Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 27/10/2024, 22:40
Static task
static1
Behavioral task
behavioral1
Sample
764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
- Target: 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
- Size: 317KB
- MD5: 764dde3f1fd9259e60c40b148db70637
- SHA1: 0594e04536101063361d903e7db109a6dfaef85f
- SHA256: 403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a
- SHA512: cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a
- SSDEEP: 6144:J6tiiYyUYE+I6TdpIg+aLUvPOfE2sg4qJLfG7zWBMvKvGB77Z:J60iYyo+JT/+f282sGtw/77Z
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_wgjny.txt
http://nasdki39dawk.oj998fh4txkjh.com/257D37F36DFFE8
http://awoeinf832as.wo49i277rnw.com/257D37F36DFFE8
https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8
http://zpr5huq4bgmutfnf.onion/257D37F36DFFE8
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_wgjny.html
https://zpr5huq4bgmutfnf.onion.to/257D37F36DFFE8
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (374) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2476 cmd.exe -
Drops startup file 4 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_wgjny.txt vcwgel.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_wgjny.html vcwgel.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_wgjny.txt vcwgel.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_wgjny.html vcwgel.exe
-
Executes dropped EXE 1 IoCs
pid Process 856 vcwgel.exe -
Loads dropped DLL 1 IoCs
pid Process 2332 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwgel.exe" vcwgel.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C" vcwgel.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ipinfo.io -
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcwgel.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2728 vssadmin.exe 2796 vssadmin.exe -
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 vcwgel.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1748 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 856 vcwgel.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process
Token: SeDebugPrivilege 2332 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
Token: SeDebugPrivilege 856 vcwgel.exe
Token: SeBackupPrivilege 2616 vssvc.exe
Token: SeRestorePrivilege 2616 vssvc.exe
Token: SeAuditPrivilege 2616 vssvc.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 880 iexplore.exe 1104 DllHost.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 880 iexplore.exe 880 iexplore.exe 1600 IEXPLORE.EXE 1600 IEXPLORE.EXE 1104 DllHost.exe 1104 DllHost.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target
PID 2332 wrote to memory of 856 2332 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe 31
PID 2332 wrote to memory of 2476 2332 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe 32
PID 856 wrote to memory of 2728 856 vcwgel.exe 34
PID 856 wrote to memory of 1748 856 vcwgel.exe 40
PID 856 wrote to memory of 880 856 vcwgel.exe 41
PID 880 wrote to memory of 1600 880 iexplore.exe 43
PID 856 wrote to memory of 2796 856 vcwgel.exe 44
PID 856 wrote to memory of 2416 856 vcwgel.exe 47
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcwgel.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" vcwgel.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
  C:\Users\Admin\AppData\Roaming\vcwgel.exe
  C:\Users\Admin\AppData\Roaming\vcwgel.exe
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:856
    C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    - Interacts with shadow copies
    PID:2728
    C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1748
    C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:880
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:1600
    C:\Windows\System32\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
    - Interacts with shadow copies
    PID:2796
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwgel.exe >> NUL
    - System Location Discovery: System Language Discovery
    PID:2416
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\764DDE~1.EXE >> NUL
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2476
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2616
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1104
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Defense Evasion
  Direct Volume Access: 1
  Indicator Removal: 3
    File Deletion: 3
  Modify Registry: 4
  Subvert Trust Controls: 1
    Install Root Certificate: 1
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 1
    Credentials In Files: 1
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b9a32d585b25ede72fa465701aa5508e
SHA1959581e79262a60604c9f5b47c6f2ab5cff46d59
SHA25634319fa018d872cbcc2d02cf44f55f50bb60cd679ee8d96deb4ad76e530c4e80
SHA512a46cdfce4b13c52685e28077a3bee729ca740b2ac4078447a94a8b39a94bfa428720940745a05fbc99e7510d3a1a8f23c7b4228fc899e86cc33a3954091e8c75
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56201ff5378953383e5c92e688ea9b688
SHA17dabc651b858a275142bb34d32bd6cc0406b8ee9
SHA256e0e85452f745cbb925f35c3c2863642c08940a79dad41f2bb73d923044949667
SHA5122415ab528945f31252148d5305c14d217e731201a0d04dc841658bf99e71169513b010eda501779d77f0e5030460dd1fadd5cce9670622e7f8bb5c1a593be77d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57cdb242026a768495ac0e251bf00ddc6
SHA155c197f07a971999ebad6a836715a50d5732ef3a
SHA256cd92c83afb17f8acf42328300651b9c929a090bed7fb1c5ce05df96c91645ccc
SHA512c38886c515822e6ac20d70039a1519428e41ca45d78233b5a04ee242d6cff92fb05da73aaf6bcd4910f23a55666908a809cf54f064c8065702f3221c12c5434e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58d36736a8b3c5b888903509a59e653d4
SHA16aad1c109ef53e83e54f7e44201c0a802a1f8d63
SHA256aa818e6d9608a2fd2abbf3d74a0eadefda695f08d58b635844d5d6798b1fc21b
SHA5126169c8d7d589c0ef7e975b0bc0f8e6eb69c73972942fb12657f22a44a7c036cac9ae64dcf4e0c893e8f4980b97ddd070b9f4d9bf1457d464de3d5c19b1cb9fce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a367a5e6eb1a1addfc91a6b923383433
SHA12c08c59cab903f2817c531a89f55a83075e31b71
SHA256714f64b7afccc810f00b4a0e8eb951d766ef57fb3398a3614ef991369e7b2b60
SHA512f7c7c6ca6831c1c1965b5199afa4569e7ffa6d5e36109d282fbcdc5e8722583b431eac09198e2bfd70a6f660afe26460351d3aee54e601ff58a970c93363ce48
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD584808b849a9a51a8197757203dc8db9d
SHA1bc213de09f039d2fee1cfa1b1767b705a707477f
SHA2567cd42cf3b9a15ca9432a60ccb7ced6271eb3b3dc7565df085f8421c5ebd32725
SHA512c1a25412c5de7a6d08ac9d4bff9dc1609633f00820b7629ade61ee92c1124d84d6d00de13b96d40816567de08d7391231e7391038e4ffa70ddc8921a032c8ab4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5511fe68b19fd29aab0bedaddf620d645
SHA16d588a0c7fbb718f2260a58174c3276b7c12990a
SHA256ac66c6dd2f33eb0da3221c1d8727ba2b668f83125ee59f804a021d6111ecc5f3
SHA512200090ad054736bec2dc69776196836ea90b13bae2b8d0d8f865761a7599e1b3129bcbbf50c7546027197616b612118f9eb0908d34ec16f5103301e68dde6e86
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2.3MB
MD5a787aaa6b67e4b5f9ee3d74af06d4d63
SHA13e4fe77c59ef60cc3a7abce20017bbe4cb3cff11
SHA256a9804ac914b54558a1ffb386b5197d5040569c9713311f4bc95558cf120aecf0
SHA512830850a677cec710df2dc32a1156d0e8491c62a5744df915f6e110b0ebea00387dc0f2afcb60479552fa2ac0bac3c9880412f3d6955f77cc789c5bcb560c6e21
-
Filesize
317KB
MD5764dde3f1fd9259e60c40b148db70637
SHA10594e04536101063361d903e7db109a6dfaef85f
SHA256403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a
SHA512cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a