Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12-05-2024 05:18
Static task: static1
Behavioral task: behavioral1
- Sample: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Size: 191KB
- MD5: 3874199af9bef338ffc8dcd9a9d2dbf0
- SHA1: 14f4aa746d391393bd2fdd112a430266bf20a8f2
- SHA256: a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964
- SHA512: 38c177e59a2d36ed2e25e61930275e474c4cc628485581393dee8202bccdd3576149416fa10b74c9b7ac192c689f08db9ee3553a8e90f06c7ac691c5c2a34fec
- SSDEEP: 3072:eyAaQqe90u5DdXJP45JQRCK5Z4AhJvKI+EXWML6KyugTxfvDcO3g+xJ+88aQ4VVn:eyAge9RNOQg+ZP12EX5L6154+N8apiPi
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
- http://cerberhhyed5frqa.xmfir0.win/46F5-B740-18A4-0063-718C
- http://cerberhhyed5frqa.gkfit9.win/46F5-B740-18A4-0063-718C
- http://cerberhhyed5frqa.305iot.win/46F5-B740-18A4-0063-718C
- http://cerberhhyed5frqa.dkrti5.win/46F5-B740-18A4-0063-718C
- http://cerberhhyed5frqa.cneo59.win/46F5-B740-18A4-0063-718C
- http://cerberhhyed5frqa.onion/46F5-B740-18A4-0063-718C
Extracted from: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (16389) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- PID 496 bcdedit.exe
- PID 3040 bcdedit.exe
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\msdt.exe\"" by 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\msdt.exe\"" by msdt.exe
-
Deletes itself 1 IoCs
Processes:
- PID 2936 cmd.exe
-
Drops startup file 2 IoCs
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\msdt.lnk by 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\msdt.lnk by msdt.exe
-
Executes dropped EXE 2 IoCs
Processes:
- PID 2472 msdt.exe
- PID 852 msdt.exe
-
Loads dropped DLL 6 IoCs
Processes:
- PID 2924 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe (2 entries)
- PID 2580 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- PID 2472 msdt.exe (2 entries)
- PID 852 msdt.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\msdt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\msdt.exe\"" by msdt.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\msdt.exe\"" by 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\msdt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\msdt.exe\"" by 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\msdt.exe\"" by msdt.exe
-
Checks whether UAC is enabled
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by msdt.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 3: ipinfo.io
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp957C.bmp" by msdt.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 2924 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe set thread context of PID 2580 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- PID 2472 msdt.exe set thread context of PID 852 msdt.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Resources:
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe, yara_rule nsis_installer_1
- C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe, yara_rule nsis_installer_2
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 2404 vssadmin.exe
-
Kills process with taskkill 2 IoCs
Processes:
- PID 2636 taskkill.exe
- PID 2424 taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\msdt.exe\"" by msdt.exe
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop by 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\msdt.exe\"" by 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop by msdt.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 852 msdt.exe (64 entries)
