Analysis
- max time kernel: 129s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2024, 05:29
Static task: static1
Behavioral task: behavioral1
- Sample: c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe
- Size: 336KB
- MD5: c61f29c47fcfa462ea273b231d8d5ec1
- SHA1: 72c9f9428992c9f19a4a18afa2244b8637b11d47
- SHA256: 8a1a7fe83079ac76476b2c67ccd80cfe8dec0807fcd4336a9f5ad9a380a07fcd
- SHA512: 12e97acfc3791ebad0e6befd594de27c1cf30824d4cabe80dd605618f5c32df0c826a0fbb177b7226474ed9c4fd41065c3b6d443fb250a9b371986684d402357
- SSDEEP: 6144:g1w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:gi0Uu6ikyjcuk5y0hXaxpKkB
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ftafs.txt
- Family: teslacrypt
- C2:
  - http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EE7C04285F9DB
  - http://tes543berda73i48fsdfsd.keratadze.at/EE7C04285F9DB
  - http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EE7C04285F9DB
  - http://xlowfznrg4wf7dli.ONION/EE7C04285F9DB
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Teslacrypt family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (430) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  - PID 2580 cmd.exe
- Drops startup file (6 IoCs)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ftafs.png (mbgqpcmmuonw.exe)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ftafs.txt (mbgqpcmmuonw.exe)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+ftafs.html (mbgqpcmmuonw.exe)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ftafs.png (mbgqpcmmuonw.exe)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ftafs.txt (mbgqpcmmuonw.exe)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+ftafs.html (mbgqpcmmuonw.exe)
- Executes dropped EXE (2 IoCs)
  - PID 2604 mbgqpcmmuonw.exe
  - PID 2356 mbgqpcmmuonw.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gjqqirsonwiq = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\mbgqpcmmuonw.exe\"" (mbgqpcmmuonw.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 2212 set thread context of 2684 (c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe, procid_target 30)
  - PID 2604 set thread context of 2356 (mbgqpcmmuonw.exe, procid_target 34)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs)
  - File created C:\Windows\mbgqpcmmuonw.exe (c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe)
  - File opened for modification C:\Windows\mbgqpcmmuonw.exe (c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NOTEPAD.EXE)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mbgqpcmmuonw.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mbgqpcmmuonw.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DllHost.exe)
- Modifies Internet Explorer settings
- Opens file in notepad (likely ransom note) (1 IoC)
  - PID 216 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 324 iexplore.exe
  - PID 1676 DllHost.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 324 iexplore.exe
  - PID 324 iexplore.exe
  - PID 2224 IEXPLORE.EXE
  - PID 2224 IEXPLORE.EXE
  - PID 1676 DllHost.exe
  - PID 1676 DllHost.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
- System policy modification (1 TTP, 2 IoCs)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (mbgqpcmmuonw.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (mbgqpcmmuonw.exe)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe (PID 2212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe (PID 2684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\mbgqpcmmuonw.exe (PID 2604)
      Command line: C:\Windows\mbgqpcmmuonw.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\mbgqpcmmuonw.exe (PID 2356)
        Command line: C:\Windows\mbgqpcmmuonw.exe
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        - C:\Windows\System32\wbem\WMIC.exe (PID 2608)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 216)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
        - C:\Program Files\Internet Explorer\iexplore.exe (PID 324)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2224)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:324 CREDAT:275457 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        - C:\Windows\System32\wbem\WMIC.exe (PID 2452)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\cmd.exe (PID 2800)
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MBGQPC~1.EXE
          - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2580)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C61F29~1.EXE
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 536)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe (PID 1676)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ffa816ae19744aaf8846d0aa5d10f020
SHA10b7fa3f7110a85dfa86ce3cec31a3ccef895623e
SHA2560695318cd0a9b595d1b01cbcb4819d05105279bf7928ec175d305432aa91524b
SHA512af1a30c90b21e05127ad2d19d7c87f7c26a4382d96bd34a16f9586dc5268ead21c8bbd99724c1f6526832ff079e0b2deef3951829ab5e5c3703205060be5533c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD587ef8f1ae1c1d02e1e70b9073d65edac
SHA17d8ef26aca471094de7792e7432d1411401ddf7a
SHA256c645c4fd59e5a07c673776744fe4f5fa0ceeb7ba31ca231e1321f099b49ba70a
SHA512fc41a350fea74d239c2c0ecba01390b6c2ecd6b9732927e755ab2807833054eb276f8c1100a1e0a34ae1cd8c848f606592c6f77d54ee3ed5f6ce5be8b333f981
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ce524096bc92fe72a12d8f42793fa247
SHA160e6fc3511de168dfdc3521999f3273475198e47
SHA256b0674ce7562d0a3bc9cd9a41ca314b1762e21e19fb2d79c66424e5e84ee5dcb5
SHA512355556ce32247a3d76b9a5732f40127dc15120c888b9b275fc46bbc22959dced3c0d44eb23830d6908cd3d27db44236165a9256bbd374fb1232819aea1165dee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56fd26184d56440cd425b633bed3094fc
SHA1f5612ae751fac03c74510758a04073c9baca442d
SHA25667faa6756c31c58cc0edf1247c4e183593cd14a08585d0eebc4e44ae4c04fad9
SHA5125263d4012492478cfcfaba8c23f0fff1513d76b76c1483b4f406f5e71d9874efd19ddd9de2da542b4db5bb2a6b8d487604b279da4bb64ac41d7b83163242b87a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50936805f1c970e63a25250eaae9ff0e6
SHA1a1514bbb09a3ca6e61b94a885d5a23773ed90247
SHA2566128154d53c774975c0ef641bc22e3276e75477f0ccfe8e7c67563eb272b5d4e
SHA5121303983690995046d92172a2115bcff6083fb02ecab7572733c4b0cc5e11e137fbb271ee95523feab4860ff4222a5f652ab126f75d3dfb6d8f690d76ce83646e
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
336KB
MD5c61f29c47fcfa462ea273b231d8d5ec1
SHA172c9f9428992c9f19a4a18afa2244b8637b11d47
SHA2568a1a7fe83079ac76476b2c67ccd80cfe8dec0807fcd4336a9f5ad9a380a07fcd
SHA51212e97acfc3791ebad0e6befd594de27c1cf30824d4cabe80dd605618f5c32df0c826a0fbb177b7226474ed9c4fd41065c3b6d443fb250a9b371986684d402357