Analysis
max time kernel: 118s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/12/2024, 13:35
Static task: static1
Behavioral task: behavioral1
  Sample: d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
Size: 428KB
MD5: d74daee515bd5a77f299151a568cb57a
SHA1: 68555ccb11104b0bb9243ba3f5f464de8bb701e6
SHA256: 1d8ce53b219771b49d743424498747af3f4201f194dd1020247bb4a492156fb0
SHA512: 62dc4d6d0d2831bf55247e6c87cd6b6a5c2798dd1aaea072140146598b9f07921b5f53af2a4c93d5430e54002456a1abc57a00acb2f57339ed827a790febb646
SSDEEP: 12288:oYV6HO69joWO8UD8KHCeAJlkMAUhX+cblCJxfS6:oYh8UD8cCEtUhXvOR1
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+nsxec.txt
Family: teslacrypt
URLs (all carry the same victim identifier, D99C2BFB1793EE7, in the path):
  http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/D99C2BFB1793EE7
  http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/D99C2BFB1793EE7
  http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/D99C2BFB1793EE7
  http://xlowfznrg4wf7dli.ONION/D99C2BFB1793EE7
Signatures
TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
Teslacrypt family
Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Renames multiple (427) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
Deletes itself (1 IoC)
  pid 2736  cmd.exe
Drops startup file (6 IoCs)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
Executes dropped EXE (1 IoC)
  pid 2780  xcqongnqnjdy.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\qgwusavkpukw = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\xcqongnqnjdy.exe\""  xcqongnqnjdy.exe
Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Program Files directory (64 IoCs)
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Common Files\System\ado\fr-FR\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Google\Chrome\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Journal\de-DE\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Microsoft Games\Chess\de-DE\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\mn\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Full.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ja\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows NT\TableTextService\de-DE\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\gl\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\meta\art\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Microsoft Games\Minesweeper\es-ES\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ru\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\sq\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\fi\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\codec\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\DVD Maker\en-US\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Microsoft Games\Mahjong\ja-JP\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseover.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ko\_RECoVERY_+nsxec.txt  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\_RECoVERY_+nsxec.png  xcqongnqnjdy.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_RECoVERY_+nsxec.html  xcqongnqnjdy.exe
Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\xcqongnqnjdy.exe  d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  File opened for modification  C:\Windows\xcqongnqnjdy.exe  d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xcqongnqnjdy.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NOTEPAD.EXE
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Modifies Internet Explorer settings
  (The signature heading is missing from the extracted report; the name is the one the process tree gives for iexplore.exe / IEXPLORE.EXE, which were launched to display the ransom note RECOVERY.HTM.)
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  IEXPLORE.EXE
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ced8397649db01  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439826843"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{652F4161-B569-11EF-8F2E-E67A421F41DB} = "0"  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001faf457c5197ef48ace716a86bcaf1d70000000002000000000010660000000100002000000047d8c5ea7015146431b60be146bd9e5e4739aa45943857ec6e873e92d1b22c1b000000000e8000000002000020000000f11c792993039bf4ef6b7056228d88631445f365d5b08be1675909c34c8cf8ec900000002e819361b3b81b6b784f1a0744b1ed06f388c4e60f77173c39d63d21e7f3f8baaa3881149f5ba87047e345d90411ceece3976ca99dd505b195e69b89d5c7ef239244b73615ac4bed031740b57033a26d19e9187df01eaea4edb4232d168d122c3f054525612b7ad65ac96a2e7f9d6d18fbfbeb9135e06cfb93ed2db3e5475ff8724ff2d62b655e0de8258523b4f6152640000000033530ca7a7f8476cbddb2c8db60951fe648437d3d032dd913c6d05c9c9bb23969a71a1ffd24585c2e8b9e2eae5165395859664db15a7e287ed75c7f92d7a655  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001faf457c5197ef48ace716a86bcaf1d700000000020000000000106600000001000020000000e495e6b217083381b3367a25cf43034b755198c6d4da0e106523aaf332aeac3c000000000e8000000002000020000000dd5c8738a195865d3baf37a666b0f3e105ca273a68b8b50fa6b539cd78da3e65200000004e91ff752ff758be2a647d67e5de2c5196da0dec70537fc5774653bd25b25117400000003c84ea74a2eab6ef80ec74588a6f470f3fd635b0f3bb5fff1cd2cf8839210e6ceb286891b836d96dc4b7c6efceca42112ca3efdcdfbe637361ccc6f74f9ea0ef  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Opens file in notepad (likely ransom note) (1 IoC)
  pid 2000  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2780  xcqongnqnjdy.exe  (all 64 entries are this one process)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  2656  d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe
  Token: SeDebugPrivilege  2780  xcqongnqnjdy.exe
  2740 WMIC.exe, the following sequence twice over: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  1492 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2168 WMIC.exe: the same sequence as 2740, from SeIncreaseQuotaPrivilege through SeManageVolumePrivilege, 33, 34 (the list stops at the 64-entry limit)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2588  iexplore.exe
  pid 2156  DllHost.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 2588  iexplore.exe  (2 entries)
  pid 2844  IEXPLORE.EXE  (2 entries)
  pid 2156  DllHost.exe  (2 entries)
Suspicious use of WriteProcessMemory (32 IoCs)
  Each parent/child pair below is recorded four times; procid_target is the report's own index for the child.
  PID 2656 d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe wrote to memory of 2780  (procid_target 30)
  PID 2656 d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe wrote to memory of 2736  (procid_target 31)
  PID 2780 xcqongnqnjdy.exe wrote to memory of 2740  (procid_target 33)
  PID 2780 xcqongnqnjdy.exe wrote to memory of 2000  (procid_target 40)
  PID 2780 xcqongnqnjdy.exe wrote to memory of 2588  (procid_target 41)
  PID 2588 iexplore.exe wrote to memory of 2844  (procid_target 43)
  PID 2780 xcqongnqnjdy.exe wrote to memory of 2168  (procid_target 44)
  PID 2780 xcqongnqnjdy.exe wrote to memory of 204  (procid_target 46)
System policy modification (1 TTPs, 2 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  xcqongnqnjdy.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  xcqongnqnjdy.exe
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe  (PID 2656)
    command line: "C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\xcqongnqnjdy.exe  (PID 2780)
      command line: C:\Windows\xcqongnqnjdy.exe
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\System32\wbem\WMIC.exe  (PID 2740)
        command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\NOTEPAD.EXE  (PID 2000)
        command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        - System Location Discovery: System Language Discovery
        - Opens file in notepad (likely ransom note)
    [3] C:\Program Files\Internet Explorer\iexplore.exe  (PID 2588)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2844)
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\System32\wbem\WMIC.exe  (PID 2168)
        command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 204)
        command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XCQONG~1.EXE
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe  (PID 2736)
      command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D74DAE~1.EXE
      - Deletes itself
      - System Location Discovery: System Language Discovery
[1] C:\Windows\system32\vssvc.exe  (PID 1492)
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\DllHost.exe  (PID 2156)
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
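The behaviours this report records are the ones a detection engineer would key on: shadow-copy deletion through WMIC, the self-delete through cmd.exe /c DEL addressed by an 8.3 short name (D74DAE~1.EXE for the sample, XCQONG~1.EXE for the dropped copy), a Run value that relaunches the dropped copy via cmd.exe /c start, the EnableLinkedConnections policy change, and the _RECoVERY_+nsxec.{txt,html,png} note set written into directory after directory. The Python below is an added example written for this page, not code from the Triage report or from any vendor. It runs those checks over a small event list constructed from this report's process tree and IoCs; the Sysmon-style event shape (type, pid, ppid, image, cmdline, target, value) is this example's own assumption, while the paths, PIDs, command lines and registry values are the ones shown above.

```python
"""Detection checks for the behaviours in this report. Added example, not code from
the Triage report or any vendor; the events are constructed here in a Sysmon-like
shape from the command lines, paths and registry values shown in the report."""
import ntpath
import re
from collections import defaultdict

# Recovery-inhibiting commands (ATT&CK T1490): binary plus the destructive verb.
SHADOW_DELETE = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
]
# Ransom note names seen in this report: _RECo VERY_+<5 chars>.{txt,html,png}
NOTE_NAME = re.compile(r"^_RECoVERY_\+([a-z0-9]{5})\.(txt|html|png)$", re.I)
CMD_DEL = re.compile(r"\bcmd(?:\.exe)?\b.*?\s/c\s+del\s+\"?([^\"\s]+)", re.I)
RUN_LAUNCHER = re.compile(r'cmd\.exe\s+/c\s+start\s+""\s+"([^"]+)"', re.I)
SHORT_NAME = re.compile(r"^([^~.]{1,6})~\d+(\.[^.]*)?$")  # 8.3 form: D74DAE~1.EXE

def is_shadow_copy_deletion(cmdline):
    return any(p.search(cmdline) for p in SHADOW_DELETE)

def same_file(short, long):
    """True if `short` names `long`; accepts an 8.3 short name (first six stem
    characters with spaces and dots removed, then ~N and the extension)."""
    (s_dir, s_base), (l_dir, l_base) = ntpath.split(short), ntpath.split(long)
    if s_dir.lower() != l_dir.lower():
        return False
    if s_base.lower() == l_base.lower():
        return True
    m, (stem, ext) = SHORT_NAME.match(s_base), ntpath.splitext(l_base)
    return bool(m) and m.group(1).lower() == stem.replace(" ", "").replace(".", "")[:6].lower() \
        and (m.group(2) or "").lower() == ext[:4].lower()

def is_self_delete(image, parent_image, cmdline):
    """cmd.exe spawned by a process to DEL that process's own executable."""
    m = CMD_DEL.search(cmdline)
    return ntpath.basename(image).lower() == "cmd.exe" and bool(m) \
        and same_file(m.group(1), parent_image)

def run_key_launcher(target, value):
    """Run value that starts an exe through cmd.exe /c start; returns the exe."""
    m = RUN_LAUNCHER.search(value)
    return m.group(1) if m and "\\currentversion\\run\\" in target.lower() else None

def is_linked_connections(target, value):
    """EnableLinkedConnections=1 lets elevated processes see the user's mapped
    drives, which puts network shares within reach of the encryptor."""
    return target.lower().endswith("\\policies\\system\\enablelinkedconnections") \
        and str(value).strip('"') == "1"

def ransom_note_drops(file_paths, min_dirs=3):
    """{suffix: directory count} for note suffixes written into >= min_dirs dirs."""
    dirs = defaultdict(set)
    for path in file_paths:
        d, base = ntpath.split(path)
        m = NOTE_NAME.match(base)
        if m:
            dirs[m.group(1).lower()].add(d.lower())
    return {s: len(ds) for s, ds in dirs.items() if len(ds) >= min_dirs}

def analyze(events):
    """Run every check over the event list; return (finding, detail) pairs."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    out = []
    for e in events:
        if e["type"] == "process":
            if is_shadow_copy_deletion(e["cmdline"]):
                out.append(("shadow_copy_delete", e["pid"]))
            parent = by_pid.get(e["ppid"])
            if parent and is_self_delete(e["image"], parent["image"], e["cmdline"]):
                out.append(("self_delete", e["ppid"]))
        elif e["type"] == "registry":
            exe = run_key_launcher(e["target"], e["value"])
            if exe:
                out.append(("run_key_launcher", exe))
            if is_linked_connections(e["target"], e["value"]):
                out.append(("enable_linked_connections", e["pid"]))
    notes = ransom_note_drops(e["target"] for e in events if e["type"] == "file")
    out.extend(("ransom_notes", f"{s}:{n}") for s, n in notes.items())
    return out

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d74daee515bd5a77f299151a568cb57a_JaffaCakes118.exe"
DROPPED, CMD, WMIC = r"C:\Windows\xcqongnqnjdy.exe", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe"
EVENTS = [  # constructed from the report's process tree and IoCs; field names are assumed
    {"type": "process", "pid": 2656, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2780, "ppid": 2656, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 2740, "ppid": 2780, "image": WMIC, "cmdline": f'"{WMIC}" shadowcopy delete /nointeractive'},
    {"type": "process", "pid": 2736, "ppid": 2656, "image": CMD,
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D74DAE~1.EXE'},
    {"type": "process", "pid": 204, "ppid": 2780, "image": CMD, "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XCQONG~1.EXE'},
    {"type": "registry", "pid": 2780, "value": f'C:\\Windows\\system32\\cmd.exe /c start "" "{DROPPED}"',
     "target": r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\qgwusavkpukw"},
    {"type": "registry", "pid": 2780, "value": "1",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"},
] + [{"type": "file", "pid": 2780, "target": d + r"\_RECoVERY_+nsxec." + ext}
     for d in (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
               r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP", r"C:\Program Files\Google\Chrome")
     for ext in ("txt", "html", "png")]
```

Two points the report does not spell out. The cmd.exe under PID 204 deletes the dropped copy in C:\Windows exactly as PID 2736 deletes the original sample, so the self-delete check fires for both parents even though the report labels only PID 2736 "Deletes itself". And the long privilege list under AdjustPrivilegeToken is identical for both WMIC.exe invocations, which is WMIC's own start-up behaviour rather than anything the sample asked for; the check therefore keys on the shadowcopy delete command line (and the appearance of vssvc.exe in the tree), not on the token changes.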
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize: 11KB
MD5: a640c7d1803a71b4f2b28564450d8b7b
SHA1: 793047e8ef9770b29facf322f2895fa08a0c10ae
SHA256: bac8d3daecf554a836cad763e8f7eddb4a89f909741f3b88e50117ffa38a0acd
SHA512: e19abda6b1e4672963631885d4c4a0c9be8e9de372ede58fe2deb752ad21b446ef7c7bfec4fb9d316f835327ded7394b6b4b6ecfc37db3ca02442d8fa85cf28d
-
Filesize: 64KB
MD5: 648a094b7716b1efc97a701c84978d04
SHA1: a32cfd401e5c9172ee52bae6283e111cd1413d30
SHA256: 41c5e8abc975724ef1fd179fe0d353fa45f2f837c2da43ae491e86d625c5890f
SHA512: b7e70561479141d985ee5e26525114ab1354b1eafc6189cb464a2475739fab5ab97d0076a6aab609859b4927df632d4f13296660ca62fcc83c74e2b5ef0d6280
-
Filesize: 1KB
MD5: 922b2f65f114965e57e94308b63bfb86
SHA1: df37d85fe764bce70230247afe5e9c87dc002cac
SHA256: ba00088a2d3a79d492c3c16485727e08800d0edd46dae3e66cc8ed529028103b
SHA512: 5b8cbc381976835836855612ab07ad35bec2aaa7415fed2a4704857fcd54df1ea6cfd4309020b4c57d434907f0d0ebef6dd05b075cb6e01a8adeb743b1644a50
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize: 11KB
MD5: 3603c09b79c160405b26c6fdfb292ec9
SHA1: f20629765006e24b36d23c604dcc96b657882cac
SHA256: e73eab24f47fc9a5a4844ad15f9c7d1c5fa59fc4c6189f7bcb26945dcac32b74
SHA512: 0221efec92cf8c36c7dc5dda3cb33feae600a5f077269499388790822076cfda316c5213a991282947560b9dcff055ab3fc1136e22b5dd6af662a96988f17cf3
-
Filesize: 109KB
MD5: f80ddafedefdde3c9af729e98a9ea761
SHA1: 47d73a400e4899093c269afde8770bbc0ad1e005
SHA256: c37d97c1ddb2eec20ef3c9cb9fedfeedab930c74407298f67c7172f3f6ea87d1
SHA512: b4f20f3f1eb61219d2a2dd98309da0d8d9eacfba027df31a40314d0b8977077b81d5abb099b8368c027b13a8d557c1cd13ea5ba736a5cb4d854eb9b1770864d5
-
Filesize: 173KB
MD5: ebd901a178ad1084e940fc5da5b423b1
SHA1: ecf39d36998fe312fd1ec8ae05562ea1e2e32d5c
SHA256: 570114d56534a7cd2e9ded90d5de09c91e898c0a66fd27a580af8d99a4ef79df
SHA512: b6a06101fe98d6b8a956f2468d28f0803a622e09e0c34030bbba3307179ddc7efadc8747f0eb26c29ac5f1d2cc6f12efa7d68517501df92a9a0835c777cb2341
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3224cf99eb83c523c8d981911108e9f5
SHA1: 3050b0d2e7bd8f6f317d21044f2f6620e757a7c5
SHA256: 49e6f1b18f923b26e2c80cb16f74bc54ca819aadb5b175e3344a2dae83a05e12
SHA512: bb7ec3d7625ef76f1080587a7439da01175f9ec2f0e3d752ce2dfcab78ab0687f246d99c3010e6754b338d0a72946efe5e5f68d84717704ee800ecb2da3061b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8ebc4430812e547b0e22f9b5e619d718
SHA1: b0259c380dc2b22d35a8b923da37edb3d2289601
SHA256: 8b23439e244ac1cea8c7381fb8d251a323dd25dbf1ba9636e5e609af3f317599
SHA512: 952b5acafe2246c27c7272db40bdf15b1b0033ccc43a00033d9de787864c3d428a36aa5408244809273dd13be34eb077322b870be08a8d4d4c30094e7556c77a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c0e16e254a4be31a0b6d9ebfb352e44f
SHA1: b5fc1452a7842b65fda153341246d2da60185f1e
SHA256: 4262bb583da636bc7866b347953aacea6fa6d996f443f86eaf914242203d151c
SHA512: 9cea0bac9f26e5ee30b463bfb41106cfcb6dcba7110188dca5ff290d3960b2205643abdd05eadece89d51c83d794fb099187f172facb2b5f6dbc79f2ae6867e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f869ff157398d56b8bf3780237c398a5
SHA1: 624424eb98efb246b3baef97566bc7e8a46e74f8
SHA256: c407dfc474caed7b0142024b793c6200be14ba614109c65c68e4403dd3760451
SHA512: 0fc0e2a179bf6d30c7be795619494c887cd10574c8866f49e6000ce960531a396c7bdca72243ef7468082ac6ec9c30b6cca5ff16e9dc410594e31b6ab6a056e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a823da03609a8e508c4fb3ef0f4c5bcf
SHA1: 6c31364329d7f288c7b6f3c4b658255fae4c2b2b
SHA256: 25a7ab73bfa38d000ece908775506767ebab7c129ce68db58bef7acd23d38d57
SHA512: 9fde69ca49b0d4ea72362886cf52b1a0fbfe9e7754eff542539956c2518fee8d37223e4f38bc7a196e9fb655146ff02bcac07ec7ae685166c100a7d401558f53
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 67657a157925ae63fa6c55d47755390b
SHA1: 4ad3d36e2d25f0f414f9ffa601321a732a29b808
SHA256: 0f16b7000d74020661e52e48327250f50995f85275a3e0bed10934928c974931
SHA512: a22845139f4ea912a2725edd44bf4dc61f6d62e80f58b903fe01c55acfe6101640d6e16cddd849befa8e15b7fa3383b0d20c884e05cc0b8189aa9d86bc2c5eef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ee05ce4bdf6435e8f794a6fa35280ccd
SHA1: 28bf9fcad424ef78dae775e6321b53ed235dea20
SHA256: cd6ac317034adb8d4492220beff2427770f665c4cac6447b59b7a3110c06915e
SHA5121ce2eb705c6857f5a9ec818969729a6af754a0ff1469f654df42298c205576719be6cd53bf3701446bde8d07b9ea8db99ca03d9a261833c3eaf6c2ee1f59a1be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5cb0e3a0c3119f440a16a653ce01c60e2
SHA10088fee630a4998d9ce3a64fbcb5398eeac68ea2
SHA256ebfd35cd3a20c9302b91a26f1bb4a0cdcead1a734d04dc9949c9b5bf51c0e3ae
SHA5127ac8014bf82c5615ebe60124bd70ab354898403ef5ea96b1dc2e1ba874a8254c078b228a77b6aa3287ccff6312a2c5f3fe53a89584e73a6bcd06e45f44bf366b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ff33e1afe5d9d29a8e215dff1d1fb142
SHA1be82e3a76b470770fae816107257fbe84ac64cc8
SHA256c34022a8dd32d4ca219118dd968ba66babde19e498a7bf05cb8e56f1aa96ba50
SHA51298cc4a3f7b8552704e02cfa156f97569704ebe2955163b6a3e9e9a5813187d72e44ca16772714d0ba0a4035a55c2a67b573edae66ce9c5e219aa97aebe46bc1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD584d95e3a2414891c60450eaa9db8f0cf
SHA139e05f73aa1bd34cf94c22052b619f7e24785d26
SHA2565f1cb61dd777db137c9acae41dea2b4e82478c65ed999c3f27cbc9c2e132a72f
SHA51213486686b63717daba85c3d51cec9ccaa174f51270194b0ce0aad075308db2abe70af7bf47e3c9037695022d7436df56ba2f367724566f7fa7c520c21d3cf175
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52d1ace550f6d0480aab733533801b1dd
SHA108c3208b4c3bffd014cf5117d4794f7ebc21b0ea
SHA256be97e15ab1adcd4055cf14cd907a41a96a9c3689004fc5789152c1d5db2b73c5
SHA512997d7e1c3a208584e5d9344a6b7ab065f896996ad716f11ff3c1d372c6eb60cc6f473e220dec7bfbfdfe853b9a1f16399c2e0a763cb4ef53b06ad4634a4b45b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b4cd1cf335defcae96b290d3b8aa88f5
SHA1e9207747f59eb04ec2ac35862e854fffd85d8767
SHA2566065c57f46d2557944839ca34df8047c04cdb3bd98fb4e46044c65f8322ff5a7
SHA51207e1bf792cbc12f1f3e7ee5076b963475401756e9bc73cbf5bbb09cce415de1820378e1f4d5de4eec37863e36175abc050c754d9b66352dd7590da31ab84b66b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e6e11699d3c20c743dbdade4c6eb45e4
SHA1dd55ab6cd85ec602f8dccfac9c16c5c4849696d1
SHA256a6b525a5441af8b8438ea19835ccc829f50c079dfcfd99856e3a6469c1aaeb85
SHA5128efa357233d5f0d6b1570deb5d3b7c5f04bbc8d7eaa28992ebf220f487195b24c83497f04cb3bc350ba6ea977ccfde33532f80ea2270cd74cb90bd14f292bebf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d89792e2d4127dc5b15b75b9f0522757
SHA131391f8a22340c460e68a2ce7cc90c36819048af
SHA25631863e4c5f2382f87258fc4cdd65b1811bc8c692300a6679b909900280c90111
SHA512e261dcff6fe86a79565bf4dd72620392b64274ac955d9026ce0587ccb37d35e48f9de3ec386795b0157f7de53c55f115d4c585fd42e65c986959df7adce68620
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD551647dde48a89b984586d587f9266a5b
SHA1b43136f49ff9bf7cb510895c51a02f0803be79aa
SHA2568964d3c2d28fd343048b3048143180a91d8007d296d664323dc4b2b37e1306b7
SHA512d9f223f139dfc1435c1c18e3da8cc86a2363c342219c90c6aa6555230ca04bb501d6ce1d44a4828c3b2f48df8e9627f027587c1bfa219bbfbbcc5849f39d5c29
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b04f293028a1b59b247c49ad68b6be3e
SHA17c4d2e30e988702a0096e2b27aa576c746c64239
SHA256e6c3cbb7800e3b6e9d48b5b91ff9ac432c6d87b62de9ea49f7e3eabf790f757b
SHA5120eede8656279f2573f3eebee93cf6e8b0ac426eda7530f3d81e10df40b1736d42b16aa1ac3b2da38778d11ad989fa742233943519b38f7074f7c908b6a3f8b2f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b32e40d53096440cb57a67b3400eb9d1
SHA1bbb1b893555bdd70a8802a899afd11313a42727b
SHA2565b25f52f3fcaa945205186bd2ad7323fca4e558857ee06e8dea87cdfe554613c
SHA512752a84f1d84aa2200c182ec1bebb86caa189b42380d3d987575078174b9db6874152e823938c3a353e1901a14aed0b9f1a973590ee0b00f6faffdce720f96d76
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
428KB
MD5d74daee515bd5a77f299151a568cb57a
SHA168555ccb11104b0bb9243ba3f5f464de8bb701e6
SHA2561d8ce53b219771b49d743424498747af3f4201f194dd1020247bb4a492156fb0
SHA51262dc4d6d0d2831bf55247e6c87cd6b6a5c2798dd1aaea072140146598b9f07921b5f53af2a4c93d5430e54002456a1abc57a00acb2f57339ed827a790febb646