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes (token privileges enabled):
- PID 2580 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe: SeDebugPrivilege
- PID 2636 taskkill.exe: SeDebugPrivilege
- PID 852 msdt.exe: SeDebugPrivilege
- PID 2836 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 2096 wmic.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- PID 2424 taskkill.exe: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
- PID 1264 iexplore.exe (2 entries)
- PID 2192 iexplore.exe
-
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
- PID 1264 iexplore.exe (4 entries)
- PID 2248 IEXPLORE.EXE (2 entries)
- PID 2192 iexplore.exe (2 entries)
- PID 1628 IEXPLORE.EXE (2 entries)
- PID 1968 IEXPLORE.EXE (2 entries)
- PID 1628 IEXPLORE.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID wrote to memory of target PID; number of recorded entries in parentheses):
- 2924 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe -> 2580 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe (10)
- 2580 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe -> 2472 msdt.exe (4)
- 2580 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe -> 2936 cmd.exe (4)
- 2936 cmd.exe -> 2636 taskkill.exe (4)
- 2936 cmd.exe -> 1260 PING.EXE (4)
- 2472 msdt.exe -> 852 msdt.exe (10)
- 852 msdt.exe -> 2404 vssadmin.exe (4)
- 852 msdt.exe -> 2096 wmic.exe (4)
- 852 msdt.exe -> 496 bcdedit.exe (4)
- 852 msdt.exe -> 3040 bcdedit.exe (4)
- 852 msdt.exe -> 1264 iexplore.exe (4)
- 852 msdt.exe -> 1580 NOTEPAD.EXE (4)
- 1264 iexplore.exe -> 2248 IEXPLORE.EXE (4)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe
Command line: "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe
Command line: "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe"
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Windows\system32\vssadmin.exe
Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
-
Level 5: C:\Windows\system32\wbem\wmic.exe
Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\System32\bcdedit.exe
Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
Level 5: C:\Windows\System32\bcdedit.exe
Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
Level 5: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 6: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Level 6: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:537601 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Level 5: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
-
Level 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
-
Level 5: C:\Windows\system32\cmd.exe
Command line: /d /c taskkill /t /f /im "msdt.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exe" > NUL
-
Level 6: C:\Windows\system32\taskkill.exe
Command line: taskkill /t /f /im "msdt.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Level 6: C:\Windows\system32\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: /d /c taskkill /t /f /im "3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe" > NUL
- Deletes itself
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /t /f /im "3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
Level 1: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
Level 2: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Level 1: C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5526a58670b82831a4c930dc0b5f30f51
SHA1c9586fe6b70e521808c2d3cf167ef2549e9a7d8d
