Analysis
- max time kernel: 128s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 00:20
Static task: static1
Behavioral task: behavioral1
- Sample: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
- Size: 143KB
- MD5: 579c76a735fd8d53f4731463096a79e6
- SHA1: 17bac06d246708335586273c4d1149dd42cf3618
- SHA256: 9e359005b4bc7f7f5db77c5448af5bf22fb71ecdd618b129b35cb6b07c452957
- SHA512: f1d29bd55e86007e1d69028a31ee8c8ddbbda53d00f615746ef51b574b9f1a9b16b14e7c488ef3c75bc436861c2a11808fd5898fe8098ae7c88bc392954b7431
- SSDEEP: 3072:cltLV7H8x7nyQ7RSP8yEqGm88E35zEQTZugj/p6kiPEWU:clD7H8x7ynP8y1CZ2Qgsh2q
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.txt
- Family: cerber
- URLs:
  http://cerberhhyed5frqa.slr849.win/F4F5-F7C6-D3DB-0063-7503
  http://cerberhhyed5frqa.zgf48j.win/F4F5-F7C6-D3DB-0063-7503
  http://cerberhhyed5frqa.xltnet.win/F4F5-F7C6-D3DB-0063-7503
  http://cerberhhyed5frqa.xmfhr6.win/F4F5-F7C6-D3DB-0063-7503
  http://cerberhhyed5frqa.cmfhty.win/F4F5-F7C6-D3DB-0063-7503
  http://cerberhhyed5frqa.onion/F4F5-F7C6-D3DB-0063-7503
Extracted from: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large number (16389) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes (pid, process):
    1600 bcdedit.exe
    1488 bcdedit.exe
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\vssadmin.exe\"" (579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\vssadmin.exe\"" (vssadmin.exe)
- Deletes itself (1 IoC)
  Processes (pid, process):
    2944 cmd.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\vssadmin.lnk (vssadmin.exe)
    File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\vssadmin.lnk (579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1988 vssadmin.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    1844 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
    1844 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
    1988 vssadmin.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vssadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\vssadmin.exe\"" (579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vssadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\vssadmin.exe\"" (579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vssadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\vssadmin.exe\"" (vssadmin.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vssadmin = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\vssadmin.exe\"" (vssadmin.exe)
- Checks whether UAC is enabled
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (vssadmin.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    3 ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE14.bmp" (vssadmin.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    2376 vssadmin.exe
- Kills process with taskkill (2 IoCs)
  Processes (pid, process):
    2572 taskkill.exe
    2696 taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\vssadmin.exe\"" (vssadmin.exe)
    Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop (579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{D829B335-8529-7C36-6396-4FE23232B17C}\\vssadmin.exe\"" (579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe)
    Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop (vssadmin.exe)
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (pid, process):
    1988 vssadmin.exe (24 entries)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege 1844 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
    Token: SeDebugPrivilege 2572 taskkill.exe
    Token: SeDebugPrivilege 1988 vssadmin.exe
    Token: SeBackupPrivilege 2260 vssvc.exe
    Token: SeRestorePrivilege 2260 vssvc.exe
    Token: SeAuditPrivilege 2260 vssvc.exe
    Token: (the following sequence is recorded twice) 2532 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    Token: SeDebugPrivilege 2696 taskkill.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid, process):
    3484 iexplore.exe (2 entries)
    3608 iexplore.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes (pid, process):
    3484 iexplore.exe (4 entries)
    3568 IEXPLORE.EXE (2 entries)
    3672 IEXPLORE.EXE (4 entries)
    3608 iexplore.exe (2 entries)
    3732 IEXPLORE.EXE (2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid/process -> target pid/process, number of entries):
    1844 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe -> 1988 vssadmin.exe (4)
