Analysis
- max time kernel: 147s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12-05-2024 19:47
Static task
- static1
Behavioral tasks (sample / resource)
- behavioral1: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe / win7-20240220-en
- behavioral2: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe / win10v2004-20240508-en
- behavioral3: $PLUGINSDIR/System.dll / win7-20240220-en
- behavioral4: $PLUGINSDIR/System.dll / win10v2004-20240508-en
- behavioral5: CDRom.dll / win7-20240508-en
- behavioral6: CDRom.dll / win10v2004-20240226-en
General
- Target: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
- Size: 170KB
- MD5: 3bc88ab2dae5dd7dc924b64e45a5e831
- SHA1: abae00114caf6af0927deae70295a62adb8737e7
- SHA256: 22b08a645804b31fa9c5c3b99c45bf1abe15a10ad9fe49256e6397b4cea90186
- SHA512: 96e7df730b4316a28d1682b28d81b32c99c877b1dad363f060cd73b512c6e407b3a8e92988b0ce9bdc681d3f08612d0dcd229af93c115082f49fbf6c50b1ff97
- SSDEEP: 3072:t8Dsp+FNX1dFOvDlXJulh1l5Hw1PaxwJSY3pS7q/y/Ds1xZ0TAxiFK2HkoHd:t8dNXSElh1lxq7ZpQqa/ExZ0WiEQkw
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
- Family: cerber
- URLs:
  - http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F
  - http://cerberhhyed5frqa.onion.cab/F397-60EA-D90A-0291-1C1F
  - http://cerberhhyed5frqa.onion.nu/F397-60EA-D90A-0291-1C1F
  - http://cerberhhyed5frqa.onion.link/F397-60EA-D90A-0291-1C1F
  - http://cerberhhyed5frqa.tor2web.org/F397-60EA-D90A-0291-1C1F
  - http://cerberhhyed5frqa.onion/F397-60EA-D90A-0291-1C1F
Extracted from: C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large (16389) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes: 2204 bcdedit.exe; 668 bcdedit.exe
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe, MuiUnattend.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\MuiUnattend.exe\"" [3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\MuiUnattend.exe\"" [MuiUnattend.exe]
- Deletes itself (1 IoCs)
  Processes: 2404 cmd.exe
- Drops startup file (2 IoCs)
  Processes: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe, MuiUnattend.exe
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MuiUnattend.lnk [3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe]
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MuiUnattend.lnk [MuiUnattend.exe]
- Executes dropped EXE (2 IoCs)
  Processes: 2940 MuiUnattend.exe; 2764 MuiUnattend.exe
- Loads dropped DLL (6 IoCs)
  Processes: 2092 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe (x2); 2588 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe; 2940 MuiUnattend.exe (x2); 2764 MuiUnattend.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe, MuiUnattend.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MuiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\MuiUnattend.exe\"" [3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MuiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\MuiUnattend.exe\"" [3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MuiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\MuiUnattend.exe\"" [MuiUnattend.exe]
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MuiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\MuiUnattend.exe\"" [MuiUnattend.exe]
- Checks whether UAC is enabled
  Processes: MuiUnattend.exe
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA [MuiUnattend.exe]
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 3, ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: MuiUnattend.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6DC1.bmp" [MuiUnattend.exe]
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe, MuiUnattend.exe
  - PID 2092 set thread context of 2588 (3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe -> 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe)
  - PID 2940 set thread context of 2764 (MuiUnattend.exe -> MuiUnattend.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  YARA matches: \Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe matched rules nsis_installer_1 and nsis_installer_2
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: 2320 vssadmin.exe
- Kills process with taskkill (2 IoCs)
  Processes: 2904 taskkill.exe; 2268 taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: MuiUnattend.exe, 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\MuiUnattend.exe\"" [MuiUnattend.exe]
  - Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop [3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe]
  - Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\MuiUnattend.exe\"" [3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe]
  - Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop [MuiUnattend.exe]
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
- Runs ping.exe (1 TTPs, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes: 2764 MuiUnattend.exe (x24)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe, taskkill.exe, MuiUnattend.exe, vssvc.exe, wmic.exe, taskkill.exe
  - 2588 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe: SeDebugPrivilege
  - 2904 taskkill.exe: SeDebugPrivilege
  - 2764 MuiUnattend.exe: SeDebugPrivilege
  - 288 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - 1936 wmic.exe (the full list is adjusted twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - 2268 taskkill.exe: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: 2272 iexplore.exe (x2); 2428 iexplore.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: 2272 iexplore.exe (x4); 2428 iexplore.exe (x2); 2464 IEXPLORE.EXE (x2); 2776 IEXPLORE.EXE (x4); 2452 IEXPLORE.EXE (x2)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe, 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe, cmd.exe, MuiUnattend.exe, MuiUnattend.exe, iexplore.exe
  Writer PID -> target PID (identical repeated entries collapsed, count in parentheses):
  - 2092 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe -> 2588 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe (x10)
  - 2588 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe -> 2940 MuiUnattend.exe (x4)
  - 2588 3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe -> 2404 cmd.exe (x4)
  - 2404 cmd.exe -> 2904 taskkill.exe (x4)
  - 2404 cmd.exe -> 2636 PING.EXE (x4)
  - 2940 MuiUnattend.exe -> 2764 MuiUnattend.exe (x10)
  - 2764 MuiUnattend.exe -> 2320 vssadmin.exe (x4)
  - 2764 MuiUnattend.exe -> 1936 wmic.exe (x4)
  - 2764 MuiUnattend.exe -> 2204 bcdedit.exe (x4)
  - 2764 MuiUnattend.exe -> 668 bcdedit.exe (x4)
  - 2764 MuiUnattend.exe -> 2272 iexplore.exe (x4)
  - 2764 MuiUnattend.exe -> 2644 NOTEPAD.EXE (x4)
  - 2272 iexplore.exe -> 2464 IEXPLORE.EXE (x4)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree, indented by parent/child depth; each entry gives the image path, the command line, and the signatures it triggered.

C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
      - Adds policy Run key to start application
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies Control Panel
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe
          Command line: "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe
              Command line: "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe"
              - Adds policy Run key to start application
              - Drops startup file
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Sets desktop wallpaper using registry
              - Modifies Control Panel
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\vssadmin.exe
                  Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                  - Interacts with shadow copies
                C:\Windows\system32\wbem\wmic.exe
                  Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\bcdedit.exe
                  Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
                  - Modifies boot configuration data using bcdedit
                C:\Windows\System32\bcdedit.exe
                  Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
                  - Modifies boot configuration data using bcdedit
                C:\Program Files\Internet Explorer\iexplore.exe
                  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
                  - Modifies Internet Explorer settings
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2
                      - Modifies Internet Explorer settings
                      - Suspicious use of SetWindowsHookEx
                    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:472065 /prefetch:2
                      - Modifies Internet Explorer settings
                      - Suspicious use of SetWindowsHookEx
                C:\Windows\system32\NOTEPAD.EXE
                  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                C:\Windows\System32\WScript.exe
                  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                C:\Windows\system32\cmd.exe
