Analysis

Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15-05-2024 17:32

Static task: static1
Behavioral task: behavioral1
  Sample: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General

Target: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
Size: 225KB
MD5: 4741333a78be539951c661ddbd47442f
SHA1: e642cbf75a235b76f2f7ec6b8222d21ec518ed98
SHA256: 5fb92c512e17ae11f78d2c8eca04440fd89bd32e0b0bcca3d86784f7ab5581e4
SHA512: 2b159ae11a567060ac0e17fa85da98ac334cdf1b6edc1d4179bfa879116e15349003d657abc2555b1b13240e40541c3bd3e69ff282cc1b4edf6f1bc3caac3a24
SSDEEP: 6144:Mg1KQjoGwizt5vq/vPWLbxOSin2cNUt+J+gr:SGws2+LISi2E0+Jxr
Malware Config

Extracted from C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
Family: cerber
Extracted from C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Contacts a large (16404) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B57C951B-33C8-2D1D-8AA8-20866904D814}\\ieUnatt.exe\"" (process: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B57C951B-33C8-2D1D-8AA8-20866904D814}\\ieUnatt.exe\"" (process: ieUnatt.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (process: ieUnatt.exe)

Drops startup file (2 IoCs)
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ieUnatt.lnk (process: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ieUnatt.lnk (process: ieUnatt.exe)

Executes dropped EXE (2 IoCs)
Processes (pid, image):
- 4784 ieUnatt.exe
- 2816 ieUnatt.exe

Loads dropped DLL (7 IoCs)
Processes (pid, image):
- 3076 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
- 3076 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
- 3076 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
- 4784 ieUnatt.exe
- 4784 ieUnatt.exe
- 4784 ieUnatt.exe
- 4784 ieUnatt.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieUnatt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B57C951B-33C8-2D1D-8AA8-20866904D814}\\ieUnatt.exe\"" (process: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ieUnatt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B57C951B-33C8-2D1D-8AA8-20866904D814}\\ieUnatt.exe\"" (process: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieUnatt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B57C951B-33C8-2D1D-8AA8-20866904D814}\\ieUnatt.exe\"" (process: ieUnatt.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ieUnatt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B57C951B-33C8-2D1D-8AA8-20866904D814}\\ieUnatt.exe\"" (process: ieUnatt.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 32: ipinfo.io

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDFEB.bmp" (process: ieUnatt.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 3076 set thread context of 1596 (4741333a78be539951c661ddbd47442f_JaffaCakes118.exe -> 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe)
- PID 4784 set thread context of 2816 (ieUnatt.exe -> ieUnatt.exe)

Drops file in Windows directory (2 IoCs)
Processes:
- File opened for modification C:\Windows\flophouses (process: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe)
- File opened for modification C:\Windows\flophouses (process: ieUnatt.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
Processes (resource, YARA rule):
- C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe nsis_installer_1
- C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe nsis_installer_2

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, image):
- 4880 vssadmin.exe

Kills process with taskkill (2 IoCs)
Processes (pid, image):
- 1724 taskkill.exe
- 5340 taskkill.exe

Modifies Control Panel (4 IoCs)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop (process: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B57C951B-33C8-2D1D-8AA8-20866904D814}\\ieUnatt.exe\"" (process: 4741333a78be539951c661ddbd47442f_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop (process: ieUnatt.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B57C951B-33C8-2D1D-8AA8-20866904D814}\\ieUnatt.exe\"" (process: ieUnatt.exe)

Modifies registry class (1 IoC)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (process: ieUnatt.exe)

Runs ping.exe (1 TTP, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (42 IoCs)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)

Suspicious use of AdjustPrivilegeToken (51 IoCs)

Suspicious use of FindShellTrayWindow (25 IoCs)

Suspicious use of SendNotifyMessage (24 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe
        Command line: "C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe"
        - Adds policy Run key to start application
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Sets desktop wallpaper using registry
        - Modifies Control Panel
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\vssadmin.exe
          Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          - Interacts with shadow copies

        [depth 5] C:\Windows\system32\wbem\wmic.exe
          Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd23aa46f8,0x7ffd23aa4708,0x7ffd23aa4718

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2599187151476065042,9855846638640506580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1824 /prefetch:1

        [depth 5] C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xmfir0.win/0431-A279-F511-006D-FE2A

          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd23aa46f8,0x7ffd23aa4708,0x7ffd23aa4718

