Analysis
max time kernel: 121s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 20-10-2024 02:12
Static task: static1
Behavioral task: behavioral1
  Sample: 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
Size: 326KB
MD5: 5fddd166f5b5931b2ab328cfd40e420a
SHA1: fa92f4074a2ee7166b9dc9081707ba7a4e8956c4
SHA256: 4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910
SHA512: 57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c
SSDEEP: 6144:kt8UOo3u1PmgxfxNJpXSDV76nu9Ni/n5s5ojFHf9BW:kt8Po3utmgxf3JRSDJ6u6SWlo
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_xcafi.txt
http://nasdki39dawk.oj998fh4txkjh.com/60B995ED1F28B6F0
http://awoeinf832as.wo49i277rnw.com/60B995ED1F28B6F0
https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0
http://zpr5huq4bgmutfnf.onion/60B995ED1F28B6F0
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_xcafi.html
https://zpr5huq4bgmutfnf.onion.to/60B995ED1F28B6F0
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (420) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process
2300 cmd.exe
-
Drops startup file 4 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_xcafi.html vcwtij.exe
-
Executes dropped EXE 1 IoCs
pid Process
1824 vcwtij.exe
-
Loads dropped DLL 1 IoCs
pid Process
2168 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwtij.exe" vcwtij.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C" vcwtij.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
3 ipinfo.io
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg vcwtij.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png vcwtij.exe
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es_MX\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Java\jre7\lib\deploy\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js vcwtij.exe
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png vcwtij.exe
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Java\jre7\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Windows Media Player\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Microsoft Games\FreeCell\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Microsoft Games\Purble Place\fr-FR\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\DVD Maker\en-US\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\DVD Maker\es-ES\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\FormatCheckpoint.crw vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png vcwtij.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\restore_files_xcafi.html vcwtij.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Windows Media Player\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Windows NT\Accessories\es-ES\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png vcwtij.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\restore_files_xcafi.txt vcwtij.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png vcwtij.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png vcwtij.exe
File opened for modification C:\Program Files\Microsoft Games\Hearts\it-IT\restore_files_xcafi.txt vcwtij.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcwtij.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
2148 vssadmin.exe
2312 vssadmin.exe
-
Modifies Internet Explorer settings