                  Command line: /d /c taskkill /t /f /im "MuiUnattend.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe" > NUL
                    C:\Windows\system32\taskkill.exe
                      Command line: taskkill /t /f /im "MuiUnattend.exe"
                      - Kills process with taskkill
                      - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\system32\PING.EXE
                      Command line: ping -n 1 127.0.0.1
                      - Runs ping.exe
        C:\Windows\SysWOW64\cmd.exe
          Command line: /d /c taskkill /t /f /im "3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe" > NUL
          - Deletes itself
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /t /f /im "3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\PING.EXE
              Command line: ping -n 1 127.0.0.1
              - Runs ping.exe

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Downloads
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: dcdef4a832226e31054ba5a392c78549
SHA1: 0257e4b02ec54a691fb25a2b391ffc063f8cbed1
SHA256: e1706dc82ba43cf99dbb68c2cfc4a80fb08a70701c3081bf0275afb2855a7b5e
SHA512: 9c61a135a6b9a928f2ab3f22597c5f8d73659d9eb9e1347461156bca8d4d7d55519c0001f9543eabe4640e8d004787d9c6ad36f1957ece24315b97d3e60eebdc
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
Filesize: 83B
MD5: a42b14cd005245ba3a3fc50e2a834336
SHA1: 8cbd1295eef95509e3665310276151104ec4cba3
SHA256: ed3cc55d39420547e23b9f93d6a2b7ec536052271d28573a69b793fa4b0ab378
SHA512: 27ec033a22096207721fbe84ea4012d6dcac7a01d10a5efb3ae62fa492a6e567424502353a4dd171588d293be06d04aa72db2511970dd3f76d8504ff257ba8e4
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
Filesize: 219B
MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Filesize: 12KB
MD5: eed067f81c69135e85018c5d87e986ea
SHA1: 06634661db59ee83da2355d3f511def22870061c
SHA256: 5737919403c58ed50ad6a209e6db10f037ef6c0777c8449f0d416502a4e2ca0a
SHA512: b94a5fb422784af7c472d43aff74b1d6458c0d349ea4dbea7090bda1cc08ceb1f5d72733d8b5e06cc76b803aa4921a97c72002ef6da025220acf6a5d483208b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: bd6928fc5b122f77c08a0ee8643475f2
SHA1: 9aa9b56b561ee2147baa0bbd0ea92810295207fb
SHA256: 8ba679d2beab470a31b3df97024271adeef0c5596cb7672cde59c8e756639c2e
SHA512: a9e9db5a1a943ec87c16fc82133dc1fcd48c0154b90fb49d69e6b3f872d3db7fa64df13213c7c6b8e4c6cb51e0ee9b7e6fe969201ad54f3c0d816227384025df
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: 25d818b84049f20eb6dce8d77193f38f
SHA1: 850e01b34ee4cc50f50c4fa17833845f13e04ef7
SHA256: 1687915b7aed1ebefb595d7dc7edfe9168eebe576bc47baf906b378a4ec596be
SHA512: bb0d423f2953fb4072d32a48f7690eca05ab2bb9b67560e9510a97c3b705e94b0b56b811c4237cff837bdcba8060068432ff242ae761d02ec94086a85d1b7192
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: cc320f4b7afc4d45c34277e764c1e230
SHA1: 9b4fcb330a7d26bbadf0fdf29ed7f0d89488ad09
SHA256: 3535c0a4f472bc535a94f2987076da586d04882618db072097268ae86d1436d7
SHA512: e8153af9c7f757201bc3aacd55847fb1ae1261db8a0a62b0dac628263b068c76c4895185e5c6e851675351ba3f3f7641d60323063f012c1db8a0593a8169a1bd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: f4d6219610811d9d9d80991e591e200e
SHA1: f29d1b03578b36fe382edb2f9ec72b38671229d9
SHA256: d6df74653209156b58e545a5014e4f91849e4e3fbf48a92a2239825147df8169
SHA512: 2d7dac56cb007bead0e749e2e7014a8895a17fc8101b058bde90e74c328b274e3f4c3b8c8bd80ed5ef99b7e29c383fd6d396f3e375fb31bec7cf0c2075c9314b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: cbdb0b17cdc94e36a755c8b1bc2b99ba
SHA1: 1d1c429bc1b444e6f5e1ba2276e66ada6b62beed
SHA256: d65eb9232c44ad1d736edc5e60d68a209537ce1afbdb62b82aa3fcdce1cfd585
SHA512: 78efa1eb4f2be37054419ddf947df03adca89d681af051680e49b8e43601521bf12a12817902222f1c0ad3f1a715c4c3434a53ddc35fed7a2168509badbf01b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: 61921e4395a8f7bf9852ae2e1c4b4c92
SHA1: 734a9652417f88441193bb7e3a765993d70560f4
SHA256: acfd8b95249a8b4579f92fc9d46c8bd7569d5550fbe403edb67edb25ea51c1be
SHA512: 27f2d128c9c4f56539c176da55c2af14c4a295c4dd85be7f4601be897f25879b0b8023fc9942b07ce29bd91a386511348246f3293772957572af387cba6ed05b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: 0a2891fe3e8a9321e81bbe84a25f87a2
SHA1: 7b15ae984df1441ab52621e6cb8d1855b944ecca
SHA256: 7d88f97a31f6da63f11830ce0fb07651571c77d8e88bbf5dfc3debf8b9585a4e
SHA512: 05c0587ba9fe1f58b241c163051debe9fab8c36d4e14a5d4ccaf90277dcc130933d948293610097497b6b562055fc406f5eb867729ba70fcf7d383bcc00dc684
