Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 21:48
Tasks
- Static task static1
- Behavioral task behavioral1: sample 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20240215-en
- Behavioral task behavioral4: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240426-en
- Behavioral task behavioral5: sample $PLUGINSDIR/System.dll, resource win7-20240419-en
- Behavioral task behavioral6: sample $PLUGINSDIR/System.dll, resource win10v2004-20240426-en
- Behavioral task behavioral7: sample 403-3.htm, resource win7-20231129-en
- Behavioral task behavioral8: sample 403-3.htm, resource win10v2004-20240508-en
- Behavioral task behavioral9: sample HelpButton.dll, resource win7-20240508-en
- Behavioral task behavioral10: sample HelpButton.dll, resource win10v2004-20240508-en
General
- Target: 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- Size: 257KB
- MD5: 31318ee80570c7168708575f032ac63f
- SHA1: 82a8589abd62b469c4ec3c454434a75a63f8b2c6
- SHA256: 849b68c42ca9935f63aea47b02a730b64d0dcb9897e589fee3f64175bc592d84
- SHA512: bd0e851945ad1b2fd726976e5f03f4fad934f598cb8d936c59922afeb8e2cb575dc1a20a008bede70db26f4d6a91eb73d822539c59da7f5975e4244bc65440bc
- SSDEEP: 6144:ewHysO+dCW3EWXJ44UMa6ZhZoXtMQJCIEFTcdGwJ:VO+EW3TXiNMlSXOQJpAcIwJ
Malware Config
- Extracted from: C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.html
- Extracted from: C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.txt
URLs:
- http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC
- http://52uo5k3t73ypjije.8kcfnk.bid/F3FD-14FF-62F1-005C-90CC
- http://52uo5k3t73ypjije.csv7o6.bid/F3FD-14FF-62F1-005C-90CC
- http://52uo5k3t73ypjije.jal9lk.bid/F3FD-14FF-62F1-005C-90CC
- http://52uo5k3t73ypjije.onion.to/F3FD-14FF-62F1-005C-90CC
- http://52uo5k3t73ypjije.onion/F3FD-14FF-62F1-005C-90CC
Signatures

Cerber (2 IoCs)
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Processes (description | ioc | process):
- Mutant opened | shell.{AF608668-EB34-AFF9-6B4D-E9E9062AAC4A} | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- Mutant created | shell.{AF608668-EB34-AFF9-6B4D-E9E9062AAC4A} | fontdrvhost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fontdrvhost.exe
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes (pid | process):
- 3904 | bcdedit.exe
- 4472 | bcdedit.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\\fontdrvhost.exe\"" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\\fontdrvhost.exe\"" | fontdrvhost.exe
Contacts a large number (527) of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Drops startup file (2 IoCs)
Processes (description | ioc | process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontdrvhost.lnk | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontdrvhost.lnk | fontdrvhost.exe
Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 2296 | fontdrvhost.exe
- 3200 | fontdrvhost.exe
Loads dropped DLL (6 IoCs)
Processes (pid | process):
- 4468 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe (3 entries)
- 2296 | fontdrvhost.exe (3 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\\fontdrvhost.exe\"" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\\fontdrvhost.exe\"" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\\fontdrvhost.exe\"" | fontdrvhost.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\\fontdrvhost.exe\"" | fontdrvhost.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 9 | ip-api.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp117B.bmp" | fontdrvhost.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
- PID 4468 set thread context of 1208 | 4468 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- PID 2296 set thread context of 3200 | 2296 | fontdrvhost.exe | fontdrvhost.exe
Drops file in Program Files directory (16 IoCs)
Processes (description | ioc | process):
- File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.url | fontdrvhost.exe
- File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.html | fontdrvhost.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini | fontdrvhost.exe
- File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.html | fontdrvhost.exe
- File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.txt | fontdrvhost.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE | fontdrvhost.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE | fontdrvhost.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE | fontdrvhost.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE | fontdrvhost.exe
- File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.txt | fontdrvhost.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini | fontdrvhost.exe
- File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.vbs | fontdrvhost.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE | fontdrvhost.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml | fontdrvhost.exe
- File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.url | fontdrvhost.exe
- File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.vbs | fontdrvhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (2 IoCs)
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe | nsis_installer_1
- C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe | nsis_installer_2
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid | process):
- 3464 | vssadmin.exe
Kills process with taskkill (2 IoCs)
Processes (pid | process):
- 1136 | taskkill.exe
- 2032 | taskkill.exe
Modifies Control Panel (4 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\\fontdrvhost.exe\"" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop | fontdrvhost.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\\fontdrvhost.exe\"" | fontdrvhost.exe
Modifies registry class (1 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | fontdrvhost.exe
Runs ping.exe (1 TTPs, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
- 3200 | fontdrvhost.exe (64 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes (pid | process):
- 2748 | msedge.exe (9 entries)
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes (token | pid | process):
- SeDebugPrivilege | 1208 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
- SeDebugPrivilege | 1136 | taskkill.exe
- SeDebugPrivilege | 3200 | fontdrvhost.exe
- SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 3320 | vssvc.exe
- SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3324 | wmic.exe (this set of 21 tokens is recorded twice)
- SeDebugPrivilege | 2032 | taskkill.exe
- 33, SeIncBasePriorityPrivilege | 1628 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid | process):
- 2748 | msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid | process):
- 2748 | msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process), with the number of identical entries in parentheses:
- PID 4468 wrote to memory of 1208 | 4468 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe (11)
- PID 1208 wrote to memory of 2296 | 1208 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | fontdrvhost.exe (3)
- PID 1208 wrote to memory of 2284 | 1208 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | cmd.exe (3)
- PID 2284 wrote to memory of 1136 | 2284 | cmd.exe | taskkill.exe (3)
- PID 2284 wrote to memory of 3068 | 2284 | cmd.exe | PING.EXE (3)
- PID 2296 wrote to memory of 3200 | 2296 | fontdrvhost.exe | fontdrvhost.exe (11)
- PID 3200 wrote to memory of 3464 | 3200 | fontdrvhost.exe | vssadmin.exe (2)
- PID 3200 wrote to memory of 3324 | 3200 | fontdrvhost.exe | wmic.exe (2)
- PID 3200 wrote to memory of 3904 | 3200 | fontdrvhost.exe | bcdedit.exe (2)
- PID 3200 wrote to memory of 4472 | 3200 | fontdrvhost.exe | bcdedit.exe (2)
- PID 3200 wrote to memory of 2748 | 3200 | fontdrvhost.exe | msedge.exe (2)
- PID 2748 wrote to memory of 2616 | 2748 | msedge.exe | msedge.exe (2)
- PID 3200 wrote to memory of 2476 | 3200 | fontdrvhost.exe | NOTEPAD.EXE (2)
- PID 2748 wrote to memory of 5056 | 2748 | msedge.exe | msedge.exe (16)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree, indented by depth)