        [depth 5] C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

        [depth 5] C:\Windows\system32\cmd.exe
          Command line: /d /c taskkill /t /f /im "ieUnatt.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe" > NUL

          [depth 6] C:\Windows\system32\taskkill.exe
            Command line: taskkill /t /f /im "ieUnatt.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

          [depth 6] C:\Windows\system32\PING.EXE
            Command line: ping -n 1 127.0.0.1
            - Runs ping.exe

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /t /f /im "4741333a78be539951c661ddbd47442f_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\4741333a78be539951c661ddbd47442f_JaffaCakes118.exe" > NUL
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /t /f /im "4741333a78be539951c661ddbd47442f_JaffaCakes118.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe

[depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[depth 1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4e8 0x470
  - Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix (ATT&CK v13)

Downloads
-
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Filesize 12KB
MD5 c79bec354cef77402e41dcc81924d51c
SHA1 e3ba664ab3bfb6751d08838eb7df972deebb3998
SHA256 43f71c8f5d5f9fdb6d4f556ec69972e5a83c54502725f368ac992461313515b4
SHA512 2dfc643c2842e7225731442cb99049d7e45ea1858d4759a5b4392df05a3e7b55deb13a873879ca67b4d2116cdaa58383f2f30d29a5e3643b53d368056fcf03f4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 8b167567021ccb1a9fdf073fa9112ef0
SHA1 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA256 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 537815e7cc5c694912ac0308147852e4
SHA1 2ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256 b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA512 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 b6ff413d711167f3042fbe3fd5022e84
SHA1 1df87f943f52ab5cad920a1e481fa5693781aac8
SHA256 1144cac194c85a5f31209372d8ccdd27a4d7d8a7628a3401273ff4d017074d58
SHA512 9a2ecd15053d1e35826312601d8d55b2bf8221fafeea01d4d6029b17009dfad5a82780c888ecbaf5d067210d7f6fc35d06acccac11e1c3a365669265f8742a50
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 7fd38f5c87d72c121ae043052ed68e1e
SHA1 9b97a9f8ab06bc8313393a5eaf96e888771ff29f
SHA256 2228e2c5ca29953238a50fbb58b5735c7aef3d3e1a94b528aaefae4ce47f4447
SHA512 0bba78408136e4f9af5cf020704cdf25de3652d53d19a20ab86391f717f46857c7be8427b75fa77be0cbf169fc8a4284bd158afb11cee0d0dd8086f535dba78a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 cd5596ac50099a9d33857053fb8154a3
SHA1 dd12426e4fd75443c9c5dfc6307d37abfe31ea97
SHA256 0d83492c29bebf075c8573268e71b1c88e1f204292d22a5d219a4d532fced3be
SHA512 ab74e88fb1172cc43b872e00da6fe6aa73320f63d01fc1a7dd1398d306a9832f54d86f4855e99da478ddfff26cfcad1987a06e5960840673bd8a1e7f1ffb6a53
-
C:\Users\Admin\AppData\Local\Temp\nsf2CCE.tmp\System.dll
Filesize 11KB
MD5 6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1 b6ac111dfb0d1fc75ad09c56bde7830232395785
SHA256 b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
SHA512 a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8
-
C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.vbs
Filesize 219B