    1844 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe -> 2944 cmd.exe (4)
    2944 cmd.exe -> 2572 taskkill.exe (4)
    2944 cmd.exe -> 2360 PING.EXE (4)
    1988 vssadmin.exe -> 2376 vssadmin.exe (4)
    1988 vssadmin.exe -> 2532 wmic.exe (4)
    1988 vssadmin.exe -> 1600 bcdedit.exe (4)
    1988 vssadmin.exe -> 1488 bcdedit.exe (4)
    1988 vssadmin.exe -> 3484 iexplore.exe (4)
    1988 vssadmin.exe -> 3508 NOTEPAD.EXE (4)
    3484 iexplore.exe -> 3568 IEXPLORE.EXE (4)
    3484 iexplore.exe -> 3672 IEXPLORE.EXE (4)
    3608 iexplore.exe -> 3732 IEXPLORE.EXE (4)
    1988 vssadmin.exe -> 3852 WScript.exe (4)
    1988 vssadmin.exe -> 3316 cmd.exe (4)
    3316 cmd.exe -> 2696 taskkill.exe (3)
    3316 cmd.exe -> 2508 PING.EXE (1)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the parent/child relationship)
- Process: C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe"
  Signatures: Adds policy Run key to start application; Drops startup file; Loads dropped DLL; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Process: C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe"
    Signatures: Adds policy Run key to start application; Drops startup file; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Sets desktop wallpaper using registry; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\system32\vssadmin.exe
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - Process: C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - Process: C:\Windows\System32\bcdedit.exe
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
    - Process: C:\Windows\System32\bcdedit.exe
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
    - Process: C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - Process: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3484 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - Process: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3484 CREDAT:537601 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - Process: C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    - Process: C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    - Process: C:\Windows\system32\cmd.exe
      Command line: /d /c taskkill /t /f /im "vssadmin.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe" > NUL
      Signatures: Suspicious use of WriteProcessMemory
      - Process: C:\Windows\system32\taskkill.exe
        Command line: taskkill /t /f /im "vssadmin.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - Process: C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        Signatures: Runs ping.exe
  - Process: C:\Windows\SysWOW64\cmd.exe
    Command line: /d /c taskkill /t /f /im "579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe" > NUL
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /t /f /im "579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe"
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - Process: C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      Signatures: Runs ping.exe
- Process: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- Process: C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Process: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:275457 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- Process: C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Downloads
344B
MD5d054688e7eaeb484902b1fb1dfd95333
SHA1f9bbe5439249d5b54f7201f862716ce1b7422cc1
SHA256964b7a82aab49255dad44ee139da9d977ea4a3842e73bc33bb39d76317fc70ee
SHA512904681e4a38c90839baef789d8bf3c9e6d6d257ced49092f80940242c1b69c71eb93acf3fec16634c76469702339e1d7bb75862a0db210664340e59d6e7562bb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c7e8adf10fed92a8d3e951adfc0dad06
SHA1022928d2c8b797e1f4af4f739192b06e30209d5e
SHA256b1dc3c0d5d5718d0a9eacf2ccb5e6348a5bbe9127d66f277c9ac776da2853a7f
SHA5122cfc481d43e43e5af08c07f52efa6f33d3de0fa96dd3ae044a0ecd938e235f72180f8bd65424575fbb13175c9d3a251c230123b00622cbc3a725aa4ddef1431a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c3bb151753d0549cb1b36ce175f9ddf1
SHA1e54fefdbe678e2106479cfbe08bef0076849fc3c
SHA2563d19164468d9673b1a7e74695d1f9f806d5d0215832c7364f6d2c569fe2f6bfe
SHA512101956aa361dbbf10800f11c756e9686a3e28e57a5f207e5128b940a3e50e90307d66ef0c29b4a086430804661057ccfe238cd6ec337953ffd7a57a8cbc0e1f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD592f0b3d63553eda89f375598ac88d1e0