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435552233" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000084617ecb5d42d0b40cec5cb4e7ca044edff6b9c1c972762821b801788893d42000000000e80000000020000200000008adc981669b72ac6d452a9ad03394c6cc4490d251c43b475722fb706c8e556ba20000000a834c30168bdca3b18624025159cf74a85c9e3266a25efd908a4dc700cd3c0f0400000005a8c0028a5b545fee514443ea1e35e82fbde88e8ebe362a842d399e537848e3e3bfd93c360dbb4e360111c352f98dbe481a808b3fc0026d1c9701a906189f74d iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0adc49f9522db01 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000003cf1269d69c8a3f5323ac8452158ac7883db15d647769b491b5c797037943116000000000e8000000002000020000000ca5fa440bab37e127f112ba79fcb12b58a3cf3d4ca1d2929b8db394d56ffd4e8900000004f231dee1dd952faee1250eb0b0fcfa39660117fcb4e16f27ad5b25dcc22e6624a584eb56c3c5ba00685984bb60e2bd088932a627c9ff28ebcddf0e894c5055057adac4d0e813b4fb913111ceba470ef22c077bafc95ce63db751bd39ca80e2d1f78cfcfdcce7fb9fc3cff8e81f2a3e0311fdf0d3b38d4a9d3d1d780bcf8778771bf36b6ceb217291231e0ea9086a6f540000000589a8932ba7f4923fdc64bc385a69f8ce3e984dae196741f2c6874807fa111a9ac964e793c8da5b28a069f8f380e10fed96c35736e22d779cb619ee8f9aec4e1 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CB486331-8E88-11EF-A6BD-E67A421F41DB} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
-
Modifies system certificate store
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 vcwtij.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value omitted] vcwtij.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
1588 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1824 vcwtij.exe (this row is repeated 64 times, once per IoC)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process
Token: SeDebugPrivilege 2168 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
Token: SeDebugPrivilege 1824 vcwtij.exe
Token: SeBackupPrivilege 2720 vssvc.exe
Token: SeRestorePrivilege 2720 vssvc.exe
Token: SeAuditPrivilege 2720 vssvc.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1004 iexplore.exe
2336 DllHost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1004 iexplore.exe
1004 iexplore.exe
2336 DllHost.exe
2336 DllHost.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target
PID 2168 wrote to memory of 1824 2168 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe 30 (4 identical entries)
PID 2168 wrote to memory of 2300 2168 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe 31 (4 identical entries)
PID 1824 wrote to memory of 2148 1824 vcwtij.exe 33 (4 identical entries)
PID 1824 wrote to memory of 1588 1824 vcwtij.exe 39 (4 identical entries)
PID 1824 wrote to memory of 1004 1824 vcwtij.exe 40 (4 identical entries)
PID 1004 wrote to memory of 1728 1004 iexplore.exe 42 (4 identical entries)
PID 1824 wrote to memory of 2312 1824 vcwtij.exe 43 (4 identical entries)
PID 1824 wrote to memory of 2832 1824 vcwtij.exe 47 (4 identical entries)
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcwtij.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" vcwtij.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"
  PID: 2168
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\vcwtij.exe
      Command line: C:\Users\Admin\AppData\Roaming\vcwtij.exe
      PID: 1824
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          PID: 2148
          - Interacts with shadow copies
        C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
          PID: 1588
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
          PID: 1004
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
              PID: 1728
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
        C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          PID: 2312
          - Interacts with shadow copies
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwtij.exe >> NUL
          PID: 2832
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5FDDD1~1.EXE >> NUL
      PID: 2300
      - Deletes itself
      - System Location Discovery: System Language Discovery
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2720
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2336
