Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 06/10/2024, 09:52
Static task: static1
Behavioral task: behavioral1
- Sample: 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
- Size: 338KB
- MD5: 179a81e1174983c3e0daa57cb85d745d
- SHA1: 656b2b7cb178f2cef1ada8dc2197587e680740af
- SHA256: 332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58
- SHA512: 2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59
- SSDEEP: 6144:X44EAEGxYSNuwZN+P0GUcjfmlqLErpeKmDXmBSs0AKUEURq7X13SvPHg:X42pYSJ+Pq8+lh/mDXy0AKUHEz1Cvvg
Malware Config
Extracted
- Path: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lotja.txt
- http://kwe2342fsd.rt546sdf234re.com/A26515C3C4BCFD93
- http://awoeinf832as.wo49i277rnw.com/A26515C3C4BCFD93
- https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93
- http://wls3uapur3zjm5gm.onion/A26515C3C4BCFD93
Extracted
- Path: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_lotja.html
- https://wls3uapur3zjm5gm.onion.to/A26515C3C4BCFD93
Signatures
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (387) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes itself 1 IoCs
pid Process
- 2688 cmd.exe
Drops startup file 4 IoCs
description ioc Process
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_lotja.txt vcwmid.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_lotja.html vcwmid.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_lotja.txt vcwmid.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_lotja.html vcwmid.exe
Executes dropped EXE 1 IoCs
pid Process
- 2652 vcwmid.exe
Loads dropped DLL 1 IoCs
pid Process
- 2080 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C" vcwmid.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C:\\Users\\Admin\\AppData\\Roaming\\vcwmid.exe" vcwmid.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
- 2 ipinfo.io
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcwmid.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
- 2740 vssadmin.exe
- 2084 vssadmin.exe
Modifies Internet Explorer settings
All entries are written by the iexplore.exe instances that the process tree shows opening C:\Users\Admin\Desktop\RESTORE_FILES.HTML; they reflect the browser's own start-up state rather than writes by the ransomware binary itself.
description ioc Process (<IE> stands for \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer)
- Key created <IE>\GPU iexplore.exe
- Set value (data) <IE>\TabbedBrowsing\NewTabPage\LastProcessed = 70191e9dd517db01 iexplore.exe
- Set value (str) <IE>\Main\WindowsSearch\Version = "WS not running" iexplore.exe
- Set value (int) <IE>\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
- Key created <IE>\Main\WindowsSearch IEXPLORE.EXE
- Set value (int) <IE>\SearchScopes\DownloadRetries = "2" iexplore.exe
- Key created <IE>\Main iexplore.exe
- Key created <IE>\IntelliForms iexplore.exe
- Key created <IE>\LowRegistry\DOMStorage iexplore.exe
- Key created <IE>\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
- Key created <IE>\TabbedBrowsing iexplore.exe
- Set value (data) <IE>\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in the report extract) iexplore.exe
- Key created <IE>\PageSetup iexplore.exe
- Key created <IE>\Toolbar\WebBrowser iexplore.exe
- Set value (str) <IE>\Main\FullScreen = "no" iexplore.exe
- Set value (data) <IE>\TabbedBrowsing\NewTabPage\DecayDateQueue = (binary blob, omitted) iexplore.exe
- Key created <IE>\Zoom iexplore.exe
- Set value (int) <IE>\Recovery\AdminActive\{C8A69181-83C8-11EF-9BF6-6AE4CEDF004B} = "0" iexplore.exe
- Set value (int) <IE>\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
- Set value (data) <IE>\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
- Key created <IE>\TabbedBrowsing\NewTabPage iexplore.exe
- Key created <IE>\LowRegistry iexplore.exe
- Key created <IE>\Toolbar iexplore.exe
- Set value (int) <IE>\Main\CompatibilityFlags = "0" iexplore.exe
- Key created <IE>\Recovery\AdminActive iexplore.exe
- Key created <IE>\Main\WindowsSearch iexplore.exe
- Key created <IE>\SearchScopes iexplore.exe
- Set value (int) <IE>\DomainSuggestion\NextUpdateDate = "434370253" iexplore.exe
- Key created <IE>\BrowserEmulation\LowMic iexplore.exe
- Key created <IE>\Main IEXPLORE.EXE
- Key created <IE>\Recovery\PendingRecovery iexplore.exe
- Set value (str) <IE>\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
- Key created <IE>\IETld\LowMic iexplore.exe
- Key created <IE>\InternetRegistry iexplore.exe
- Set value (int) <IE>\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
- Key created <IE>\DomainSuggestion iexplore.exe
Modifies system certificate store
description ioc Process
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 vcwmid.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (DER-encoded X.509 certificate blob, omitted here; the subject strings visible in its hex decode to "Internet Security Research Group" and "ISRG Root X1") vcwmid.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
- 2300 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
- 2652 vcwmid.exe (identical entry repeated 64 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
- Token: SeSecurityPrivilege 2080 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe (identical entry repeated 64 times)
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
- 1632 iexplore.exe
- 2516 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
- 1632 iexplore.exe (2 entries)
- 2328 IEXPLORE.EXE (2 entries)
- 2516 DllHost.exe (2 entries)
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target (each entry appears 4 times in the raw list)
- PID 2080 wrote to memory of 2652 (2080 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe, procid_target 30)
- PID 2080 wrote to memory of 2688 (2080 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe, procid_target 31)
- PID 2652 wrote to memory of 2740 (2652 vcwmid.exe, procid_target 33)
- PID 2652 wrote to memory of 2300 (2652 vcwmid.exe, procid_target 39)
- PID 2652 wrote to memory of 1632 (2652 vcwmid.exe, procid_target 40)
- PID 1632 wrote to memory of 2328 (1632 iexplore.exe, procid_target 42)
- PID 2652 wrote to memory of 2084 (2652 vcwmid.exe, procid_target 43)
- PID 2652 wrote to memory of 2440 (2652 vcwmid.exe, procid_target 46)
System policy modification 1 TTPs 2 IoCs
description ioc Process
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcwmid.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" vcwmid.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe (PID 2080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\vcwmid.exe (PID 2652)
    Command line: C:\Users\Admin\AppData\Roaming\vcwmid.exe
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\System32\vssadmin.exe (PID 2740)
      Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2300)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
      Signatures: System Location Discovery: System Language Discovery; Opens file in notepad (likely ransom note)
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 1632)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2328)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
        Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - C:\Windows\System32\vssadmin.exe (PID 2084)
      Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe (PID 2440)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwmid.exe >> NUL
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2688)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\179A81~1.EXE >> NUL
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2724)
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\SysWOW64\DllHost.exe (PID 2516)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique and sub-technique, with the number of matching signatures in parentheses)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (4)
  Subvert Trust Controls (1)
    Install Root Certificate (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
(dropped or downloaded files recorded during the run; entries without a path were reported without one)

