djvu | dacddfaece889da8a311107c5923313c6682acce5c718b5ae49550a1e15b24d0

Analysis

max time kernel
146s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Size

713KB
MD5

bb7b70fcd01eb0903c7ecf2a8a50cbea
SHA1

22694b981fe9c6c9bedd6045299b55e564ebf8e8
SHA256

dacddfaece889da8a311107c5923313c6682acce5c718b5ae49550a1e15b24d0
SHA512

64ac24534d043b01dafad22f79af7649443c5dcd809fadeeac7faa08c04b1e73f33230e9f8d2824dfd90bedb30222c61f8490b7ee307ac753b146978a799c54e
SSDEEP

12288:8d8z9JklKqDlVGzfLPQU4dFC19BqR0o8lPFaV0pJVAyp5tAiRmKz:8Wpgc7yFC19Bs+tpJV5RmK

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://cjto.top/nddddhsspen6/get.php

Attributes

extension
.kolz
offline_id
hZcC4PEfaqDNIXxy0ProMPOAk3JS3K1JoUqoq0t1
payload_url
http://cjto.top/files/penelop/updatewin1.exe
http://cjto.top/files/penelop/updatewin2.exe
http://cjto.top/files/penelop/updatewin.exe
http://cjto.top/files/penelop/3.exe
http://cjto.top/files/penelop/4.exe
http://cjto.top/files/penelop/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-18R6r7GGG8 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0252Ijrfg

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-2-0x00000000028D0000-0x00000000029EA000-memory.dmp	family_djvu
behavioral1/memory/1712-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1712-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1712-41-0x0000000000400000-0x0000000002830000-memory.dmp	family_djvu
behavioral1/memory/1712-42-0x00000000028D0000-0x00000000029EA000-memory.dmp	family_djvu
behavioral1/memory/2628-62-0x0000000000400000-0x0000000002830000-memory.dmp	family_djvu
behavioral1/memory/2628-64-0x0000000000400000-0x0000000002830000-memory.dmp	family_djvu
behavioral1/memory/2628-66-0x0000000000400000-0x0000000002830000-memory.dmp	family_djvu
behavioral1/memory/1488-87-0x0000000000400000-0x0000000002830000-memory.dmp	family_djvu
behavioral1/memory/2628-414-0x0000000000400000-0x0000000002830000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Renames multiple (160) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 1 IoCs

Processes:

bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

pid process

1488 bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2596 icacls.exe

pid	process
1488	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

pid	process
2596	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5e6add8d-0364-4d8a-be8e-16c128433f71\\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe\" --AutoStart"	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.2ip.ua
3 api.2ip.ua
4 api.2ip.ua
16 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
22	api.2ip.ua
3	api.2ip.ua
4	api.2ip.ua
16	api.2ip.ua

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exebb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exebb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exebb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

pid	process
1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
2628	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
2628	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
1488	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
1488	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
2628	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exetaskeng.exe

description	pid	process	target process
PID 1712 wrote to memory of 2596	1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe	icacls.exe
PID 1712 wrote to memory of 2596	1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe	icacls.exe
PID 1712 wrote to memory of 2596	1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe	icacls.exe
PID 1712 wrote to memory of 2596	1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe	icacls.exe
PID 1712 wrote to memory of 2628	1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1712 wrote to memory of 2628	1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1712 wrote to memory of 2628	1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1712 wrote to memory of 2628	1712	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1212 wrote to memory of 1488	1212	taskeng.exe	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1212 wrote to memory of 1488	1212	taskeng.exe	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1212 wrote to memory of 1488	1212	taskeng.exe	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
PID 1212 wrote to memory of 1488	1212	taskeng.exe	bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\5e6add8d-0364-4d8a-be8e-16c128433f71" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:2596

C:\Users\Admin\AppData\Local\Temp\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\system32\taskeng.exe
taskeng.exe {D6840176-C4D8-45B5-887C-F375E6C7E278} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\5e6add8d-0364-4d8a-be8e-16c128433f71\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\5e6add8d-0364-4d8a-be8e-16c128433f71\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe --Task
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
3939e910d0a71e0303db865ec721951a