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (4)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize: 4KB
MD5: dfc1f99caeda9f1caed116c2cc0c0a6b
SHA1: 3b20f1f199d99e56f3e2368a7db540f9a82d66a8
SHA256: e7780198231855b5c208850b68b1d60076e3fd8fda2526546c1bfdc9c27544d5
SHA512: b7bd69667448355bab83d7857e8bccef90fb257cf81fbe3ba57c33125745349537b15da3f3e2319329fcb83d3eca312bc0960446900475874eb8eb3e72fb0ce2
-
Filesize: 2KB
MD5: daedfb359adbb7a56d7f476e83305399
SHA1: 9a66b26bc81ef21590a7db9aae18c31dbddc70b4
SHA256: 2c5a0fe75edbb387fad51dc0735af49a25013870e0febeb2a57d05b4fdfcae5e
SHA512: a4279552e7596c465304d60851ce250408778cd8df1c0e150b7a2bc3ffa288e7b7bbf0d97cbd7abed5b07392631d3d0f3ab90357bea7aea7d309712b3946ca64
-
Filesize: 914B
MD5: e4a68ac854ac5242460afd72481b2a44
SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize: 252B
MD5: 4cbe7c052971d018aaa583cc7065a6a3
SHA1: 34d8bd86314b0bb4aaf46ac3592c836dd9a323a7
SHA256: a978d768a88cfbcab1549286b23223673c1391f7965a3444553dec561ba20f96
SHA512: 069615a6927279256ca200c48283dbd0e7e942f79da1f38ea99a56ed5a92baa20f3210742f45f598278db4a5a5dd191a04fb7a27acead7d343f00972beebc72e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8624a484206006183aa06e5de9f29bf8
SHA1: 21d0b56ba396f345ab6079a2cfaed37cc92453bf
SHA256: cd5af388df20d81efc2f3b2408ff28347290e022debdc5fea9b119d896aa7361
SHA512: a33c41a65b9dd3d11e65ef374329b28e2484dc6633cfeb541273fd629d5b74a9edcc626a73e49489e8f1b75a39e870a8a8c8d4ed2729328d8506d643c460882d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a77de13b4c8e16d3ec7f81e5f5f9a988
SHA1: 3d7ccc370a47bf6911276eb466df39510740b19c
SHA256: dc2717c2aa3ea7dae0545cc485586869b48b73b92cdb5c173ad2121a85f7801c
SHA512: 26bda65a745fd95404ba145416687474ef2c72c480289100afba13a6ff6ca3baf091859e2c39dde88107e94081ef9fdde20605469cb9c60686d4c01e2ec29553
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a8107179bd45b46fef5ff89583f7640e
SHA1: 1ab6eebca3e72ae33efdfcfc915ed400102c9cd2
SHA256: 3c59a424c91a5ecce77d22365c3c2f80e05d3bde519c127f160e509b8510b24f
SHA512: 56564b8ebc343dd3c79adce6bd01c40319081ba82bb14e552ca56627bb6c9197add6a7224a34c6d005304b916f31dfd9eea020b4d29e377f3489b682d6050373
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3d3b70913d4f0c06245f6ff2fad9a45d
SHA1: f69026057cce773f147709f7ea08459a6bf7479f
SHA256: 2d52ccef2877e5207bef8747861c45581e4e1f1dca909f212dd9b54c4bb3404c
SHA512: 7fd546e35824dbe6f008dfa0a98d3fbdb44f28e5b56751d83430cf58690b369b1882312f607ef6933fa83e7ed24816cc39d8881480e651c63bd2b2a052e8d0e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 423ba3d7188b7e45b73db8aa9598087f
SHA1: 4868a3e33a5ea296b9b101ba829de390eeb121d3
SHA256: 2eb6daa94224fcea30bf4607678e260edde219db74c62bac807586a356f14dc6
SHA512: 1282b4a1db7ac08a7e884fc02915e6cbb02f37e72bea6088f5078898dd26535bfc2ed82a3468f9240cf80ea56e6b76d07194a11de31b8a23575cfa65f2d1d357
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4400e9092d10cfafc68195f0db73c398
SHA1: bbd39dbf69462abe43f7d68b34c94914b3444a6d
SHA256: f52db401574e91cfd93fb0ae2c23063bf5c4ed756c06fd015a3ae8e1126f2592
SHA512: f34a8980f452374c537bb9d1f5496fa302f6cf737162d1be169604157164e3f5daa4758ec9aee427c09cb631d85e223aeb88975b8eb507b00a3840c03db167bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e5fe829b76d39bb70c7bca573790f52a
SHA1: 3b347e79b1b15ba560191b0b3923e11bb6eb3e7b
SHA256: 72f03ecdb474e7c40ccde5e95bc339484a7e9cf3168bc34997d38a4ce4f2d886
SHA512: 884be5a08b8280798f3194794269407e6be4592d9b148bdc772142a5133df6d95da973adce5d6d3c3e29d02ad4c0d852e87b40385152bd7639ec745328f4d64c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b74168ec93132896e3705b206bcc0b00
SHA1: edca686bc7c19fa3fbde5c10dd0a4af0a554a0a3
SHA256: 5ebd696c59cd86ed775830c4b3226a9732a64bb07dee85021399fdd4564701d2
