Analysis
max time kernel: 146s
max time network: 126s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 10:36

Static task: static1

Behavioral task: behavioral1
Sample: bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Resource: win10v2004-20240508-en

General
Target: bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Size: 713KB
MD5: bb7b70fcd01eb0903c7ecf2a8a50cbea
SHA1: 22694b981fe9c6c9bedd6045299b55e564ebf8e8
SHA256: dacddfaece889da8a311107c5923313c6682acce5c718b5ae49550a1e15b24d0
SHA512: 64ac24534d043b01dafad22f79af7649443c5dcd809fadeeac7faa08c04b1e73f33230e9f8d2824dfd90bedb30222c61f8490b7ee307ac753b146978a799c54e
SSDEEP: 12288:8d8z9JklKqDlVGzfLPQU4dFC19BqR0o8lPFaV0pJVAyp5tAiRmKz:8Wpgc7yFC19Bs+tpJV5RmK

Malware Config
Extracted: djvu
http://cjto.top/nddddhsspen6/get.php
extension: .kolz
offline_id: hZcC4PEfaqDNIXxy0ProMPOAk3JS3K1JoUqoq0t1
payload_url:
http://cjto.top/files/penelop/updatewin1.exe
http://cjto.top/files/penelop/updatewin2.exe
http://cjto.top/files/penelop/updatewin.exe
http://cjto.top/files/penelop/3.exe
http://cjto.top/files/penelop/4.exe
http://cjto.top/files/penelop/5.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-18R6r7GGG8 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0252Ijrfg

Signatures

Detected Djvu ransomware 10 IoCs
Processes:
resource    yara_rule
behavioral1/memory/1712-2-0x00000000028D0000-0x00000000029EA000-memory.dmp    family_djvu
behavioral1/memory/1712-3-0x0000000000400000-0x0000000000537000-memory.dmp    family_djvu
behavioral1/memory/1712-43-0x0000000000400000-0x0000000000537000-memory.dmp    family_djvu
behavioral1/memory/1712-41-0x0000000000400000-0x0000000002830000-memory.dmp    family_djvu
behavioral1/memory/1712-42-0x00000000028D0000-0x00000000029EA000-memory.dmp    family_djvu
behavioral1/memory/2628-62-0x0000000000400000-0x0000000002830000-memory.dmp    family_djvu
behavioral1/memory/2628-64-0x0000000000400000-0x0000000002830000-memory.dmp    family_djvu
behavioral1/memory/2628-66-0x0000000000400000-0x0000000002830000-memory.dmp    family_djvu
behavioral1/memory/1488-87-0x0000000000400000-0x0000000002830000-memory.dmp    family_djvu
behavioral1/memory/2628-414-0x0000000000400000-0x0000000002830000-memory.dmp    family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Renames multiple (160) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE 1 IoCs
Processes:
pid    process
1488    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

Modifies file permissions 1 TTPs 1 IoCs

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5e6add8d-0364-4d8a-be8e-16c128433f71\\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe\" --AutoStart"
process: bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow    ioc
22    api.2ip.ua
3    api.2ip.ua
4    api.2ip.ua
16    api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Processes:
description    ioc    process
Key created    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Key created    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid    process
1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
2628    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
2628    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
1488    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
1488    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
2628    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description    pid    process    target process
PID 1712 wrote to memory of 2596    1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    icacls.exe
PID 1712 wrote to memory of 2596    1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    icacls.exe
PID 1712 wrote to memory of 2596    1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    icacls.exe
PID 1712 wrote to memory of 2596    1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    icacls.exe
PID 1712 wrote to memory of 2628    1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1712 wrote to memory of 2628    1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1712 wrote to memory of 2628    1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1712 wrote to memory of 2628    1712    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1212 wrote to memory of 1488    1212    taskeng.exe    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1212 wrote to memory of 1488    1212    taskeng.exe    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1212 wrote to memory of 1488    1212    taskeng.exe    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1212 wrote to memory of 1488    1212    taskeng.exe    bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe"
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\5e6add8d-0364-4d8a-be8e-16c128433f71" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    - Modifies file permissions

    C:\Users\Admin\AppData\Local\Temp\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
taskeng.exe {D6840176-C4D8-45B5-887C-F375E6C7E278} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\5e6add8d-0364-4d8a-be8e-16c128433f71\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\5e6add8d-0364-4d8a-be8e-16c128433f71\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe --Task
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12    Filesize: 1KB
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015    Filesize: 70KB
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8    Filesize: 436B
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357    Filesize: 1KB
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12    Filesize: 174B
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015    Filesize: 342B
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8    Filesize: 170B
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357    Filesize: 242B
C:\Users\Admin\AppData\Local\5e6add8d-0364-4d8a-be8e-16c128433f71\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe    Filesize: 713KB
C:\Users\Admin\AppData\Local\Temp\Tar316D.tmp    Filesize: 181KB
memory/1488-87-0x0000000000400000-0x0000000002830000-memory.dmp    Filesize: 36.2MB
memory/1488-76-0x0000000002930000-0x00000000029C1000-memory.dmp    Filesize: 580KB
memory/1712-43-0x0000000000400000-0x0000000000537000-memory.dmp    Filesize: 1.2MB
memory/1712-42-0x00000000028D0000-0x00000000029EA000-memory.dmp    Filesize: 1.1MB
memory/1712-41-0x0000000000400000-0x0000000002830000-memory.dmp    Filesize: 36.2MB
memory/1712-0-0x0000000002830000-0x00000000028C1000-memory.dmp    Filesize: 580KB
memory/1712-3-0x0000000000400000-0x0000000000537000-memory.dmp    Filesize: 1.2MB
memory/1712-2-0x00000000028D0000-0x00000000029EA000-memory.dmp    Filesize: 1.1MB
memory/1712-1-0x0000000002830000-0x00000000028C1000-memory.dmp    Filesize: 580KB
memory/2628-44-0x0000000000220000-0x00000000002B1000-memory.dmp    Filesize: 580KB
memory/2628-62-0x0000000000400000-0x0000000002830000-memory.dmp    Filesize: 36.2MB
memory/2628-64-0x0000000000400000-0x0000000002830000-memory.dmp    Filesize: 36.2MB
memory/2628-66-0x0000000000400000-0x0000000002830000-memory.dmp    Filesize: 36.2MB
memory/2628-414-0x0000000000400000-0x0000000002830000-memory.dmp    Filesize: 36.2MB