SHA12319d13bda8844d012d68bffd77af575a6ad20f8
SHA2567e503f0f36349f49abf59bd00457779df7f2d43a817dcc4bc73ed1775555b936
SHA5127403e87c2792138b4f62275014d5304b8828cee2f9d0c5a4779ffb59fe3d86e5d064d8426d65d9bda02fae53bb34996abadaf576323bb1f592a2a3cd348e5c4a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD558510f733993d7380dad9ef191b56122
SHA15bc6e04f0e9fd88c4811a6352617f1e22d598e0d
SHA256be64b71b44eb7a8652496c7056102b2557a33972b9ed3d5369fc100079dc1361
SHA5127bce622f0c1fc4a2263444f6be819802c041fa933931e3cdb2f3660f6d103046102a76843bc1b4a84e8ab2076a224695d682fae9710386b5f80faa52d57fef1e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD559a6877771fd05de0d11087571fa72ff
SHA11b0c27f221ff84591c3d6a3be4ff1da5454c538a
SHA2565238327a73b9d357aec5807ca8ea8baa244dc011b53503b55978cef3f3567cb2
SHA5120fb3cd4dd8c1b994962f29c81200a567841197b0e502f55c5c5da3320b036172cc4d34b39fa701daaefed70dc04d1f8ca69af5c30c37c37d94bd93051ac669b4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5071ee1069e073a768fb3065169b7466d
SHA1ee6326814e60c651b02a8729350e30c9231476b3
SHA2560390355f0ae13d53697af411b26b9fac981fc78f99c941b3a48a40a04196a288
SHA51237c840aaa3bac1d11d2c7778fa4aa5e737f3c5f3d3883ce95d1a73bc1af59540bba6bd29e1ba628f50ad748c90b3567ef9336dcef6428a1825488959d2259bf8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c0c32c4b3be485bc17853a3175b2f809
SHA1eda20ab3d1c92c605f91e6333a9caa583cfc2962
SHA2565038849b28708fbd71b603a2260c791aa69a9cda1f2ebc30660c11e6236acdde
SHA5124f8802dd2aebd8ccc0206bdf620501a98701b3f40aeade00e782cd8d8c2336029acf2400214e384f97effc042195a486a017bbb0d416678d47ced60d8c630daa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5450da88be0265bc2aa02b0481fea0d95
SHA1a72a7a92f311e92180a5ad2dcbf206628165b3f7
SHA2560347a5f318f6ea9f1113d574f39a74b34b8e8af4c60f2a2e13bfbb576202dd8b
SHA5124c07837f6a04494db6ba5ff6202768dc0077f3775e88f4948f862fa873a23c8845d12acbc07c50473d3deabd66e9276e6edf10be41bc004fcd26a725d499fdb4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD545db43fc9f2dd514b57fa96708cd271f
SHA1af748a0fad487535845aa3b498dbce1a70f545d3
SHA25637e26fccd79b7d8034a50397978d8e840358b31ffcf12b5ffb8904071b19257d
SHA51259a4307d88ee0d03d5b7ec355f3438fc73d07065ffb0565c1c036f537b22b7ac1f2af665d334efa8954ee627e99e6e3ff9da1ae1f612e8986eec6402dd19cd0f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4707CF1-1575-11EF-A4A3-CE86F81DDAFE}.datFilesize
6KB
MD5048595ccefa3a6e29ebede104c59d9ce
SHA1958b211faf436131af36d6e6e4d43a888d39b09c
SHA256e4287dec1003305ebe3d62b9999130d24fbb418f1d83c9a8aac0a226a8040494
SHA512ded577f8a943f6590d4d2695d8580f3300a4807c35a836b6e7148d7cd7eb22696ee7b47e8e15baa8d1d3c3b90c1319e67e8aea5a34fe2657edec5f045302493e
-
C:\Users\Admin\AppData\Local\Temp\Cab253F.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar27C6.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\vssadmin.lnkFilesize
1KB
MD5c28254b9956f17ea4ed1defb29075b95
SHA12acb9fb21df0e26aa1d338257aa4c157c11495b0
SHA256a6f341d142d96c89d7df7327e55db796b46524b803c0e9469d4da502fa5a228c
SHA5126c73f90ea1c6c613f455a8b0c51945c2f9c95a8c550e9535965078e749cdbe9a1ce7c8d237a2d5ba91174818ffe61ee048f6114213b0e421f0ae366a71ce6542
-
\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exeFilesize
143KB
MD5579c76a735fd8d53f4731463096a79e6
SHA117bac06d246708335586273c4d1149dd42cf3618
SHA2569e359005b4bc7f7f5db77c5448af5bf22fb71ecdd618b129b35cb6b07c452957
SHA512f1d29bd55e86007e1d69028a31ee8c8ddbbda53d00f615746ef51b574b9f1a9b16b14e7c488ef3c75bc436861c2a11808fd5898fe8098ae7c88bc392954b7431
-
Memory dump                                                        Filesize
memory/1844-1-0x0000000000400000-0x000000000042A000-memory.dmp     168KB
memory/1844-0-0x0000000000020000-0x0000000000036000-memory.dmp     88KB
memory/1844-14-0x0000000000400000-0x000000000042A000-memory.dmp    168KB
memory/1988-26-0x0000000000400000-0x000000000042A000-memory.dmp    168KB
memory/1988-22-0x0000000000400000-0x000000000042A000-memory.dmp    168KB
memory/1988-23-0x0000000000400000-0x000000000042A000-memory.dmp    168KB
memory/1988-17-0x0000000000400000-0x000000000042A000-memory.dmp    168KB
memory/1988-16-0x0000000000400000-0x000000000042A000-memory.dmp    168KB
memory/1988-970-0x0000000000400000-0x000000000042A000-memory.dmp   168KB
memory/1988-480-0x0000000000400000-0x000000000042A000-memory.dmp   168KB
memory/1988-483-0x00000000038C0000-0x00000000038C2000-memory.dmp   8KB