MD5 35a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1 a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA256 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA512 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
C:\Users\Admin\AppData\Roaming\1047x576black.png
Filesize 4KB
MD5 7ed0ada46ab3a86299bca20b255a685e
SHA1 658c094d23172a564034be21db111fadef455bbf
SHA256 fd62ff7938fbea377931a0bd6f15aa834adb38574e851bf95fc4c2892f82c89c
SHA512 92d32f625c205daf4f5fca4317277eece9cb02fdd5a09289b1e466e8e3a3b8caa00f0d2a2663e791d0f4101cdaac0b9435438b06ff19171c0cbbb97c1095373d
-
C:\Users\Admin\AppData\Roaming\404-2.htm
Filesize 1KB
MD5 78f1a9d75f7e25e5e14ea3804e7102d1
SHA1 878e200221853fc23e8d1e338cb6030d4a2bf39e
SHA256 c43f04e0a10120ac19d2b1fc162887e56759409a6233de3c14366ca97a0a5f80
SHA512 fb37cf9f45d9366abdb307c364ac8e5813abe758516ace319a0afce8103afb558d78bef9e83be0e24a098ef93192099150b63158ada65f070bc77ab4d75bc959
-
C:\Users\Admin\AppData\Roaming\406.htm
Filesize 1KB
MD5 3ecc8613572d7e5b305bf90f59f9be58
SHA1 9627e5b8dcf39a6a9f48c4d770f0ca7e49748f78
SHA256 9b29d1934ff2f61d0583b4f31496aa053473d631653f04845d695326419f2424
SHA512 930b00b4a3863cabf53e678e4a99094a328b1d49e0c2a3d5e3cf480fdc87b99707c381650a9f076d99f7c4a4b41586f2bbce78c976ca5e0f2a53a2edf2c6f700
-
C:\Users\Admin\AppData\Roaming\7.gif
Filesize 907B
MD5 3b65f2e2286842f3df086d355aceb01b
SHA1 079d7bd2561bc0d4921dc3842071d6bfe8caa68b
SHA256 3a3f2e5fa85bca0e33c9fe947820658177ae754eb212782f863bc1d55119357b
SHA512 87ecac60ec60558770e5bb489f6486401370b54b84eba13c55d67bab5311b6b708f94e15c85ba42137f98e7b0bdfa4d4c05d327eed041bb165cd7b8f1c21ed69
-
C:\Users\Admin\AppData\Roaming\7.gif
Filesize 1KB
MD5 746a12f10d4eadd55a89f36b8faf300c
SHA1 73fec37fd50aeff90b2370140ac6a57d69985c43
SHA256 00696a87d4827368cffd4a509562925bc79b66a1d0a97be510c7a8c67df2bfe6
SHA512 3c22a6a3c92de519ae5b45615a0f180c89699a50b19281a09109cfef993cbb389e008c82cff6da974c6a7da5ea1e51eec03ee2fe9442fd8e2826636625d5d528
-
C:\Users\Admin\AppData\Roaming\7.svg
Filesize 1KB
MD5 d2e2950f9f4ccc910ede5b372598baf3
SHA1 a84d8cc9b700a196db4cf9ca26d20e429fb43e1b
SHA256 388e30970607450766c09e78a9e9344f97cc130666dd16973ab693eb450d6d31
SHA512 35b205dab690bf6f188e9b432f86bf9740de85b351dff60837a2bd08b1e35952f545bf9932f1f7a9c5b84f01c961942f08cdccae9ede448d5dfed3b9294d9664
-
C:\Users\Admin\AppData\Roaming\BMY red 3.ADO
Filesize 524B
MD5 f603a2c217b5b63995d8c39730d35491
SHA1 bb25bbde47ecb5f2c40db35c9bd4f6621a403337
SHA256 bcda37996eadb7820490356c0f70c4f47811bea513b48de5e1566c6f365945e5
SHA512 c2ff6fe9761eaaf520678989d516819349aa585d872dce806aca137ae23e934fee8a1462eed68cfd4cca15db40ddd02e9d32f9c4f9b69f46c267162cfa2ceb8e
-
C:\Users\Admin\AppData\Roaming\Choibalsan
Filesize 449B
MD5 c3d77a7327602f3ef5d81c5fa45e3311
SHA1 dd5fc349c0377248989a596ec2571f10bd563994
SHA256 c7f453fcc2ac619ac906b694c9ba90a876acbd3e7e01862d2966585de3323584
SHA512 f29f7f5c52691041f0feea5837a89c7f38aa2f4e37401f09ba560955f9cc1de0f8df61b5e8fbfdeba9f7afc1e5b93c4bb4be345396c1cf11b931f378311b0e91
-
C:\Users\Admin\AppData\Roaming\CommandTemplate.mws
Filesize 4KB
MD5 c3f6ff0818d66a2a3725998f5c44ffa4
SHA1 127417dc331619716ba8f3b3aa63d23d0c59c443
SHA256 fd5d297ec3edf6973d7c2cf834dd8fbd7ded61748ba82f3e259507f30eee09f3
SHA512 c69b0cf5e2f62a1b5be3137fda26d1d3c5cca810b845f2c51e8c5253297bffcabcedb845c322dd643cd467504f82569545f1c03626b0d60d59d604845722b6e9
