Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 02:58
Static task: static1
Behavioral task: behavioral1
Sample: 52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
Size: 234KB
MD5: 52c00107ca21cc4b75039a98ad4cae18
SHA1: ab35e8bc718fd02cec888afb22dc520d05234dce
SHA256: 210dab383dabe37ce47658719ec8866cca4fe1ba0eac2d308c96c36293f1da4c
SHA512: bc2ae0ca6fd52d1190bcd0c006b4eacb1db7243b9b434cd59a4e095bfc854e5e7c4cc56cfda989d3285d8f6c2fec4e2e00ba5cc383304efcb5cfbd1c248f1703
SSDEEP: 6144:20B2T/Lr8CETTCiIjvTWUyRsae7bI7P+B:m/X8lGbWhty
Malware Config
Extracted from: C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD
http://52uo5k3t73ypjije.ssd5gt.top/9636-A23A-4EE4-006D-F2BD
http://52uo5k3t73ypjije.dd4xo3.top/9636-A23A-4EE4-006D-F2BD
http://52uo5k3t73ypjije.78dmme.top/9636-A23A-4EE4-006D-F2BD
http://52uo5k3t73ypjije.onion.to/9636-A23A-4EE4-006D-F2BD
http://52uo5k3t73ypjije.onion/9636-A23A-4EE4-006D-F2BD
Extracted from: C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
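The URLs in the extracted config all share one onion name, differ only in how that onion is reached (four clearnet proxy domains, the onion.to Tor2Web gateway, and Tor itself) and carry the same path token. The parser below, an added example that is not part of the sandbox report, splits them into those pieces so the proxy hostnames can be blocked and the onion name and token used to pivot across other notes. The URL list is copied from the config above; calling the path token a per-victim identifier and the gateway classification are my assumptions, not labels the report uses.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: the six URLs from the extracted ransom-note config above.
NOTE_URLS = [
    "http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD",
    "http://52uo5k3t73ypjije.ssd5gt.top/9636-A23A-4EE4-006D-F2BD",
    "http://52uo5k3t73ypjije.dd4xo3.top/9636-A23A-4EE4-006D-F2BD",
    "http://52uo5k3t73ypjije.78dmme.top/9636-A23A-4EE4-006D-F2BD",
    "http://52uo5k3t73ypjije.onion.to/9636-A23A-4EE4-006D-F2BD",
    "http://52uo5k3t73ypjije.onion/9636-A23A-4EE4-006D-F2BD",
]

# The leading label is a 16-character v2 onion name (base32 alphabet); the rest
# of the host says how the onion is reached.
HOST_RE = re.compile(r"^(?P<onion>[a-z2-7]{16})(?:\.(?P<rest>[a-z0-9.-]+))?$")
# Path token as it appears in these notes: five hex groups. Treating it as a
# per-victim identifier is my assumption; the report does not name it.
TOKEN_RE = re.compile(r"^/(?P<token>[0-9A-F]{4}(?:-[0-9A-F]{4}){4})/?$")


def classify_host(rest):
    if rest == "onion":
        return "tor"
    if rest.startswith("onion."):
        return "tor2web-gateway"   # e.g. onion.to: a clearnet proxy into Tor
    return "clearnet-proxy"        # registered domain fronting the onion


def parse_note_url(url):
    """Return None for anything not shaped like one of these note URLs."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    hm = HOST_RE.match(host)
    tm = TOKEN_RE.match(u.path)
    if not (hm and tm and hm["rest"]):
        return None
    return {
        "host": host,
        "onion": hm["onion"] + ".onion",
        "kind": classify_host(hm["rest"]),
        "token": tm["token"],
    }


def summarize(urls):
    """Group parsed URLs; refuse to merge notes that disagree on onion or
    token, since that would mean two different infections were mixed."""
    parsed = [p for p in (parse_note_url(u) for u in urls) if p]
    onions = {p["onion"] for p in parsed}
    tokens = {p["token"] for p in parsed}
    if len(onions) != 1 or len(tokens) != 1:
        raise ValueError(f"mixed campaigns: onions={onions} tokens={tokens}")
    return {
        "onion": onions.pop(),
        "token": tokens.pop(),
        "kinds": dict(Counter(p["kind"] for p in parsed)),
        # Hostnames worth a DNS or proxy block. The .onion itself is not
        # reachable from the clearnet and is kept separately for pivoting.
        "block_hosts": sorted(p["host"] for p in parsed if p["kind"] != "tor"),
        "ignored": len(urls) - len(parsed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(NOTE_URLS), indent=2))
```

The mixed-campaign check matters when notes from several hosts are fed in together: a second onion name or token means a second key and a second decryptor page, and the indicators should not be merged.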
Signatures
-
Cerber
Cerber is a widely distributed ransomware-as-a-service (RaaS) family, first seen in early 2016. The ransom notes dropped in this run (# DECRYPT MY FILES #.txt, .html, .vbs and .url) and the payment-site URLs (one onion name reached through several clearnet proxy domains) are characteristic of the family.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
poqexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
-
Contacts a large number (529) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. For Cerber, the more likely cause is the family's known habit of spraying UDP statistics packets across entire address ranges, so confirm against the captured traffic before reading it as service discovery.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), most likely as a geofence: Cerber aborts without encrypting on systems whose country is on its exclusion list, which is dominated by CIS states.
Processes:
poqexec.exe: Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
-
Drops startup file 2 IoCs
Processes:
52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\poqexec.lnk
poqexec.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\poqexec.lnk
-
Executes dropped EXE 4 IoCs
Processes:
PID 2832 poqexec.exe
PID 2252 poqexec.exe
PID 4340 poqexec.exe
PID 2832 poqexec.exe
-
Loads dropped DLL 9 IoCs
Processes:
PID 4480 52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe (3 loads)
PID 2832 poqexec.exe (3 loads)
PID 4340 poqexec.exe (3 loads)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature here, and the only browser activity in the run is msedge.exe opening the ransom note, so treat it as low confidence unless the raw events show reads by poqexec.exe.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poqexec = "\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\poqexec = "\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
poqexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poqexec = "\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
poqexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\poqexec = "\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 39: ip-api.com
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
poqexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1FE2.bmp"
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 4480 (52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe) set thread context of PID 1600 (52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe)
PID 2832 (poqexec.exe) set thread context of PID 2252 (poqexec.exe)
PID 4340 (poqexec.exe) set thread context of PID 2832 (poqexec.exe)
-
Drops file in Program Files directory 16 IoCs
Processes:
poqexec.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini
poqexec.exe: File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.vbs
poqexec.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml
poqexec.exe: File created C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.url
poqexec.exe: File created C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.vbs
poqexec.exe: File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.html
poqexec.exe: File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.url
poqexec.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini
poqexec.exe: File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE
poqexec.exe: File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE
poqexec.exe: File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.txt
poqexec.exe: File created C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.html
poqexec.exe: File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE
poqexec.exe: File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE
poqexec.exe: File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE
poqexec.exe: File created C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.txt
-
Drops file in Windows directory 3 IoCs
Processes:
52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe: File opened for modification C:\Windows\
poqexec.exe: File opened for modification C:\Windows\
poqexec.exe: File opened for modification C:\Windows\
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe: matches yara rule nsis_installer_1
C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe: matches yara rule nsis_installer_2
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
All three reads come from msedge.exe, which was launched only to display the ransom note; this is browser activity, not malware behavior.
-
Kills process with taskkill 2 IoCs
Processes:
PID 6112 taskkill.exe
PID 4464 taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes:
52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe: Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop
52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
poqexec.exe: Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop
poqexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
-
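The registry signatures above (Policies\Explorer\Run, Run and RunOnce, SCRNSAVE.EXE, and the Geo\Nation lookup) are each reported in the same flattened "operation path = value process" layout. The script below is an added example, not part of the sandbox report: it parses events in that layout, matches them against a small table of autostart and reconnaissance locations, undoes the report's quoting to recover the binary that was registered, and groups findings by binary so that one executable planted in four autostart locations stands out. The sample events are constructed from the report's own SID, GUID and paths; the ATT&CK technique IDs are my mapping, not labels the report carries.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry locations worth flagging, matched case-insensitively against the
# full registry path. The ATT&CK technique IDs are my mapping, not the report's.
WATCHED = [
    (r"\\currentversion\\run(\\|$)",               "Run key",            "T1547.001"),
    (r"\\currentversion\\runonce(\\|$)",           "RunOnce key",        "T1547.001"),
    (r"\\currentversion\\policies\\explorer\\run", "Policies Run key",   "T1547.001"),
    (r"\\control panel\\desktop\\scrnsave\.exe$",  "screensaver binary", "T1546.002"),
    (r"\\international\\geo\\nation$",             "country lookup",     "T1614"),
]

# One event per line, in the layout the report uses:
#   <operation> <registry path>[ = "<value>"] <process image>
EVENT_RE = re.compile(
    r"^(?P<op>Set value \(\w+\)|Key value queried|Key created|Key opened) "
    r"(?P<rest>.+) (?P<proc>\S+)$")


@dataclass
class Finding:
    process: str
    location: str
    technique: str
    path: str
    value: Optional[str]


def _strip_one_quote_pair(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def _unescape(raw):
    # Undo the report's quoting layer (\" and \\) and then the outer quotes
    # the malware itself wrote around the path.
    inner = _strip_one_quote_pair(raw).replace('\\"', '"').replace("\\\\", "\\")
    return _strip_one_quote_pair(inner)


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    path, value = m["rest"], None
    if ' = "' in path:
        path, raw = path.split(" = ", 1)
        value = _unescape(raw)
    return m["op"], path, value, m["proc"]


def analyze(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        op, path, value, proc = ev
        for pattern, location, technique in WATCHED:
            if re.search(pattern, path, re.IGNORECASE):
                findings.append(Finding(proc, location, technique, path, value))
    return findings


def persistence_by_binary(findings):
    """Map each executable written into an autostart location to the set of
    locations it was written to. One path landing in several is the
    belt-and-braces pattern this report shows."""
    out = {}
    for f in findings:
        if f.value:                      # lookups carry no value
            out.setdefault(f.value.lower(), set()).add(f.location)
    return out


# Constructed sample events in the report's layout (SID, GUID and paths taken
# from the report above).
SID = "S-1-5-21-1337824034-2731376981-3755436523-1000"
HKU = rf"\REGISTRY\USER\{SID}"
EXE = r"\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""
INSTALLER = "52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    rf'Set value (str) {HKU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poqexec = "{EXE}" {INSTALLER}',
    rf'Set value (str) {HKU}\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\poqexec = "{EXE}" poqexec.exe',
    rf'Set value (str) {HKU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "{EXE}" poqexec.exe',
    rf'Set value (str) {HKU}\Control Panel\Desktop\SCRNSAVE.EXE = "{EXE}" {INSTALLER}',
    rf'Key value queried {HKU}\Control Panel\International\Geo\Nation poqexec.exe',
    rf'Key created {HKU}_Classes\Local Settings poqexec.exe',   # not an autostart: ignored
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.location:20} {f.process:52} {f.value or f.path}")
    print(persistence_by_binary(analyze(SAMPLE_EVENTS)))
```

The SCRNSAVE.EXE entry is the one most often missed in a manual review: it is not under a Run key at all, but the screensaver binary runs with the user's token whenever the screensaver fires, so it belongs in the same persistence bucket as the Run keys.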
Modifies registry class 1 IoCs
Processes:
poqexec.exe: Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID 2252 poqexec.exe (64 events)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
PID 4300 msedge.exe (9 events)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
PID 1600 52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe: Token: SeDebugPrivilege
PID 4464 taskkill.exe: Token: SeDebugPrivilege
PID 2252 poqexec.exe: Token: SeDebugPrivilege
PID 2832 poqexec.exe: Token: SeDebugPrivilege
PID 5308 AUDIODG.EXE: Token: 33
PID 5308 AUDIODG.EXE: Token: SeIncBasePriorityPrivilege
PID 6112 taskkill.exe: Token: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
PID 4300 msedge.exe (25 events)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
PID 4300 msedge.exe (24 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
PID 4480 (52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe) wrote to memory of PID 1600 (52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe): 11 events
PID 1600 (52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe) wrote to memory of PID 2832 (poqexec.exe): 3 events
PID 1600 (52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe) wrote to memory of PID 4748 (cmd.exe): 3 events
PID 4748 (cmd.exe) wrote to memory of PID 4464 (taskkill.exe): 3 events
PID 4748 (cmd.exe) wrote to memory of PID 2280 (PING.EXE): 3 events
PID 2832 (poqexec.exe) wrote to memory of PID 2252 (poqexec.exe): 11 events
PID 4340 (poqexec.exe) wrote to memory of PID 2832 (poqexec.exe): 11 events
PID 2252 (poqexec.exe) wrote to memory of PID 4300 (msedge.exe): 2 events
PID 4300 (msedge.exe) wrote to memory of PID 2736 (msedge.exe): 2 events
PID 2252 (poqexec.exe) wrote to memory of PID 4548 (NOTEPAD.EXE): 2 events
PID 4300 (msedge.exe) wrote to memory of PID 1268 (msedge.exe): 13 events
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 3): C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
Command line: "C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (depth 4): C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
Command line: "C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe"
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 5): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8420446f8,0x7ff842044708,0x7ff842044718
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
-
Process (depth 5): C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
-
Process (depth 5): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD?auto
-
Process (depth 6): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff8420446f8,0x7ff842044708,0x7ff842044718
-
Process (depth 5): C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
-
Process (depth 5): C:\Windows\system32\cmd.exe
Command line: /d /c taskkill /t /f /im "poqexec.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe" > NUL
-
Process (depth 6): C:\Windows\system32\taskkill.exe
Command line: taskkill /t /f /im "poqexec.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 6): C:\Windows\system32\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: /d /c taskkill /t /f /im "52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe" > NUL
- Suspicious use of WriteProcessMemory
-
Process (depth 4): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /t /f /im "52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 4): C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
Process (depth 1): C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
Command line: C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
Command line: C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 1): C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
Process (depth 1): C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
Process (depth 1): C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4a0
- Suspicious use of AdjustPrivilegeToken
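Three things in the process tree above are worth turning into reusable checks: a process setting the thread context of its own child running the same image (the installer into a second copy of itself, poqexec.exe into a second copy of itself), the two cmd.exe chains that taskkill a process by name, wait on a single ping to 127.0.0.1, then del the binary (first the installer, then the dropped copy), and the viewers (msedge.exe, NOTEPAD.EXE, WScript.exe) launched only to display the ransom note. The script below is an added example, not part of the sandbox report. The tree it runs over is constructed from the report's process list; PIDs 4480, 1600, 2832, 2252, 4748, 4300 and 4548 are the report's, while 5000 and 5001 are made up for the two children the report does not number. The ATT&CK reference in the self-deletion comment is my mapping.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str


def image_name(path):
    return ntpath.basename(path).lower()


# cmd /d /c taskkill /t /f /im "<name>" > NUL & ping -n 1 127.0.0.1 > NUL & del "<path>" > NUL
SELF_DELETE_RE = re.compile(
    r'taskkill\s+(?:/\w+\s+)*?/im\s+"(?P<kill>[^"]+)"'
    r'.*?&\s*ping\s+-n\s+\d+\s+127\.0\.0\.1'
    r'.*?&\s*del\s+"(?P<delete>[^"]+)"',
    re.IGNORECASE)
NOTE_RE = re.compile(r"# DECRYPT MY FILES #\.(?:txt|html|vbs|url)", re.IGNORECASE)
NOTE_VIEWERS = {"msedge.exe", "notepad.exe", "wscript.exe"}


def find_self_injection(procs, ctx_events):
    """ctx_events are (source pid, target pid) pairs from SetThreadContext.
    A process setting the thread context of its own child that runs the same
    image is the unpack-into-a-fresh-copy pattern the report shows."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for src, dst in ctx_events:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d.ppid == src and image_name(s.image) == image_name(d.image):
            hits.append((src, dst, image_name(s.image)))
    return hits


def find_self_deletion(procs):
    """cmd.exe chains that kill a process by name, wait on a ping, then delete
    a file. 'deletes_parent' is set when the deleted file is the parent's own
    image, i.e. the malware erasing itself (my mapping: T1070.004)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if image_name(p.image) != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        if not m:
            continue
        parent = by_pid.get(p.ppid)
        hits.append({
            "cmd_pid": p.pid,
            "killed": m["kill"],
            "deleted": m["delete"],
            "deletes_parent": bool(parent) and image_name(parent.image) == image_name(m["delete"]),
        })
    return hits


def find_note_display(procs):
    """Viewers started to show the ransom note, with the note filename."""
    return [(p.pid, image_name(p.image), NOTE_RE.search(p.cmdline).group(0))
            for p in procs
            if image_name(p.image) in NOTE_VIEWERS and NOTE_RE.search(p.cmdline)]


# Constructed tree based on the report's process list (see lead-in for which
# PIDs are real and which are made up).
INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PROCS = [
    Proc(4480, 1, INSTALLER, f'"{INSTALLER}"'),
    Proc(1600, 4480, INSTALLER, f'"{INSTALLER}"'),
    Proc(2832, 1600, DROPPED, f'"{DROPPED}"'),
    Proc(2252, 2832, DROPPED, f'"{DROPPED}"'),
    Proc(4748, 1600, r"C:\Windows\SysWOW64\cmd.exe",
         f'/d /c taskkill /t /f /im "{ntpath.basename(INSTALLER)}" > NUL & ping -n 1 127.0.0.1 > NUL & del "{INSTALLER}" > NUL'),
    Proc(5000, 2252, r"C:\Windows\system32\cmd.exe",
         f'/d /c taskkill /t /f /im "poqexec.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "{DROPPED}" > NUL'),
    Proc(4300, 2252, EDGE, rf'"{EDGE}" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html'),
    Proc(4548, 2252, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt'),
    Proc(5001, 2252, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"'),
]
CTX_EVENTS = [(4480, 1600), (2832, 2252)]

if __name__ == "__main__":
    print("self-injection:", find_self_injection(PROCS, CTX_EVENTS))
    print("self-deletion: ", find_self_deletion(PROCS))
    print("note viewers:  ", find_note_display(PROCS))
```

The parent check in find_self_deletion is what separates this from a generic "taskkill and del" rule: a cmd.exe deleting its parent's own image after killing it by name is almost never legitimate, whereas installers and updaters produce the generic pattern routinely.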
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 4158365912175436289496136e7912c2
SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: ce4c898f8fc7601e2fbc252fdadb5115
SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 307952165506091a091012ff98437c8d
SHA1: 296c5c1f4383b291ebc55599dce66be20783e14b
SHA256: 594b98ffeedaac4e501dfc409cfb9190ab1bfd0d46927bdedb41150ff65c1da7
SHA512: a3c13f3332979b0c93bae78669d986a4e63d30e4785c81b8d49db9a0e71a0740dbd3a109f6fbf5f12720f64d5ed8f1cefb4e1e4fc8516653b89ed43d903873f3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: e9b02afa624e62923707161409e355e2
SHA1: 9aa32ac1975b273fedd74550acad5b123f679570
SHA256: 68d882ded3ff30c1bc019d19010b4e55054873c6b6727d9032fa58f1a74de41a
SHA512: 65a857f1b5326c85a579055e29d83ffee3642cc51ad2a3ba812dbeeb381a55a2825de6a3eca8818d67318d1553fd21f9a4b7624676b6a67f4d687448ef9a5c88
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5803463799894165c63f5086a39491b00
SHA158b9def2394d0d57de93639aabd0e105364c1b5b
SHA256eb4f123d6eb43bf4dcf9d0512e616355a4b3bb29411ec26f9cbc3c1ce86e167d
SHA512416c840d344dc38a5c22acab0984801ebf326ddc332ec4ad6b590c267d545b97b60bbd665ec1c57938f720172bee47a62ba30c30a3e3316ba6c4651f1ac18315
-
C:\Users\Admin\AppData\Local\Temp\30-urw-aliases.conf
Filesize: 1KB
MD5: c6c33cfde9f637e1d2b8cad9353df6dc
SHA1: 75cfd127ec1fe9a140c78bc84164bd35214ced1f
SHA256: c28770c5d1ec815ce63a33cfec8aabadd21aed84d60f000ebaa2d13e2bcbb0ac
SHA512: 66bf5248914ce0e6371a8e0cb12f9a3cc573928488f67dc714d5a6605ad61d01aa5b308f13ab7f3ecaec0ae502a4c279e1bbf1280d4dd41874ad2614e132080c
-
C:\Users\Admin\AppData\Local\Temp\Adobe-Japan1-4
Filesize: 3KB
MD5: 5a23e712d699f48cff3190caee581f79
SHA1: 5caac471f05c5934c4c07af3d690f0ce3402f081
SHA256: 7cd11d1b862b16aebbe2042d45b4d7a331994acd5c8457f6f4fbc1c8956a5355
SHA512: ff5c2ad7959984d903023a58a4b81f160c0dc020fa33ce3f7e582c91613f1d9b5e39ff4660a02ac28e369524d42f1adc2eebfba5dc448c97389b973d7894cefa
-
C:\Users\Admin\AppData\Local\Temp\AnimGif.dll
Filesize: 48KB
MD5: db143770b3cabb64c32477bc5890ea30
SHA1: b9d580ff68c53ba0b7298d09c4b0472958876319
SHA256: 4d5f0c40375b84835bc93494bbf4f73a94d7843a319125a840c34e0c9bdf6c8d
SHA512: 56842d9e000d1fd13d24044351ebf01ca8a8ced5a08c7ee314244697e69c7a563e26c53c78f473bed121ede6186bcae14da69a66f8be915a2c59891fbdb49cc4
-
C:\Users\Admin\AppData\Local\Temp\BadBits.mm
Filesize: 1KB
MD5: 45ed0fb06f0ce6c9ba9613926d1cb1e6
SHA1: a19206ff3bb1f5f2109e3c2233aefd2a6285d05f
SHA256: aee530dc1e94d53130035d2ace33d0147b96aa970c764eb4e86fb6b5d07200f4
SHA512: d989bee283acef837ecb3b2995be8098e6d4f886456972a42ab5ef5a98ae48ba3a88a71193a7aa4dba179d57ed0912a0203e0a1aa46e9873f97399f0238c9128
-
C:\Users\Admin\AppData\Local\Temp\Budapest
Filesize: 1KB
MD5: c275950acffcd3a57996966067c5a21c
SHA1: fa08f0e03f74f5d0e9fc90df73fe5b00c797367b
SHA256: 427bb97ce4f246e7f809bb14a5b9191aecd8a2d8854d0493ff718e7830086ea5
SHA512: 4512adb2ea30202de146c1252ab7f52a467611b0b33999b8b9b875dbe78d18f1adde8e1ade1b7787245708c12f343fc649aa8f75a71bebb73178fe0039e89412
-
C:\Users\Admin\AppData\Local\Temp\Cape_Verde
Filesize: 97B
MD5: 739bc3be601fc4c312fca262597514eb
SHA1: c14ae4cd4e2ce75b7ea4ed39a835bc8d207f2486
SHA256: b645b5d403881ac66ce4171af4aced39c0a17237fb78443fae623b1f4367345f
SHA512: c0092979146f54dd885d4b12b0f7e37285b4116aecf4a793eb524d0b33c8ed2e7a336f97ec6d2504203d51207205f192895c1850fd6dd5f30f9848d86ef4c5fd
-
C:\Users\Admin\AppData\Local\Temp\CoreTemp.ini
Filesize: 1KB
MD5: 4318900d48f4b420b3f14cf9d3efc812
SHA1: 399f9bd94316658d2da143367e8ae2e200f67a78
SHA256: d95c522b113e468fe3e0cc92579148c53d8c1eaed13bb89e07130ca4c2fd0c6c
SHA512: 5f7c4ff8375fa9c995ac0d4cddd8974c7f5bc893759ae2c17de5f29cb9fe8f2d888a44b3b1d23d6a5106304a523719fe87cb1dafe0922eae80de05289e96c526
-
C:\Users\Admin\AppData\Local\Temp\EnteronFrotteur.y
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\Fiji
Filesize: 588B
MD5: 03eeedd6926392057b761444ea01871a
SHA1: e3cc8ce79e0625854e1f922ebbe4ba2f44d0248c
SHA256: ba6662dd53b64810a0449f9ff4a9ca3a46f2d5ad63ba66507d00988b64bc043e
SHA512: c8516e29e3b8a2b9d9f8e43d472cd4d4af6393f5be2cbe59ee6422f7238a3bfb7523c821d9ed1de25136f58905af54b724528e80562f20e2f250927851b17968
-
C:\Users\Admin\AppData\Local\Temp\GMT+3
Filesize: 27B
MD5: 834630bcae89f566789c6e3abb9cde0a
SHA1: 1937e7784e79fd9a6adbc2b4a227a6bf9455dc86
SHA256: 5d9e7b18a4cf92f1d47164f438ed6515657d4ff8f3d2c8bb5a1f7b605d79cd61
SHA512: 835b29bd2acb63abd813ded66df8f9d895c83cce8e38cec1f21c266a6d6992965efb6fbec8e87bb74f24e3321588ac94d16be5fe0eacdf9dc80e6ca26dbf0061
-
C:\Users\Admin\AppData\Local\Temp\LodeEucaryote.zaw
Filesize: 148KB
MD5: 7ee7c1a5386b3898b787f52a7863e46e
SHA1: cf692dad8b81b61c9db39b45fd443ae8a73cef13
SHA256: f926c082b5eb24f9cb597e2be152e7a7fde4a96351a3fdec9d1ab0fdba67215f
SHA512: 2e79e6db4b5ec4a53fe2422b576c7b4a0362ad0312bae98c50806d8a56889b643e982c6ed546ac58ffdad806b4c02f44403135e3e2f9687d631f67068de607c3
-
C:\Users\Admin\AppData\Local\Temp\callout.graphics.xml
Filesize: 993B
MD5: 7c17ee2b7f023668d51e6199325c8d63
SHA1: ffacfc13b232f2187499d7c02a76ae86248a9e73
SHA256: 000e761b0bdaf092ef845bb91a352cd432ee257163851d4c251db448c7e6748a
SHA512: e78dae20fc2966fdc54a40b9fa7f4f06e594eb972929d701d79738a2e01e523e3a560190e112278b80cfff75eea6026260ad56d96d6dd5062abbda0373a57625
-
C:\Users\Admin\AppData\Local\Temp\circle_glass_Thumbnail.bmp
Filesize: 4KB
MD5: 7d005a7a687c9f4d56272fe7522e7dce
SHA1: d66cbd3ebc892a2c7b305181b465cf592c2c4990
SHA256: c3bca0815951a454ec15dc23b1d135d42537d9fecba6577e03f46bd6807da135
SHA512: 3cef4c6a8c0507556a0983b72913233fda3b2a9311a0fa5e652bb46955ebf3113fece823721048c3188174daddec1e17c608044000bcc90c7ad02fab49237f05
-
C:\Users\Admin\AppData\Local\Temp\component.xml
Filesize: 691B
MD5: 137d64c837e42916568685e05be6ca27
SHA1: 3cc124359aa623bc4ca2511805e8f8e1f9fe5ff5
SHA256: f9aa7c2759c4fc6b67add7710d6fa40750c2cf131fb576bad7c8f7fb008fa78a
SHA512: 8a8144c82b27163e3aba9fa5400f7eb7a4088c3822aa010bc6a8869ab1daf9a98d2ad483ff0f32727d8251ee23bd062a56f616b1f7cac98f79c0190b6abfdfa6
-
C:\Users\Admin\AppData\Local\Temp\currency.data
Filesize: 3KB
MD5: 34825d08fddf008a6c670ed506dcb880
SHA1: 6705d775600261d9ed3d5bc05705746e96311e46
SHA256: 29071f93c8af7ed0a5ee3966c531c8182e86eeb2237793e6a680a926005d1742
SHA512: bf18d6566609c503efbac1d8ab615b87ec6f6e75f18a0e0faa58d38a755dd84a6b40de5e07d3c579272d158c06dd7727f630138694d96e55f9a13f45a6b06784
-
C:\Users\Admin\AppData\Local\Temp\defaultProfilerFilter_restorepoints.xml
Filesize: 592B
MD5: b14872001828a70ca9f8cb55f37d8e7f
SHA1: ceec1f59f82ef6991eeb3f931707716f76ae4c38
SHA256: 9ca7847addfc688efad2575b3c949fd296890731b3865cd7aeef3166a3a9b900
SHA512: 21a5d902d045ce1eb73c8f8e5183152445bb95eaf2b24b76a21f32e39be801f2ab19e7b90743de2926afc12334fe168230effe24d622ca2816ed039f30080f79
-
C:\Users\Admin\AppData\Local\Temp\embedding.xml
Filesize: 4KB
MD5: 7246ded2719a2ed3a5d325dbe15e4226
SHA1: d6f781dd2f3d9e3c4388ec7a07b20c9c490f9cef
SHA256: 44db2977e5bb2422e73c63d4bd1a727779313c1acfe124b205325db391076f3c
SHA512: 76855b922d4ecfd2caf708dd94a424853f03470f1d13a4ebccb3e56e8068dd36855ae529381f80817be576bd6d43f55e64ce8c1bec12e525a2ea16c090fe97ec
-
C:\Users\Admin\AppData\Local\Temp\errorReport.png
Filesize: 1KB
MD5: 599fb9441ade1302ec22d4420ad6dbfa
SHA1: 376de11c0fd54d2828ca06d861393f0ab1d57b31
SHA256: 594a955ba1060a795d8760e5df316b091149f10b72ff5032d2dd588f79547535
SHA512: 7fc1811abd69f26c77b901b17ceed11c46e345da75f3a26b495d1aadd4601a4aa20c4154d93cb6c688165dbbe9a439813097186d194945c094af6235be5c6936
-
C:\Users\Admin\AppData\Local\Temp\f24.png
Filesize: 1KB
MD5: a16e322bba363c21afc35515bbd59138
SHA1: b93bf5fa9c44a2d2ee8d69cd6357c2ebe12162c9
SHA256: 021ea003666ec9a2279a3069f3fdd8b5c71b106851bc8051d88747eb7a142dfc
SHA512: f39f845f1950849e753873fe2f0252201e929ca389960afe9bf055d910d19bcc2ff57f9df5c8d905522f0ca424ac4403638d5f6daa52bfac259974020701d3ea
-
C:\Users\Admin\AppData\Local\Temp\honks.rjw
Filesize: 74KB
MD5: 9db5213cc2837c33400e32cf1fede797
SHA1: 661b7156351c07d7597e1583786e7016a6dcbd0b
SHA256: 29aed442d93386108d48f758c26f074f86161acc513892ea366a8df433ad2aff
SHA512: 20b28dbcecd11f74089ba2bd8f0cd35602c8c30448a1af77fbbb35c4a3d1cdca32bb992c352b47b095d2a019c647db60bbd953ec57745de1e92a16dd422053a6
-
C:\Users\Admin\AppData\Local\Temp\nsc662E.tmp\System.dll
Filesize: 11KB
MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8
-
C:\Users\Admin\AppData\Local\Temp\telophase.ttm
Filesize: 74KB
MD5: 2bb7db4cf25f693a1e26119e8fc1afda
SHA1: 7fa83832984e582a06ec31111a3685d7b90e6a54
SHA256: a17c3b5a3833649b93059bbdee15af3a35db602a21fe5151769d1d2d6c34cf81
SHA512: d57723cfff15d0cc60249749cf9b8d800a53cb8333ad6316a04e0eea7ee46ad4597c41a389376566884356a0e9716476bb8ac8758365533fb15ac8da7cf51f3f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\poqexec.lnk
Filesize: 1KB
MD5: 06cd72256e0031991dc5129a37940446
SHA1: 741a03a00fc632fb3f2a30b7b71323713538a355
SHA256: 1180252e41aa6b3e743c37b8d3c348f183630ff68fa4f350848ccdbab8982096
SHA512: 95a05be932e3c385bfb14119c50344e8b996f425b90d9b61adc145e5f8bc5f2fe48cc46dbf9cdc04f54371fb3d3f2ad1b682995a105a3c3f4f9b5fc447e53f12
-
C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
Filesize: 234KB
MD5: 52c00107ca21cc4b75039a98ad4cae18
SHA1: ab35e8bc718fd02cec888afb22dc520d05234dce
SHA256: 210dab383dabe37ce47658719ec8866cca4fe1ba0eac2d308c96c36293f1da4c
SHA512: bc2ae0ca6fd52d1190bcd0c006b4eacb1db7243b9b434cd59a4e095bfc854e5e7c4cc56cfda989d3285d8f6c2fec4e2e00ba5cc383304efcb5cfbd1c248f1703
-
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: 425a5d1dc02e88f5a93ca1e007afa114
SHA1: 7c290a1e4ce00a542aa1b70246f54c1c32db384b
SHA256: 53920d3455413247e313d856887dfdce1172c1a50016325c374b2d8c6bfb437a
SHA512: 29024957bec738954b81c97737de0adfa78fdfc67f324ff8dad11dc6e686e2876b501460fe1744894d8d33b98f6ba447013a45b5ae932ef6c3e30095221fdf6a
-
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.url
Filesize: 90B
MD5: 16ea266209db7916eec7cdfa9cd12fe6
SHA1: df1b67130fc15eac2d3e6aa8be1a868dac39072c
SHA256: 51bede437330f06c0bd7849700b4a11550c689d895d35ad32ccd745cd09b0265
SHA512: 7a13550dd48938d6ac1603605a006f86452d280c57dc50a758799b6634c1e97aab0c86c9d06c1d0b1cd9c5b3da7e7f47a4352f1ff788111368b87bade6c13a8e
-
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.vbs
Filesize: 213B
MD5: 1c2a24505278e661eca32666d4311ce5
SHA1: d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee
SHA256: 3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628
SHA512: ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c
-
C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
Filesize: 19KB
MD5: 1d0320ea8d2a4d4f30dbc6647675c9e4
SHA1: 49aa9f19ac1546a0e48138846264f7ca12d0774e
SHA256: a21916423880d5a8445156569ad65a140d14b399ee65cd3bf24872649b1b90e8
SHA512: eb5d6950831d2e17c1cfaa9b5da7d87db2a9300b623e77869b477b9f5b2ac23619329879dc8c9132a9af2346f2bb12269f5e02cce8ae6659988eb78b0bb91ba5
-
memory/1600-47-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1600-39-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1600-38-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1600-37-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/1600-35-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-114-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1005-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-183-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1102-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1101-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-174-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-994-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1002-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1014-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1026-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1029-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1032-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1020-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1008-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1017-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-182-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-999-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-996-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1011-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-992-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-990-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-109-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-115-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-113-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-1074-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2252-108-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2832-177-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2832-178-0x0000000000400000-0x000000000042B000-memory.dmp
Filesize: 172KB
-
memory/2832-103-0x0000000000800000-0x0000000000810000-memory.dmp
Filesize: 64KB
-
memory/4340-171-0x0000000002270000-0x0000000002280000-memory.dmp
Filesize: 64KB
-
memory/4480-32-0x00000000006A0000-0x00000000006B0000-memory.dmp
Filesize: 64KB