d7ab3a2e08916b1eb1c9204f3327329169b6d31bbc4d52d7d8bef4d336833042144c22
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD55f0f7964aeac36f3a63cf7e902b1fe82
SHA18cf220b19574c565e76abf21ff5795ce96c13b07
SHA256ac235da866eff9e302447dc81e6af13ecea5942f42fef99ac8170acdf216572d
SHA5120e44e263693d4b85cec4c102f01270fb00bee8a28e14f964d518b63c828214c1b62bb3c0dcd0a5e79611e99182c3db8c22721e6d1977adb448c16bb0b21002a8
-
Filesize
109KB
MD5e5bb33e12812ffff3aa0527bbe93c163
SHA17d877d5618ba34d63dbc25859ce45c72d0969a17
SHA2561821684695fcb90e67c53d65a814bc4ec82788f369b30564eac7afd2c041fd63
SHA512014eed2864a84cfa4412b8679090df1804baa33b74daf2ace9fc776270f98d890e86c175e40945d0c0f9fef76234260373224150b0955151f89af845a09fedb8
-
Filesize
173KB
MD58d432758f769cc25ff9f78ade90fa127
SHA1e1a4bd48a721b1f93994454d17a1ebb80f54cdfc
SHA256f26e810596a71430d5311607a0bef122b9964b78ea90189cef208bb84e91aa11
SHA5122b12e049d802ae39b54195364ced450241064ef5ac7a3dfc3d0f942e34c9a9f70fc11fbb5d94530658db22a5657c503c7569d5ebed161a770ec2def532a17ad0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5afc09aaac29dffc8a80210e5a79a2797
SHA1d62ddb478a7dd14a01d2816fe5be5df45c5c1dbe
SHA25679bdffd07105deff1a958f37e479bcd38ee5fbbc3b2f0a002b2fc43f80670c3f
SHA51289c9d0194d83a3aa842005279c2b858233b71b008d306cdd3bd922c2e88ed34056adbb896ab22862bfd4f4f3112615c36e37be6d2a94dc83681a36fba961d3d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51e48c133b9feddd48cfa4901c75bb1cf
SHA13b950dde9dc5a8f1cd95907a34ce37bc3b1fd05a
SHA256902e9df7e79e10bc1cedb0c8b8cc1b4a1e7e2a498896c7b2c2ebf244068e8fe5
SHA5122951a493a3d9e08e71d8e3ecd4797bf28a35fcb8ac982c9d6cce4de6729a6150837cbc944846b43a28dfc9802ba59ccaae14c65f0e51c905b9ab33ce549c96f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d2bfa969aa800b2c0aa07b063a8729d6
SHA1c8f64454a31f6fe7bacc324c031947e7785b628b
SHA256fb7b908254b658af2d292c94de1fbc108b962ee56eb89582d974901ab55b6867
SHA5126454d5ebd351567d510c1ea0b2d7fd1b34943314a1033afe74264be2edc48deca418aeb2995987ab2549a55df3526e435c80cd9452e7e5669b43550d05e73750
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
a1f954ea93e979d2c3c209f8ca9b50d3
SHA1
5247c9a4f52cbc026909893ca249e78feb9d2be6
SHA256
0ece321eea1510850b7362b8427c01ace52403bb0c6d254daa0b4a74cdd44776
SHA512
4403cd75c450f2992ef6c20ab27c1d4d748b1eca754fb863df9d1f36a887ff7dec0d1676ffb8ab97056702c5e2d39fabbfd72a4734787c20d83c8b0e6ad95c90
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
0be498942c514f0d6aa3eb2c355ac41d
SHA1
ccec8d9f8591ad72c98c12625703e7a08a747cdf
SHA256
5e18578858d4731a912ba177c15c4baeed9e41629b70cf66e35fd2b31325e315
SHA512
65d1a7ebd23719d2a70c076016582513aa6228f9063eab509fd140e6a90bbe099c5cbb679ed984978ae6a7d072b3b31dc48ac8f1c537ca872c13adeb049e26f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
384ad2e8384c52804cb81423237559fd
SHA1
2040625ed12b5b4bee516e9c2b6babe756c001cf
SHA256
ad9fe8cf7e8687d54a1b1317b48ca53be6811c807de9560f04f5f4b86e4b410c
SHA512
7fdd30278103b289b7365d1641b0b07344eefbe724a96f6817b5c860e591ece6aba636d0dddf8fbf59f8bae6346e33146f8cbae871c72ebecf05c584e3711819
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
9df27ca92b38aa832ba7b7a60ecae565
SHA1
9654d028a46677ef1a9743433332ea7db27b828f
SHA256
6650fa69fcf36795b0eff12769f3db986e3ae56ca484d50d1c4f11c34bdacf66
SHA512
85a103b6b3c59907a8dffc2498e62b8f67a535c39e0face8af08d92239b4946102d03b045185267141d43fcc04ab269a7999501c5331f568c4e7bb6f2c2ee573
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
89b7f552eff066abd78795a6ddb04541
SHA1
36d4f987a1a90d2a8ef7b8e1d8356dcd10de7368
SHA256
d39b0295f44b90720ed380621eaf1c02820075e584f148eab99fe33038feacad
SHA512
41f11a603d4f77b6410666ac72c9effa7c0707fe29d45df6798b0b45d2e1d8773258abf72e9ee9966611135c3ffcb6682f3c61a27a5965428043ca8d821b55e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
32e8824c2a8251b3a055a7532313583f
SHA1
97f0247578a6afb4237bab299fdf3e4607dfafce
SHA256
d166f0dbe6eeb6e80de5ec72ee9524e0e536a2135164299fd29ac7dc4f7f3885
SHA512
48018f7b9a76afe29a4e80c02fd7d335213b85c2412b80e2876504e165fd677dab998a359c5cdbbb0d28ded556817e8bfa6c658660d7504b338312859d5ff394
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
f4e23d24ce12066ce6a440a15b44c134
SHA1
9f2971e91b569bba3ef67043b46c276883c298b1
SHA256
6536b6a0546834f396d405a44b696cb8752baa7e8f5c656aa1f74ea21c3be251
SHA512
e558c25c2788d95b409a27bb1f203f62fdf9d42e5f504da0d39b17e5a80a8ca2f3555f63b3752110d32455259fc40f0ed4c6b4491b36291131afbe5a4aafd9e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
ff7435b59b87ccccdff9e97e1523ae3b
SHA1
7cc59c3fee4ac707ed6f76bcb43b5ff7b3340e18
SHA256
bcc637207e79f8cf6321a1a7c42a2c914291d094de3984e3af94494b91c8952d
SHA512
e8a317a500fd762e2bf410cb528fc625d0425c38426e449f4058ed532f408a74a813bbe8105f6dd5988cc30c3fa7d19cc2afcdaafcc37649a9c03a6751e7e24b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
446d7b4e133a15cd2d588e121737f8eb
SHA1
ee00c17871ee000e6e64339ac326566c1ba69039
SHA256
67b15b33bcdd6cd96ab71206e5276ce34e8812013f79690f896824fba6592a3f
SHA512
437c171162c091e311f120fd1f62499aa94754a69661b6ed3022ca0d20b90cc027cd6b214360917f46cc2c60fdf6ab007ae34f0400fdcb777b489e107c9a0522
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
47f1071780038821d55d5bda14f50e93
SHA1
052c5a534c1d4ee8a017b4a5f9a7d7ff78790ec3
SHA256
786a698714927bd7eb67646be4cf96ed40c3b716fc808de480905bab65cb4301
SHA512
5b8e7a50d72f3369c775f2e79e978de8699c2f965b681e2b752fc47f9be6a0bf4e1f1889e3495dc2d454fb674eac0d0782346ee5881e298a91de5f6cecada922
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
1c9445430086106b75890e79e4d7ada1
SHA1
9be38032c63a477b5fce4915617bf46ad1f3a649
SHA256
632edf3eddd30d68e1c252888372f6a04cbfbbd1132161ed5c08be69424131b8
SHA512
d698ec11f932e64a9288e9a5fe10c145683ace76c8fdda2340c10be2217e82a1f966c00702f513126c08d71027f4e64cbc6b5e0dbae335039e05d32d3f2052b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
f4f955698e7399246c8cc8fae064ac99
SHA1
1d2ca53f5e69990db5400e535aff28eea03aeee1
SHA256
7abd31e252a02b742eeac00151aa8fecf17805324d86783bf2800f27386c5d35
SHA512
a2782c6a9f15f6327240f544948349a7e6316926eb624a8d4f7f3d3e25c4842b61d62f1f7876da585cf515d9ad45acfddda85631cd1dccfccc1ce51a394c5a22
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
e1d9bfbe23c530b2cd8807ba05eb48b6
SHA1
bb8e0edb1aed22c1fd92dbb2c664f1eb1ad9e8e9
SHA256
8ad3287775cfe2bcf0fa65e3255d3e10b627e58aa5b91cf465299cd2c44724fb
SHA512
52825efdcbf8b038189348a42b63574cf3d7545273284b32120eccbde7a31aa3187012b597f27960ceca5ccfe600dc5e115a6f7af94eb1527bb7a43ccf5d4491
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
d8b4d7ff5665c143282d9d9dc6321015
SHA1
0385f9768540b953e2952cb86a0b36804d89a26b
SHA256
8ce38c02cd8a416461c5fc2df41bd1a5cb23a2bfa9f97f94cf9a0bf8f106d6d1
SHA512
ee5b47f24667c841d3ff7936119386600dd37248f024376b3b0f32f2700d5c4e1d1a40655cc0c27e76a4dcd93b2ca5cdc16bf09b9456c471291dd4c627063798
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
e17109ddaa85cc2e9b02a0c06362ba19
SHA1
921b89a98ef70de0d51b91179ebc1723041aab34
SHA256
17ee9978f7eb7688dde9c5513636d3e3c5b04fdaa3e02e6664b0add30e4fc7fb
SHA512
d3cdc651cf842d11c02ba9c46be3afcaf8f95f8b9633f377401172fa7f725478ca6eb71d0115a80ec11a3fa68d781abc390ab548a9d1725c281e9b907f09f4ac
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
360KB
MD5
9213073f63c1542315acdad27c0b8b78
SHA1
77b5765cd37ccfb7608611291d66e68b7d68e2dc
SHA256
1356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad
SHA512
9ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735
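The hash records above are the part of this report that feeds directly into detection, and on the extracted page they arrive with each label fused to its value. The Python below is an added example, not part of the sandbox report or its tooling: it parses that record layout (both the fused form and the label-then-value form), rejects digests of the wrong length, indexes every record by all four algorithms so a file can be looked up by whichever hash an analyst has, computes all four digests of a local file in one pass, and drops the CryptnetUrlCache entries before emitting a block-list. Those entries are Windows' CryptoAPI certificate revocation and chain cache, written by whatever process last performed a chain check, so they are not attacker-authored artefacts and belong in a hash block-list no more than any other OS cache file. The embedded sample is three records copied from this page; the function names are my own.

```python
"""Parse sandbox dropped-file hash records into a lookup table and check
files against it.  Added example, not code from the sandbox or the report."""
import hashlib
import re
from typing import Dict, List, Optional

LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a record may open with a Windows path
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ALGOS = ("md5", "sha1", "sha256", "sha512")

# Constructed input: three records copied from the report, in both the fused
# layout ("Filesize342B") and the two-line layout ("Filesize" / "70KB").
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5afc09aaac29dffc8a80210e5a79a2797
SHA1d62ddb478a7dd14a01d2816fe5be5df45c5c1dbe
SHA25679bdffd07105deff1a958f37e479bcd38ee5fbbc3b2f0a002b2fc43f80670c3f
SHA51289c9d0194d83a3aa842005279c2b858233b71b008d306cdd3bd922c2e88ed34056adbb896ab22862bfd4f4f3112615c36e37be6d2a94dc83681a36fba961d3d8
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
360KB
MD59213073f63c1542315acdad27c0b8b78
SHA177b5765cd37ccfb7608611291d66e68b7d68e2dc
SHA2561356acd718a156e106163e91fa87a415e4f6855606d2712d8408d65190a95dad
SHA5129ae5d76345825b0cd012d4ce8189a1b6864b3d76be93ae7fad22eb28387097346213d7763a989098ae2dd5a921afd3ab8ef72cc308d4d9bfc8e7e7efa3a92735
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """One dict per record: optional 'path', 'size' (as printed, so rounded
    sizes such as 360KB are never used for matching) and lower-case digests.
    Records are separated by a lone '-' line.  A digest of the wrong length
    raises instead of being stored, so a truncated hash cannot become an IOC."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line == "-":
            if current:
                records.append(current)
            current = {}
            continue
        if PATH_RE.match(line):
            current["path"] = line
            continue
        m = LABEL_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line: {line!r}")
        label, value = m.group(1), m.group(2).strip()
        if not value and i < len(lines):       # two-line layout: value follows
            value, i = lines[i], i + 1
        if label == "Filesize":
            current["size"] = value
            continue
        value = value.lower()
        if len(value) != DIGEST_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
            raise ValueError(f"bad {label} digest in record {len(records)}: {value!r}")
        current[label.lower()] = value
    if current:
        records.append(current)
    return records


def digest_bytes(data: bytes) -> Dict[str, str]:
    """All four digests of an in-memory blob, keyed like the records."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path: str) -> Dict[str, str]:
    """Same, streaming a file once through all four hash objects."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def build_index(records: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map every digest value to its record so a lookup works by any algorithm."""
    return {rec[a]: rec for rec in records for a in ALGOS if a in rec}


def match(index: Dict[str, Dict[str, str]], digests: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the record a file's digests hit, or None.  Every algorithm present
    on both sides must agree; one hit with another algorithm disagreeing is a
    transcription error (or a collision), not a match, and is raised."""
    hits = [index[v] for v in digests.values() if v in index]
    if not hits:
        return None
    rec = hits[0]
    for algo, value in digests.items():
        if algo in rec and rec[algo] != value:
            raise ValueError(f"{algo} disagrees with the indexed record")
    return rec


def is_cert_cache_noise(rec: Dict[str, str]) -> bool:
    """CryptnetUrlCache files are the OS certificate revocation/chain cache."""
    return "\\CryptnetUrlCache\\" in rec.get("path", "")


def ioc_hashes(records: List[Dict[str, str]], algo: str = "sha256") -> List[str]:
    """Deduplicated block-list for one algorithm, with cache noise removed."""
    return sorted({r[algo] for r in records if algo in r and not is_cert_cache_noise(r)})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(f"{len(recs)} records, {len(ioc_hashes(recs))} sha256 IOCs after dropping cert-cache noise")
    for rec in recs:
        print(rec.get("path", "<no path>"), rec["size"], rec["sha256"])
```

`match` deliberately requires agreement across every algorithm supplied rather than accepting a single-algorithm hit, because hand-copied report hashes are the usual source of silent mismatches; a disagreement is surfaced as an error rather than returned as a match. Point `digest_file` at a suspect binary and pass the result to `match` against the index built from the full report to confirm whether it is the submitted sample or one of the files it dropped.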