-
C:\Users\Admin\AppData\Roaming\DEU.zdct
Filesize 1KB
MD5 a0a1920cffb51a8ac629fe603a1769af
SHA1 7cab3cd12f20a6c76554a58eb70470446b7a63e1
SHA256 e2f92b3123f18a3445303862c16acdf82b133783ac52ed61094168f83935f7da
SHA512 089c78f98acf74217904b9709f33dabbca5e7f40419e24cfc5ca82492f353e4b5a090d764cd8ce842b06217edf34ba6d374b0bc5dafa6729b7d43c5e32a24b6c
-
C:\Users\Admin\AppData\Roaming\Dibranchiate.J
Filesize 113KB
MD5 fb262871a32ae1bae9ed58901fa71f98
SHA1 ffa6bfb134d7fe6c670b10ab48075d767b2dffbb
SHA256 c5e522c13dd07ea3b3184d6be278715933043cf9851265c2cedd6f9a4542e573
SHA512 5fb20b93854ac72a8bfa4986f7fdce43bedc30bbd81a1611e7a034985537c455709a7a713defba76914ea31a00d04f6f0de654df40daae909506d92b7496bd82
-
C:\Users\Admin\AppData\Roaming\Frosted Detail Plastic - Frosted Ultra Detail.3PP
Filesize 1KB
MD5 f3ea89e2ff94329f2fe06046f3397131
SHA1 813d806951418ae29f8d6514f1e8619e09bb1c0e
SHA256 c8588b373d6f9e4445a7f0420e86f0ead65284c78a28866f6979a80008f1dfd1
SHA512 5ba1c20e1fd834cec01d505be15bb19b0e67d63eef4856890fe41d8f6d206f1cb3c2b4f5e0321c3ad669bfcc6c28028827b1b7447993e6422df2c026f8214478
-
C:\Users\Admin\AppData\Roaming\GMT+11
Filesize 27B
MD5 41dc583620885308274e1af0be12e78e
SHA1 9f96a25b7539ebc2a5bc0661b65a03992b63e210
SHA256 f3236a2b39954dc659c25482fde3dcdc735b6b6829e3827bedb7c8c8dc72dd54
SHA512 ec50aefdae3b9e276b1ca87677dbb89841a91169350eb88da1bd61b84726c8ffd19de6ab037bc0159a16bd44587f01daa3421298640c168ac2562a66170f9e3e
-
C:\Users\Admin\AppData\Roaming\GRAY.pf
Filesize 632B
MD5 1002f18fc4916f83e0fc7e33dcc1fa09
SHA1 27f93961d66b8230d0cdb8b166bc8b4153d5bc2d
SHA256 081caac386d968add4c2d722776e259380dcf78a306e14cc790b040ab876d424
SHA512 334d932d395b46dfc619576b391f2adc2617e345aff032b592c25e333e853735da8b286ef7542eb19059cde8215cdcea147a3419ed56bdd6006ca9918d0618e1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ieUnatt.lnk
Filesize 1KB
MD5 490d4463d06374c1de36cefcdbb14360
SHA1 f6d32bf93b1f514d32952af467692aca7d874ac4
SHA256 121698f47075fcfc49c4530404adc4d7542b8cafd0413cff1880a63396b42771
SHA512 54839dd8458cf0f7a744d2ce829df86b8a14fd5329ac45db3955ba341c0c2f8dd89039a1dbb293367be7faf16dd86cb8fcce463f1bcd11ad83647e013c8f0086
-
C:\Users\Admin\AppData\Roaming\Services.dll
Filesize 57KB
MD5 bc9a77439744af3f7fad690872190509
SHA1 e878df68c65b47e3de3d0b23666718668250a462
SHA256 0ea3132bf6bb7290b373174a82f9112bcda8d745174d16d364aefb6fa66c79a7
SHA512 40bcacdb105077ed814fe25bad7f32a680624f106e1e06a6bb0c17522839d9ae6745c00c02664f4329aeb10ae849df4f02cc37651449bb89b14ae571f17ba8ec
-
C:\Users\Admin\AppData\Roaming\Skullduggery.amx
Filesize 1KB
MD5 c38a9a83d65b6e83d9b71eedb039bbb9
SHA1 2644f2ea208a6bb4d895c260a9f91b226d813a27
SHA256 413e764638d70f96e9032c06c489eda58318eccb6ac8225aeddb18ff82d41cc9
SHA512 d83b1078fc46df5563c49dda178bf1e7910f883d2ecde82d3f6c16968632b8db3ab7f38339cd0d306f99f469e3401ed2cd870270cad18998b8dc616cb0d8091a
-
C:\Users\Admin\AppData\Roaming\add_licenses.png
Filesize 1KB
MD5 e8a2b07854032ed884e15558d45cf227
SHA1 733914f98c81adb9ca0e0c5e90a264e446c7308a
SHA256 441d8eac3139cc3d28d7f3ca5f8412a99f0ef37466d1d578abfdc315b4840d7e
SHA512 d13ea83232a9d76049e9b79ba70bea422e51fd113505082da81044d6ebfa10c1b4510507b960f2b6d4c66f82a819c586416645e5fc4171ae2d08b24a7bff3391
-
C:\Users\Admin\AppData\Roaming\add_licenses.png