SHA256652b4e2f12dde72115ee3ad6d1626c56c55d4ecc5510593928ebc7b02f6aa109
SHA5127b50713705e461622364e2f3e9dbcd3e59c2acf16b6478d798db510eda01a3b8a67eee8bee45a44ac9249d4faeeaecc447b255e5e2294f8b15fe9beb867b9d76
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4090F8C1-101F-11EF-BE0C-E2E647A5CFB6}.datFilesize
6KB
MD5465de9ad51fb9824c453232ce9d70bdf
SHA182225e4f6b0a91221d1f241d5bd3a1bf1cfb13cc
SHA256a3a9a73dc199785dc7733e175b7cea50f9671be0fe2d13208e8fce5210889990
SHA512e7863f82d483944dda0729b127d0460c755936e683c450b9f9294bd1deff089feeb0c21c31512a08f8e98d85dfe7e5a2f4b8069b58a0c5951f61ba11c3d0d29d
-
C:\Users\Admin\AppData\Local\Temp\CabABEA.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\TarACDD.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\14.svgFilesize
1KB
MD5d7d1c6533532e504e092fbfa3629a0c6
SHA1cd4e2a1baa46a9fea795687c671e2b7ef68f5cfe
SHA2562ee5d7f1a317992aecbefb6ae3285a599feb6d0898c378c4fa6096554d9ea18c
SHA512cfa4ef2c6fa42ea7be1c382cdf8a68f3ba6cd073e0431b58a98cc3bc3b17b65fae9e17b89835e4853f0b933849b629dd2dc5e6739b664dcdd6554a4e6a58a95f
-
C:\Users\Admin\AppData\Roaming\5.svgFilesize
967B
MD5d4aa38a90c2dd724b569ae28f314ce9c
SHA19041c2905b6a95f10ff1ce22eec51d76ed008703
SHA25684ebb2d82c7a1ceabdd698fe823cf23c1eaff7c73458b410fb1ce76c8fbb9b48
SHA51245d67e17bd0ac8e9184554d8fb378a952fae4b3654c1baad269cd750ce52a744f55bccf48506042f82955132f6a25c5429a3b33bfff7ce0d4383f7d230b579e9
-
C:\Users\Admin\AppData\Roaming\5.svgFilesize
1KB
MD5757fecfa3662470da55a0ecea6d340ce
SHA1488e3389f09d98aa7ace2108db38f04c076bf3f9
SHA256ca04a696c323a4b3981059fe22dc5f9a8f137e9b0d4fb879755d8d673422b1a3
SHA51230fd845e9c5a00ce1790c534f63b1ee026380e7a12b3af1b3052bb84101043c0f7ea4d6dcce6f355afeccf277bb0705b9837a9eff41f9b6a5cbde61b8a7d86ab
-
C:\Users\Admin\AppData\Roaming\Adobe-Korea1-2Filesize
4KB
MD5ae6e76ce3e42a164f3dc16386372eba2
SHA17f9033a222218108bbeb011f956c672ea50402ef
SHA256c3cc324e8610138120375f8023eca6ba4f6fee22639bc8594cec3412e7796b1d
SHA5121cbf330e1219623060b367d595f0598e47868cd341c110581be4092c1c3b1206075143c5818a361a52ae08bffbdecb23430e9f5e083016c8b4ac69eb5119d662
-
C:\Users\Admin\AppData\Roaming\BaghdadFilesize
489B
MD5c9ef37edfba00afb0e15b457af8c30b5
SHA1e8b4bcaacc6292e57030264fff25bc0739f9989e
SHA2564ab1803957c4629ed07601a3b0ec2780c0336182b56356479d3ec939c1665d67
SHA512bcb6ab1c7784dcabc0429e3d0a9b6c5416e0fdbd9b99a891120724f1b7eaa81d9058717c0e6003574518b49daab12b9293198f1d8554aa2fe764bf27c1581a37
-
C:\Users\Admin\AppData\Roaming\BelemMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\CHANGELOG.mdFilesize
4KB
MD5316d0933205629da92943baa76fcbb01
SHA1b4b9f86a7e3198d4264d78326dcd358f768a0dd4
SHA2568bd629f9a93f04fd38e02515dbcc0e654fd414581a4ea700e8568d7f730cfe83
SHA5123cbbc23549d5eee79a96f26996d3716bde8dee6d7e1bc3ebbc116a1cf24b077ba80c62c08d6863285461d2577b42fc3d4f99767108667d8574458b8624d7b962
-
C:\Users\Admin\AppData\Roaming\CHANGELOG.mdFilesize
4KB
MD5e6f2520cedb0df21cc115a52eb3f7758
SHA127d37567e0739177af8915ebfd1d3f17fe53d52d
SHA256daf6ffb3678d5e74a87aa550af9bd34c6e049562a771b38fcc39d5f8ec1df45a
SHA512ea91d35f654f1275dfd437ffd44ebe8b2ec5690f32ee78c2507ebb807570306f20b18b22085a4592c215458885fb9dfbff5919f93ca19fe8e0be94cd425d8060
-
C:\Users\Admin\AppData\Roaming\Cube Wrap.daeFilesize
4KB
MD52fbce568bf33721ee9a3b169e45e1c6e
SHA1f6843c7f30a7080102f54022378f5db5f9b54604
SHA2566ee6c6b5dd0a5fd77cbf192d34e34c906a5c8d03e8bbbdad844be0b3be0eb244