[depth 1] C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
    - Cerber
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe"
        - Cerber
        - Modifies visibility of hidden/system files in Explorer
        - Adds policy Run key to start application
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Sets desktop wallpaper using registry
        - Drops file in Program Files directory
        - Modifies Control Panel
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\vssadmin.exe
          Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          - Interacts with shadow copies

        [depth 5] C:\Windows\system32\wbem\wmic.exe
          Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit

        [depth 5] C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit

        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5ae246f8,0x7ffe5ae24708,0x7ffe5ae24718

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1

        [depth 5] C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC?auto

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5ae246f8,0x7ffe5ae24708,0x7ffe5ae24718

        [depth 5] C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

        [depth 5] C:\Windows\system32\cmd.exe
          Command line: /d /c taskkill /f /im "fontdrvhost.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe" > NUL

          [depth 6] C:\Windows\system32\taskkill.exe
            Command line: taskkill /f /im "fontdrvhost.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

          [depth 6] C:\Windows\system32\PING.EXE
            Command line: ping -n 1 127.0.0.1
            - Runs ping.exe

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /f /im "31318ee80570c7168708575f032ac63f_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe" > NUL
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im "31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x470 0x2f81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
  Indicator Removal (2)
    File Deletion (2)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (Filesize 152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (Filesize 152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize 6KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize 6KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (Filesize 16B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 11KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\json[1].json (Filesize 297B)
C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\System.dll (Filesize 11KB)
C:\Users\Admin\AppData\Roaming\403-3.htm (Filesize 1KB)
C:\Users\Admin\AppData\Roaming\ChiPollywog.9mW (Filesize 207KB)
C:\Users\Admin\AppData\Roaming\HelpButton.dll (Filesize 68KB)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontdrvhost.lnk (Filesize 1KB)
C:\Users\Admin\AppData\Roaming\Phenothiazine.aLp (Filesize 4KB)
C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml (Filesize 914B)
C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe (Filesize 257KB)
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.html (Filesize 19KB)
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.txt (Filesize 10KB)
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.url (Filesize 90B)
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.vbs (Filesize 252B)
\??\pipe\LOCAL\crashpad_2748_BZIBQDJCWXPUKYEG