Filesize 1KB
MD5 f45b055127acd79ca0d98cbf168bd1d5
SHA1 d6966507ccf14917d1f39bf9750daa8e424eb5df
SHA256 5b433ecb62dc22e37c5ae6672d91c32de214c0949672f2fdf98e66e06afa9680
SHA512 7f4b15c3cc369a3f14488b064664734939737ddb2e02df550557446169d9cd22f68b931cf385e4b4f03d7a9f1d01f7d8387de6445bf939d710386cebba997a93
-
C:\Users\Admin\AppData\Roaming\app_updater_body.png
Filesize 3KB
MD5 984ba7332a9dbada93fa91e7b82a2258
SHA1 06c4dff2cec4bf5851ec9d7d030ae7ba778344d6
SHA256 c2b4629a5c4afe4cb70e2a28a8d143db01bc174c1636be15090f02c8b37f37ff
SHA512 3f9a6311c59b342fd42a63ec8b10f75c7ead039a447f474a113c23d2bcedc6e02e3068a6ef95cc9b79cd36a39af078fdff34b90ecafb8e5a0d9cca3c1c6aea69
-
C:\Users\Admin\AppData\Roaming\app_updater_body.png
Filesize 2KB
MD5 86c9a4c802b04a554b3829d4be312828
SHA1 773f47126a7a7fa0aa23e1ca894d9912df2f57ac
SHA256 ceec03700eee7c9342a537d53ab8cb25d1e7e2c152ca9d977045dc0d22364d8d
SHA512 99244fe9a66d7f30589054b0f33a21ea5b4ea7f47dad6ed4301aa2c652277b345eca8ffbdc4420d86dcc6163e570baf59dbe3f7dbff7f88bd554733cd6c6504a
-
C:\Users\Admin\AppData\Roaming\arrow_up.png
Filesize 2KB
MD5 07b3126cfe4ab7297cbc21fde173c930
SHA1 95fc835cfe39e9a938696c5bf5020a6a3fb75369
SHA256 7ca400062c5571a845b5968a4cb4c46e0588511b7776d30f8d418ae753bb067d
SHA512 ea7ec034541f34753a7d580c052e1c9dbeffdf2bc730874ccad54bfdd548928eaed865b8223a1fda3f4bd9010bae7c9b5315b5a02f451bcb35f935db6e200a42
-
C:\Users\Admin\AppData\Roaming\article.appendix.title.properties.xml
Filesize 1KB
MD5 adb1a285a2b926f98c062fbb74e1e992
SHA1 1f9799a61072673042a1a3da0fdf3fa93cf10f90
SHA256 4ba4637bffa741ba5619c3de97b6c209b5a9deb330385efc7a588492a98b7b45
SHA512 aa65628e34601645dfcdcb1f5f0347ae84555bd1a99432d4c25a50044dae932385bfa1f50551f6577d184de684f9264743facb53f4aa2e46bdfeff5c85bc6bd7
-
C:\Users\Admin\AppData\Roaming\blank.png
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\computer_diagnostics.png
Filesize 3KB
MD5 bd8078dcc074aaebdc63ba53082e75c2
SHA1 a3887f75154e5de9921871a82fe3d6e33b7b5ba7
SHA256 9e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e
SHA512 9a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66
-
C:\Users\Admin\AppData\Roaming\copy.js
Filesize 154B
MD5 77ea68c673c183a92ecc07e600e956a8
SHA1 c2f17a0351e2c9361580408eef9e19b16c0a0fa3
SHA256 a7e7893e6867a93582a0e78dfa1261145068e01535db0d157409be338dd0d0d8
SHA512 886664c977d8ac7e251a8a2730d6c2fc207026f18e93a5c3676bf42ce64ae4125ba058e570788467f989e8e91e49463fbdd1661a47f664ac17c38d568551d61c
-
C:\Users\Admin\AppData\Roaming\dutphon.env
Filesize 2KB
MD5 d3fd7121b844308f5e0d98218b25f7a1
SHA1 57eda098a5ac50befbbaed81c9358542508d2025
SHA256 3f19660f2ffcb1b75ce092e05a9d02128025f89a378cfa302a3fe406c065139b
SHA512 0512e3887235754102c623ba704421c745f43d5300a8dd31cc79d1d70a537158dd5a2a25e8e0eab69dfd8cfa234a437ebfa89abafb5c31dcaf28f745a17feca5
-
C:\Users\Admin\AppData\Roaming\example.xsl
Filesize 2KB
MD5 ccfab72640a4d5de19096e61cc1111e7
SHA1 e5f992187707c256949fee3987482de01527776f
SHA256 963cca28032d4a5e5fc05cb3cb509ac235bd390161fa862611ee1543ae5b744b
SHA512 93d7a787626f9444527574257a41266512565a5e3543b1026984ec5b2e606b8339d5a5901059b8e7fef502f62be50992d7bbe96522d7536ca4341bb9a4f1cc67
-
C:\Users\Admin\AppData\Roaming\green 349 bl 1.ADO
Filesize 524B
MD5 1289782651c9af159c54bd25c344a26e