SHA512: 0a0f21d9e1f4c9ba817601e177a2d010792a4a481a4df50adc78b8ce566500257271b55e7b92780a4b2a3c3186ea82a66060c7684b1167a5f2b973ba99b863a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fa642a92ac80704afe123f935c357551
SHA1: e042de8c4bb533c116e9de704ab94a79bb26e8f2
SHA256: 8c5c1b9eede70fff653431b81d0eb41d55b760eab12400a38fa8ad054d3a9fa1
SHA512: 35696ec74b61ab4bc1ce36e2213ffce1382d88581c91b5966abf9432d60f5d2173ab468f4f80a7d9dd9791f366f54ae509057479b37b3978ad50240ecb1a0c17
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f28482fc857d07fc81d5f86cc78f507e
SHA1: f78cf3c7dbf8a0b1e896f6930bb53b0b2a9b2d33
SHA256: 10de88dab129d024bb364f882a5c87e8be4105b0794551aedfdb80c1b6db4063
SHA512: 3da0e0d6de00fbfa3ccc7ef4bee430637a39e6e62a8cebf7863fc202a154117ef0604a69abe55821b131cd939e11af24a5cfa13afc17f25c6502715e537c624a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e69011b70e7fcfdaa5e63fd9a74197b8
SHA1: 0c9a1be230244d3c5a435646ccaf4554e7d1e07d
SHA256: 337a80989da6508d7766b072c30fb883c396c130ea0e82a0722016d8d81fbf1c
SHA512: 71185e76f52643253c1aec939a488a6c6b9870eefc232dadc114148395ff658320f9136d2059464cd0cde9a2206f24837b0d789e47c4c0f78e453f2683d89b09
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f73fdc65607f5ffe0093b404013b607d
SHA1: cb567032545ae3de466f681da86604b4fa0f067c
SHA256: 46ad4a1c5cc477be05b7495a09d9eb92e905c9fd88fb4fe43ed56b3cfc98a5f7
SHA512: fc6a276c8c56cd821dec845600293e403ab8f2d35fc4b1445553f249cfb583beb4c9f08acf7d4fd1c3e024df35871b68f1af5e081c96c09d975800859934428a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9074e302b6fbe941c0d3c8cd089b4439
SHA1: 5cfe47de4f804b8adc272ca40ca2a9b305e51ecc
SHA256: f9f6c30234ef7c01e072909c6b1041fba477806fedccdf205e2415f7d4ce6092
SHA512: 3fa398fef18a18c7b7dbd53de01cece0ab8ff8c04bf5e9aab2369f1fde4c673822b051b9ea685ff07de05f7d8c0e343fc3952603c4e7435b64c2087c5f047f65
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6712c299c84481174451f1a7293fa0ea
SHA1: 0cf944a03774bb74410c252f04c397c9d34996c7
SHA256: 8508b3a8046d77b9bdf38a668ae0230ca7201a85bfb890dc962da187fa1f9570
SHA512: 64a31944c72d9c81b9c1a44c49c66089d5172c605b623cea621108cf6554ae3fbe8e8ddc2279156e97b304d261b6f2d0a62a3033a0f2dbaf1924f8aee226c3b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f3a0c73962909e9e353e8967850b75af
SHA1: 13f765c818c7ef670e8c88e22b4d660ec19e2f9f
SHA256: 71cd31172037209ba79738e141fc72e44b2247f80a470ae9336dd6ccc4f30428
SHA512: aa29b06703c7f393c3994152b9de6f91ce556ad5ac13591c3f42def92da35951b33a519702eb1b7ba470bcfdd10def353c4eb69931e48176de9827d4941531cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: bf65e5f27e0c8de177d6a140c477cad3
SHA1: e9e876d5398d9be83a4aa92902f912e834ad5e6f
SHA256: ebac88ec42fa42b92355a616036db55d4541deaeab8733c8713067607181190c
SHA512: 6e24a87376bcb9579b680c3c1e4c8cc7b987b103ef886d35c76c0cfc28e212504071f615e3771bbcd58f14a462dfb31cdb4bec8370718067e112ddad841b11b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 63d698c6ed3ada0fb04bdecc16b27810
SHA1: 199f28eaf1a90967486a68a72d442a475d31813b
SHA256: 5d6295f1e3d0b8fe61a8b8bd7d50ad890a0e6b54d0869702a387f0ee7fa82c2a
SHA512: dddfa233b78eb553afdf776cf018c1b1670a6b0531f360781817aa84f14e50e50e0edc9b12d90201ec7228ef67cb2cbc310cfe7a163d83ead258b0cd77a847c7
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 2.3MB
MD5: 83f953ede5aa47a9e3dcff1a69b55179
SHA1: d6ca8a94b5da3e5550d4d450019f06184bfc1a07
SHA256: 714a8c262f2fc43ed8b56ebc0f107deedf3e86019815ae3774c09d5756f3f972
SHA512: d77110cb2fb958e36555e5ff2742a786f3c77a8b71833e58c5255a574f1cb21b6945be1dcb4257fb7aa8f01f1a38c8dfd93857065f057e2a0c062a470a918f0a
-
Filesize: 326KB
MD5: 5fddd166f5b5931b2ab328cfd40e420a
SHA1: fa92f4074a2ee7166b9dc9081707ba7a4e8956c4
SHA256: 4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910
SHA512: 57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c