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: e874a45d288e95dbce598fc2cd6ff03e
SHA1: 0851a631401d891db27a7f7fe25c6b58490b187f
SHA256: d9d10e7879825b76e8e79b1d942ca47595cb003daeda8e18a9738e6ccca8aedc
SHA512: c0096519a28d2eba3a3bf84e90e55d152cbf24cb64a1095411f4b3a9e55cdfd975fcba967ad9245ed3784b67a4f17dd94cd51db7ac7383db27b00f1d497ccb56
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 304B
MD5: 299ab9b44697d42eee82a848a7dcc240
SHA1: e791972d9e07da596f93faefc9eccd18ea67d4b3
SHA256: 02e8e0902716ba27608d041e4920a7908d2ae0fb078ad56bc0936b4123881cf0
SHA512: 7c09c9535b65e55124c4bae029b0ee2a8a303bd8b0ba0f7afe886e07db00f350586cddc92038cbdd7a8b92da1090e4fe3b81d1cb83296bd1776015f55cb9c21f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A25BBFD1-1098-11EF-82B1-CE167E742B8D}.dat
Filesize: 5KB
MD5: cfbe17f82da3890c33964aa084775672
SHA1: 8da7ab11b5c20df4f18d560df71b0c56315944b6
SHA256: 5d3acaf5ae9a32371444c5e6b10ad36e0bfb0c81a0055601f7d50267515cd94a
SHA512: 7f4f271a3bd068decae644b7a69c6c7b0047f5ed8a3b937de282622f2d36df212a54fe503f96dd3a3f0625816ef8c370dc8dddce4591d422482104deded0d111
-
C:\Users\Admin\AppData\Local\Temp\Cab846D.tmp
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Cab853C.tmp
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Tar8550.tmp
Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Lustreware.29L
Filesize: 1KB
MD5: 7d198b33fbcc5c4ca09364a1d403ba26
SHA1: c98ee26d73ae6348354592aee7171ae0b9a8126b
SHA256: 0e1c39c1b96dfd186e1656afdd6faa70473c4e4165ed4a822feffa9aba3107ff
SHA512: 0c0063f01c9e6cedaafc11a8b97fabe9c88862570ffd0af9345bebf0f754bd549a486fc622089efb74b8835b7f5fc2759624f80ea2d49b731749c7ac7e0d1112
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MuiUnattend.lnk
Filesize: 1KB
MD5: 6ca682edb76b2f4a31cef7980896721b
SHA1: f2e45fcf706200f4d4eb8847ba990f4e68521d31
SHA256: 1686b161ea352ac9917614868f795a2f40741eefb54b50a522f7d14679bf7b2c
SHA512: cc605b8d181f32eb80e3d7fc844bcf2dcf3a77e239514565514b554a217379b4d71c67b037bcd84231a9f3f9e9e8a7ac073c26e635ee42437f419b471bc81ff5
-
C:\Users\Admin\AppData\Roaming\PuckBoutique.A
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\nso1141.tmp\System.dll
Filesize: 11KB
MD5: 883eff06ac96966270731e4e22817e11
SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
-
\Users\Admin\AppData\Roaming\CDRom.dll
Filesize: 26KB
MD5: f65d5bc68f1fb11619ba6b464913dce2
SHA1: b67b2d285b64209eaa6a7011f244992f39509d22
SHA256: 7b342d996d54d971e4910d0a53e7b120a926c01a3fd173d98bf00e8d52e32af4
SHA512: 331eeabf497202aff3dcf1c8c9545b9ee60a6f02c3cb13cd827410a9b0fa63f2c29896db2ab50c06abef8a31169490dc487021ecd4c3ba51acc011af61f2e769
-
\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe
Filesize: 170KB
MD5: 3bc88ab2dae5dd7dc924b64e45a5e831
SHA1: abae00114caf6af0927deae70295a62adb8737e7
SHA256: 22b08a645804b31fa9c5c3b99c45bf1abe15a10ad9fe49256e6397b4cea90186
SHA512: 96e7df730b4316a28d1682b28d81b32c99c877b1dad363f060cd73b512c6e407b3a8e92988b0ce9bdc681d3f08612d0dcd229af93c115082f49fbf6c50b1ff97
-
memory/2092-23-0x000000006C980000-0x000000006C98F000-memory.dmp
Filesize: 60KB
-
memory/2588-28-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-44-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-14-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-11-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-22-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize: 4KB
-
memory/2588-18-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-16-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-12-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-26-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2588-29-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-75-0x0000000002FA0000-0x0000000002FA1000-memory.dmp
Filesize: 4KB
-
memory/2764-70-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-71-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-468-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-470-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-73-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-80-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-77-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-78-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-83-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2764-82-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2940-67-0x000000006C980000-0x000000006C98F000-memory.dmp
Filesize: 60KB