SHA512d74e7de308caf935100a7e68325dad64be10125ac1f458646967e44b8ebd3308c50d54d05c9bedf4909301cbbb43794ba05a14c3c1343a090691b4c370609fc7
-
C:\Users\Admin\AppData\Roaming\GMT+10Filesize
27B
MD5715dc3fcec7a4b845347b628caf46c84
SHA11b194cdd0a0dc5560680c33f19fc2e7c09523cd1
SHA2563144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08
SHA51272ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662
-
C:\Users\Admin\AppData\Roaming\LowlandJade.9Filesize
1KB
MD5ff4bf91598146d03cd1509a5a8e573eb
SHA11fb7cc8826cb01ab125a8ded4e81362c9f00c39b
SHA25614f3c22b4eb2a917f7d88595625ce17dca8028d7e1ab59e887ff8de649f9187b
SHA51242e8f92f3db305ce3dd8541fdd98390af80290edd333652bd4624f7d0bbb69a7848d17749cfa07acdc8e86be546531a133d7b497b1b0d1304eb15f0f1d6cb649
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\msdt.lnkFilesize
1KB
MD56d86251f2db18110b700ac8c21f6f519
SHA1b2fe5b97f042b14b5e6c54d1699acc5943b4982e
SHA256c79e14abfa67c8dc574f5f452259c3b5aad149dc87ecd423d3278a2aee2072db
SHA51225cc1f8fca9f819b3e0e540377b9caa0d569a49d992f07b375a2ad48f356ecbf39a2282ba928286e0a7fa245e0d5c6c377e1da4311d8ac8caa23a2dd0858be7d
-
C:\Users\Admin\AppData\Roaming\additional_tools_pc_checkup_icon.pngFilesize
3KB
MD5a7e29dfb14752aa51496d4481c16fd66
SHA18adc704c9e114fd41e799ec88dd14e0eac70dba6
SHA2562547989292007a538218e507c3a62665bdd10bb5020145fd3be4130a29f2afae
SHA512c7fd358b405063c897e09ef35645839a1908a7ff2347af20707d24a8197c1b8a13cbc4930babe50eac24cd9d7f6b789c595cf8b314c29b9f7c64bc044db55762
-
C:\Users\Admin\AppData\Roaming\additional_tools_pc_checkup_icon.pngFilesize
3KB
MD52f5da6ef0e4770691fd130dfb87448db
SHA101590c3ab8cccf149d4733c67224bbff86877150
SHA256e280acf94ea4effc559485f8a1b6a879e04cf1f5d7c2b7388a132dddf22a8afd
SHA5129aa0e3783dd2439db06abed8a1604a8fe24cd52a9d62d9feeba0cd9e1f4a25f1c7e7c23a417b650fa0b90e4ee55f1ab108d17a3d6d4a4fc35e0eb460a4285c2b
-
C:\Users\Admin\AppData\Roaming\admon.graphics.path.xmlFilesize
1KB
MD571f6c3f678dcff31f094c2064f4248f3
SHA15f12a05ccbc96ec8981ae4485b0add68c052575d
SHA256fbbc759260f66fe9e4a60f3afde3fea06250a0fe56ff02b050fd1b4cba8c1b76
SHA51299dc7d864898cb4ec9a5fa7fcf1ecb7dff571e826b366a3454e87eb63da165e19fcac0455f407a49d6feeee634ed05ebd3b3fed7fece4a87f12983b67f4d69e8
-
C:\Users\Admin\AppData\Roaming\admon.graphics.path.xmlFilesize
1KB
MD5acc6fac45115b2d4030ae09702754446
SHA19329ac3e4884d2b8639cded9c7770f625e860f52
SHA256dc2f6cf27e787c9af6ce69a16ecda15a43b91e3cf937e50472ca911fa9841e2a
SHA5121b261357a756bb561b8c5b7c8f6ec0910f9764b222c115522590ecb64f33f9ebe6f74a31b5cb81bb3fbcdf4248552a36d55c0c79e0cbe0eab3f0b7c1584d0165
-
C:\Users\Admin\AppData\Roaming\arrow.gifFilesize
144B
MD50b31842824faacd1751abbb01ddf5fa9
SHA15674b77233b89be37cdcc2f869072f453c485534
SHA2566cd839340040110df50a75eb6078718895a178b09769daf36e70978ec6ce4c73
SHA512cc65c25adbc41813461b15716558ebef11faadbefa82b2afd16b610e54f3b978f8e4736cb7be495aaa8eec7aea295b983dec888fb1138101480d1cd816ca0d36
-
C:\Users\Admin\AppData\Roaming\aspnet.configFilesize
1KB
MD58aa2398eb508075d6092e6c5b0ca9fdd
SHA19d9ba333a3376e9daa04fa99069d2e8219e71da6
SHA256854b2b0fe534ec3551a5c221583c26281c4cbdf539be9253a9a452689b6968e4
SHA512cc1ce888246c61fbf6b803d05b98be1255b6379dd7d577629fbb717a16f0ae7eac7595ea042bcb170091c97770a47b33a8b1107fade80423a820b06e4f765f98
-
C:\Users\Admin\AppData\Roaming\bridgehead.in.toc.xmlFilesize
1KB
MD53cbff1f2a4ff61dbd5e429062244c80b
SHA1a3894b7495784f2784abd5bb308bc5c2c65e9b68
SHA2564258d4c1f80a138d2ce4a27da538d0bd57b40e3986787368fb6222d0aba026e3
