Malware Analysis Report

2025-01-03 08:49

Sample ID 240506-y9rwdahh5s
Target 1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118
SHA256 64ae910b63f7b5c9052fc759ecd7cce26cce6e846ac1ea59cfe40ee6e95a3fc3
Tags gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 64ae910b63f7b5c9052fc759ecd7cce26cce6e846ac1ea59cfe40ee6e95a3fc3

Threat Level: Known bad

The file 1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Gandcrab

Renames multiple (249) files with added filename extension

Deletes shadow copies

Renames multiple (261) files with added filename extension

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Enumerates connected drives

AutoIT Executable

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-06 20:29

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-06 20:29
Reported 2024-05-06 20:32
Platform win7-20240419-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (249) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\UYJKJKKQNV-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ClearConvertTo.asx C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SearchInitialize.otf C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SelectSync.xlsm C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SearchSplit.wmv C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\b079259db07922736e.lock C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\UYJKJKKQNV-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\FormatCheckpoint.css C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GetUnpublish.aifc C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LimitMove.cr2 C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UpdateBackup.htm C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\UYJKJKKQNV-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files\UYJKJKKQNV-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BlockSet.wmf C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\OutTrace.vst C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\EditSubmit.xhtml C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GroupRestart.wma C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\UYJKJKKQNV-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GrantMerge.M2TS C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResetPing.TTS C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PushDisconnect.easmx C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\b079259db07922736e.lock C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files\b079259db07922736e.lock C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ConvertFromSync.mpg C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\JoinExpand.mp2 C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RevokeOpen.odt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\b079259db07922736e.lock C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\b079259db07922736e.lock C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CompareSync.sql C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CompressReceive.pps C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DebugSearch.emz C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 1180 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 1180 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 1180 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 1180 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 1180 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 2652 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2652 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2652 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2652 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files

memory/2652-1-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/2652-11-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/2652-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2652-2-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/2652-12-0x0000000000080000-0x00000000000A8000-memory.dmp

C:\MSOCache\UYJKJKKQNV-DECRYPT.txt

MD5 9fdeaaad7da79ecd4354c0780fe1342d
SHA1 e56a2e75704729918f9e04fc2cb79d94533af42a
SHA256 3bf83193b7c7cbe4056014fa14b13a087d69d3ae76188f6198e2d0aa1998a00e
SHA512 2f0a6576d5c14b69de081d2d669a56cf36ab0a8272ba67e86cb4e8eeec7ebf91928c2d6119608f14d6116a1a47b698360bdf69af449e1c2884f9dd9659ae19f2

memory/2652-26-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/2652-675-0x0000000000080000-0x00000000000A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8F66.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar97C2.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a785d9328da285bc5884a5ab9881420
SHA1 8ee64adfc7b3e3b6a106acbad6e3d05378b5bc14
SHA256 4004bb2386c64c6bf449e4042b64f1ce7dea4059af21e98fde60ad98e273e3db
SHA512 21f72c6e0a9eaff5557111c565a63f63f7020d40ee70fba4f767b592f849036b4f43aa3a4a2eb751013a1adf9964ce295559bbc2aec35cf8e8d7a717d4ce5d25

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-06 20:29
Reported 2024-05-06 20:32
Platform win10v2004-20240426-en
Max time kernel 138s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (261) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FIKQRSZHI-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9060794490607eaa6e.lock C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\9060794490607eaa6e.lock C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\9060794490607eaa6e.lock C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\FindSubmit.crw C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SendHide.jpg C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ShowMerge.php C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\FIKQRSZHI-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\InitializeWatch.dwg C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UseOptimize.mp3 C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File created C:\Program Files\FIKQRSZHI-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\EnterExit.xltm C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\EnterWait.wvx C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\InvokePush.vstx C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResizeWait.xlsx C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RestoreGroup.pptx C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = … C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5168 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 5168 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 5168 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 5168 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 5168 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe
PID 4552 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4552 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4552 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e3c5e1eb15d1773663249e7cd96c49e_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/4552-1-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4552-7-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5168-8-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/4552-9-0x0000000000400000-0x0000000000428000-memory.dmp

C:\PerfLogs\FIKQRSZHI-DECRYPT.txt

MD5 7266067485ae54cb3b86894a8df29779
SHA1 f81bd0c2f682d2532f80b74f711d5bc26882a717
SHA256 ca5bbcf3b8502f9e0fe105bdaf402c81deba550f2cfd7c04da1708fc72bd644c
SHA512 b5099f0e415d5eab088c2ee983b941c99ad08540b6cfc7d029702df41af6b471cb08236f8e2f774a3c34378f10aa80e70dca4111dcd3681a9c4a0188a4fc09f1

memory/4552-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4552-693-0x0000000000400000-0x0000000000428000-memory.dmp