SHA1
3210dec9db4e11fe9f5b4d44b5930736d3e44afe

SHA256
7250c110c82aeaddbbcf53a58d20c72407b89b36a650fb74b3253548a838a667

SHA512
390fd4b2451191f447c7ef105220dfc22af0c8b46a58e853a17986deacb6eadffa1c05e0a2fc7cd9e06e884f161b4bf8d4edd29cc5983569a8197f5f6152941f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6b639381e891cad9282586fc1cc81c2a

SHA1
9b60c8a4142f155f79b8f6275ac2290d6b5fcf23

SHA256
19d5d1162c9bc4f930409c54dc5110ddef53eff6890227765b00af240e3e05d2

SHA512
c1c14b3c137d471b965d5814c19af45fa10082ba99051d1c3b5ca470f522267017844e16d9f93d347cfdfcbf6f3b21b8dad162fa9ee44a5cd2174e3e21c6839d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
375ad03f9d07ff0d19bafcef73b08aa7

SHA1
c0047831f56461d2419a0eed169ad169751df663

SHA256
c05edd53fc05531b505c1e64c3ceda9ac7004dcadfe7a01a0fd9df62951b9dfb

SHA512
bb07e1e76cbeaa134fc5ba20c7eda97af2bc139147241012952a792f6a1879e5129e53a407443a47b9f955e09c5dae4915fd022c7515676e80f6c33f4a48026c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
7fdb60b35c4453c628b5b8d6cf415396

SHA1
e7946a947213238c9e85958f12dcff6cc4c54abf

SHA256
ee3bfc81e5fbe40ad8df8a1216b8cdcc858fecdfc868845245069f5653714f38

SHA512
736a8eaf86e3e30202aa597b5415ca3cd16aca2e37dea2475e2a4c5be12b6c8ee103bdd2fe7583c7750e089932ae39b4413dbb054a9b5614b8cbc3309bed8b22

Download Submit
C:\Users\Admin\AppData\Local\5e6add8d-0364-4d8a-be8e-16c128433f71\bb7b70fcd01eb0903c7ecf2a8a50cbea_JaffaCakes118.exe
Filesize
713KB

MD5
bb7b70fcd01eb0903c7ecf2a8a50cbea

SHA1
22694b981fe9c6c9bedd6045299b55e564ebf8e8

SHA256
dacddfaece889da8a311107c5923313c6682acce5c718b5ae49550a1e15b24d0

SHA512
64ac24534d043b01dafad22f79af7649443c5dcd809fadeeac7faa08c04b1e73f33230e9f8d2824dfd90bedb30222c61f8490b7ee307ac753b146978a799c54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar316D.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1488-87-0x0000000000400000-0x0000000002830000-memory.dmp

Filesize
36.2MB

Download
memory/1488-76-0x0000000002930000-0x00000000029C1000-memory.dmp

Filesize
580KB

Download
memory/1712-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1712-42-0x00000000028D0000-0x00000000029EA000-memory.dmp

Filesize
1.1MB

Download
memory/1712-41-0x0000000000400000-0x0000000002830000-memory.dmp

Filesize
36.2MB

Download
memory/1712-0-0x0000000002830000-0x00000000028C1000-memory.dmp

Filesize
580KB

Download
memory/1712-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1712-2-0x00000000028D0000-0x00000000029EA000-memory.dmp

Filesize
1.1MB

Download
memory/1712-1-0x0000000002830000-0x00000000028C1000-memory.dmp

Filesize
580KB

Download
memory/2628-44-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2628-62-0x0000000000400000-0x0000000002830000-memory.dmp

Filesize
36.2MB

Download
memory/2628-64-0x0000000000400000-0x0000000002830000-memory.dmp

Filesize
36.2MB

Download
memory/2628-66-0x0000000000400000-0x0000000002830000-memory.dmp

Filesize
36.2MB

Download
memory/2628-414-0x0000000000400000-0x0000000002830000-memory.dmp

Filesize
36.2MB

Download