SHA512a35582afb3c0be80456b9fdeac031e554a162f9a2399001654565a665d59ecd80f8b196074c4fbf8d24292302b66865a410c90ed8ebf8705a9c1dbaf17e4d4f5
-
C:\Users\Admin\AppData\Roaming\bridgehead.in.toc.xmlFilesize
1004B
MD5c1cf25885988504b0f6f90f1cb545382
SHA15e1f1c88ab034e14dd6f3aeb9da857f5815b4c6e
SHA2567808de9b4c36f737a88e309454101d3655597393323cafcf87d42e4411baa7b0
SHA5127adf12507347a9dbc84c93bc38a14c3dd42ba1e2c2f0f937b0915066d437288103b831b33f5dd99ea252a9f2a0a1e6eaf6289cccb04090b8a20ae00cd652660a
-
C:\Users\Admin\AppData\Roaming\buildMenu.jsxFilesize
1KB
MD5ec19d87bf31be0f9022d069803f67073
SHA1fd8fbc60713955a4a895904da7970f13f815acd7
SHA256e7b4fea1f0f74e66664301e1a34e4a6017fcb04aa6d249a38b901f8dd8fb3732
SHA512df5bc4aefaa26ef5d47d2902c494242d1167cdbbb34e661894af0ca0b76192e00c27bdeb7d2d5dab01b3452e109c11824ae8715a0c5113dbef124829e9574b3d
-
C:\Users\Admin\AppData\Roaming\directories.pngFilesize
1KB
MD582142ba9138b7b0849d2079a70a8f3a2
SHA1cf8f17e2bc3e2832d9ba45ca606f2b5d88569bd4
SHA256afb3077d6e75785a6a14f1196e36c39e23fd610b8cd88bebab3ec6b5bc0bcea9
SHA512d308fec0b23aaf8d408a52cb25998f82510b5f17142b3154d8105b342084890fc14beac40d6f509f0a3172615ccce25b55650e7410e718917b6210dd50342360
-
C:\Users\Admin\AppData\Roaming\directories.pngFilesize
1KB
MD5b8431ad28846eedb63a0839d378a0367
SHA1908301e17f7f34e0b452e7cdbced92c1278307a4
SHA256b981d068c80d4b1a60d9c010516aeffb43b8a2afaaa0731bab7665ffcd5cd208
SHA512d4803aee4c3dc8b041565cc2b3050303d4d27815acb547219947a5672862015e91b4ae15c663f2d62ee2c73fbf7660cb1f72cad5e9e52b4de26bf71fd3f4494f
-
C:\Users\Admin\AppData\Roaming\f37.pngFilesize
1KB
MD5446a6ee8969bbb6743d4ed22d343e541
SHA169010f652fc701d3f505a9c416b6ce09ddf9bb93
SHA2568c8e83025f6a61d08194e852269a5b45f33f0313b59d41140cdb679757356fc3
SHA512a58555fd9abb577ebb6eeec9cb138dbc67aaa4b5b1ad99397f0ede4c63f447a6f4e9af0e67c46e5778a3318676025430efa707c555c37ce19d624f9cc4b1ff67
-
C:\Users\Admin\AppData\Roaming\footnote.mark.properties.xmlFilesize
1KB
MD5f7813114f7e6ba1b377b1b02242ad9a7
SHA1422598ffb70fd5e138ab8b9293332d43ade81b59
SHA25624b42dd9fb2410027bc91dd03191e3d78a1d705d09f96e595e19eda7933b53dc
SHA512d393e9f4b92ab144a88dfaeceb4efc549ad8241da6ef602a018f9aee6e43b4b2375dc5eb55fa20415640fca8276f8b446779df6bb878dddc2ad06eac618abc47
-
C:\Users\Admin\AppData\Roaming\generate.index.xmlFilesize
1KB
MD57af160ad2704d87bd0ece9a19fdc9ee8
SHA121fda1c6f96eaa402fff9f361dc256a97da1dc7e
SHA256b555fd5b2ef9c3dd9e13d412781fcbdbf3b97a6b18dee985bd8da86e391e4950
SHA512ea415816adbd47554f4215d0ffd741a0045dc9cdda0624e4b5d0553f893c954b2abd8a90db0284659a14dce0f5a80f15e8353295ba4da2156e2d0a2905cdd1ae
-
C:\Users\Admin\AppData\Roaming\generate.index.xmlFilesize
847B
MD5dac670dc3250ec2a38be195646386c89
SHA11373182d015c82b47d4bbc5dda88da5fbc1bca3a
SHA2568c4591b205a866468afe6779ac4af70e54e37a105361671fd448895a06c351a7
SHA5120b08bddc4b4723f39650acd68ad14b75783d739e473f64e9a692142b2ecb2577e21f0b41376d5d0de3b6e30744c5b390d9d4d8b74ad05c3060bea4ca393b1d18
-
C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xmlFilesize
1KB
MD5a057463e49cc7a282b9de9bd1f98c940
SHA117f203dd324b4dc61fc85a2848b93f0941946d4e
SHA256ca43ac52dec0ed1083c006678f4e1e0b7e6c2882e8bcc66e76bc776b7340bfe8
SHA512b18514215cc196d457629ee48c08b05078aa7b61dcd26a540ef9aa107e4231a27a80de11e068a03611c85966fcb511bf22f0ab40fc8e461cb817a1caba9c0734
-
C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xmlFilesize
1KB
MD5a626c5a8c265d96c010034638f43e34a
SHA1d83a92c1598ee53829ac98bdbd18883b9d3c77f9