SHA1 5ff702833f8e0b9b2bc066d7de9e9d3885984135
SHA256 82020a2103aa444d0b44638ee2666fa3f077af7b5dda85433607d871d103fc39
SHA512 afe7c5e2df5643fec0c486c7efd9b8a440d2ac9631b70369e35b14561995ca91151c1859ef2d49e20621652cf38f024ea94898ff4c2b258380f5a92613a3df51
-
C:\Users\Admin\AppData\Roaming\{B57C951B-33C8-2D1D-8AA8-20866904D814}\ieUnatt.exe
Filesize 225KB
MD5 4741333a78be539951c661ddbd47442f
SHA1 e642cbf75a235b76f2f7ec6b8222d21ec518ed98
SHA256 5fb92c512e17ae11f78d2c8eca04440fd89bd32e0b0bcca3d86784f7ab5581e4
SHA512 2b159ae11a567060ac0e17fa85da98ac334cdf1b6edc1d4179bfa879116e15349003d657abc2555b1b13240e40541c3bd3e69ff282cc1b4edf6f1bc3caac3a24
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.url
Filesize 85B
MD5 04dba0137e322946b154e75e9801ec94
SHA1 3749e703f1b37affff0483d172241decb0127db7
SHA256 5cc27e7f54d7c7e8ab48ff2b33decf7b3ac2b46e3592ed3e05dac0301024c90a
SHA512 c191e8bc46b450fd0ee529422931f0ab978df68460c7f98ea25398b2c3efbea001690686eac244164821a32be7103c5770fc269c3498f8aea83cc78062f6480a
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
Filesize 10KB
MD5 c1402bd0986fffdd50470533e09025bf
SHA1 89379c00c8095ac9b00ebcf576b24ac583ea8cd3
SHA256 cea63186c5f8aa865d2ee80e8c651972c95e91d25f41d5e4ed96fbac03ad3d3d
SHA512 9750a72263d2a1902b94e01193a3f64896cffce85c4b542a5879221516579f41f8dce7f295a5ab5d100d4f064abc36aa4f148973abdc7dbd6af189802ff029fa
-
memory/1596-79-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1596-65-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1596-64-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1596-63-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1596-59-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-190-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-203-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-522-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-519-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-515-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-514-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-509-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-507-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-505-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-536-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-530-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-517-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-204-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-533-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-201-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-197-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-195-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-194-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-192-0x0000000003B20000-0x0000000003B21000-memory.dmp
Filesize 4KB
-
memory/2816-189-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-610-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/2816-590-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/3076-60-0x0000000002ED0000-0x0000000002EE6000-memory.dmp
Filesize 88KB
-
memory/3076-57-0x0000000002ED0000-0x0000000002EE6000-memory.dmp
Filesize 88KB
-
memory/4784-183-0x0000000002F20000-0x0000000002F36000-memory.dmp
Filesize 88KB
-
memory/4784-186-0x0000000002F20000-0x0000000002F36000-memory.dmp
Filesize 88KB