- Filesize 4KB
  MD5 852d7d4451cfdc5286a2a93946e77858
  SHA1 db217aa1c7314fff02558b456c4657f8fe2529f2
  SHA256 ecb048544abe6fca12acd5ac0e85ea62c90c3554a782dbbf2635fb556f2b2143
  SHA512 05fd1aecd09340fdd093b9a6f744844ccc074a9c182741bd063fde81d210f5f0a26bf5eb76d9a50ad200989eaf0962343e1de4e7083838725d2f29ec0e193e30

- Filesize 2KB
  MD5 b5fdf2d579d45f12248d4a8fdcf2a86e
  SHA1 72c901eb8fa27c1e0d8f7ed4344ea74203bead9e
  SHA256 5ad2df968aa1dd0dd7fb56c2e43c70d45beaa143045a5e61591cb9bfb1c923ed
  SHA512 7a58db682938e1971358defcc80882ebd0e1fde115f718ab3b02dcc83906ce76805f2f88ef20473855f6ae781a87a6b534405d26ec47a4f7709a086543142051

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 d170394c5aa7be6304e7c6bc39849c02
  SHA1 7c6fe3fe15d4fbf99179841706e29519a82f4f95
  SHA256 5c0b80d2e83a41e39a8e094a5187e9dcbce46f157410504a4fd0ac8b0792031b
  SHA512 e0ffa7c3ab95d53f036d7af2611ad79d7e05c470e99098e9b630a6c148f5d461c6a00e37df690d43ac58b4ed2b3d0c4e0916992cc2fcec8bd6124ee7035dc820

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 cddd25cc9c4a1221f1d51b9b3742819d
  SHA1 4a0199deb90e2aaf3c9243289699e0266df7f80e
  SHA256 194e5ed77bcf0c0312a8736936b2ead194fb014d3427ba2c8a6eb470ae65a91b
  SHA512 aed3efaee5a4824ab31844a3a5f12c9a2fb89b8daa46bd7121fdcd6235f18c6647d1e8cd83dc8499bc2d9062994139202787063384558040359f2dcffe3e2a91