SHA256c76077bfe25d85d98b8b351875e6822f0e815cb726a18809ecec32234800b129
SHA5128947a71d7b7c0c5e0e0fbd1d169e721757d541a561fbc5bee7705ccc72f10e8301f76a7b0dd163d931177781133aaf7fc33e198d5c8aaee6dcc9de24c8259ee1
-
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_kr.csvFilesize
727B
MD52a2bb6e24be66b74f0a8fc256a6fd5f0
SHA16e80db667076704ecb753d8921c873cf90128f70
SHA256c03c0859d17296986028e5bc16ca6f5167f2d6c966bd03b499619fb25de93da4
SHA5121f054451c4d86bc1d35f015c754cf5c8d5d3e6a2908217b6383e1e8085e1bdeeeb3e4e5b981599e4c5b2cffe5e2fca6c4ea8fb50744748b07966bd30ea5e423a
-
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_kr.csvFilesize
315B
MD5e7b835efd565a6bd02237591a64416fa
SHA17ea8027ff98e318758a48907a1f69b1b35f63c72
SHA25667ca7823ea8b02127ea8e4c198585e8442530e7e803b2832666257c4050ad605
SHA512911bd83c92eaa36464bcb00c45102bc1b5eacfc83cd8d7ccebf920874fd5156a975d1c0bcfe0d96ca0461ddb287f43c2c8204722d93c6f0ea8663d8f75e14f81
-
C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\msdt.exeFilesize
191KB
MD53874199af9bef338ffc8dcd9a9d2dbf0
SHA114f4aa746d391393bd2fdd112a430266bf20a8f2
SHA256a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964
SHA51238c177e59a2d36ed2e25e61930275e474c4cc628485581393dee8202bccdd3576149416fa10b74c9b7ac192c689f08db9ee3553a8e90f06c7ac691c5c2a34fec
-
\Users\Admin\AppData\Local\Temp\nst6B7.tmp\System.dllFilesize
11KB
MD56f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1b6ac111dfb0d1fc75ad09c56bde7830232395785
SHA256b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
SHA512a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8
-
\Users\Admin\AppData\Roaming\Dialogs.dllFilesize
27KB
MD598041c3b26ffcd6c4371cd6922cc9dfb
SHA1384bd07ad9523353d9c67337af7369834b52914d
SHA256c000e9cc700265ee10be1c811fac455fca938cb5b5144e431eb5286520af94cd
SHA512a2bb8a799dc6c4e25624fd3a6a21ad890c9bddca6fe0a698455c486e4525180cd6767f66db9b5becf06105bef38d924a34179c2416978adccc2707999183f9c3
-
memory/852-141-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-559-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-143-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-152-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-140-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-150-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-147-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-148-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-555-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-563-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-153-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-566-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/852-145-0x0000000003600000-0x0000000003601000-memory.dmpFilesize
4KB
-
memory/2472-125-0x0000000000440000-0x000000000044A000-memory.dmpFilesize
40KB
-
memory/2580-49-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2580-51-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2580-63-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2580-35-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2580-37-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2580-39-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2580-44-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2580-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2580-47-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2580-41-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2924-33-0x00000000026E0000-0x00000000026EA000-memory.dmpFilesize
40KB