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 c751c3701b44449323663b89f0e8455b
  SHA1 d4d91e507cea5aa5256117e83822c83b944f0509
  SHA256 1d05b5e36977b8d4d1aeec4fef0c067cf3e2e1be6ca24cd66f3366e33510a0c5
  SHA512 eac5799a4f7f2e698fe8159408aeb6b7ad31a6a7e5543f96cc8bcc1bd36e03c253c5d3a74f6f6ac2f1049022670eb0628cdd307086eb70db094c7abdfe7382c9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 e48af88b0965e3314895bb4dbfe44b92
  SHA1 df734ba140afc64bb2e720e035fe97052fc534b0
  SHA256 104c6ed27d9c661cabab98a928916451cbbdfdcfaaee15f49cd2ead457ea9e7e
  SHA512 f1ea5e37120b1fbe1e4cc2d033473304c0ab628dd75d59528d9e6ccd5b78d718f98715484dee3bf5cdfe3c801ff970f009549fee01df52618c2e9e92e70965ea

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 da8c9b96c7965401b1bddf3333226c4f
  SHA1 6d405f1fc978623231318857747f035d0895d34c
  SHA256 665aa9b7a9a7c964b5d5852ff01fc8d56d7bf444ceab6679d948b298c5264b86
  SHA512 5a888cef96e52414eb169084ecaa0d54d14f57799411dbaa8770a78b170fe23ca5bca33784f1284669077ef10cc3b50532b84c9f456665ec49af6a32195f5ebf

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 1cddcc1608e648d947efacbc115caaef
  SHA1 87431bce0a3d7b7b592d8d705e9ffc42d1a4ec2a
  SHA256 cb605dce95a5da619c69490d798dfaeeaa01303f81ae772b74777a2b2c4ab3a9
  SHA512 1496e9e9347ae0794f19c3a9e2285cf7e9fa83c5681ced1763f6fbacf94a90a37c47d11744ea6909de4ed3d80a00718e580b4a74357b8b69cf8630c12d9de150

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 46edbad0f561b0053dbcd148458aec46
  SHA1 76cd81fc19300b8a1c8e9eb4d12a4a9123b61601
  SHA256 e87ced27f29c8e793c6e1ce3745c3b442479267df1beb0212b8eeff1fe51436c
  SHA512 96621ade5654d873d828fb543497e232e7c9cc79a7f0033ab3950c62042ec7ac2aa6e11a35b3c715155dbf6fe7c6a3b5e1ae2dcd97b019ae3ccddad0d16e36e5

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 3f07cca52929ff762bc95b2e82899296
  SHA1 e43f9eb804b6d31f2b85cef4d2ea87d83003bdc1
  SHA256 300b6ccd4eee50f435a728a3d8cf0845ed6f694446c55f9fc5b4c5d4bd9c915b
  SHA512 3acdfa212fedde12686800abdcb45a6224d4d9e33cefdf90b44d7da1f412a4206ffec422fb23167db9f79df977f43a463a9b715b056c52aebf5298a5b9718d69

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 157ab78d0f1fc22b24a2024bba8a15d2
  SHA1 634dd7aa99ffa8fc4330f252ca4eecc62fe62f9b
  SHA256 f1a25d65353808f81b72635d1eb7e0be48a16d145f905fdfc42bc3a39578c0d0
  SHA512 7af7e9b3433c0023e106029de02c456df496b1cc6a1041a8490c0086d285225bf3160aa28223a0a7510d38f5ab5f68236f0ea234750a311a07035cba5ab5584c

- Filesize 70KB
  MD5 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1 1723be06719828dda65ad804298d0431f6aff976
  SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize 181KB
  MD5 4ea6026cf93ec6338144661bf1202cd1
  SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize 2.3MB
  MD5 fca3287478e487981e201c3984386d8e
  SHA1 c75954a0ac279a7a752e4bea41b35739793ee561
  SHA256 6c839b4f1ceb90834cd6d1272568693b0d61c619942897c6104ed5ac4fceebb1
  SHA512 f709e8a57b24c7550431fc4fbff8d01c085576680d16334644ff625cd73b3719f4f54481d9061b6a0e62ab9e5a6c2a8ef7eadfba6a9f43cd755bb19dc0717cb8

- Filesize 338KB
  MD5 179a81e1174983c3e0daa57cb85d745d
  SHA1 656b2b7cb178f2cef1ada8dc2197587e680740af
  SHA256 332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58
  SHA512 2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59