Analysis
max time kernel: 123s
max time network: 124s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 11:06
Static task: static1
Behavioral task: behavioral1
  Sample: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Size: 133KB
MD5: 5ebf1b0c233e9ef06a63623c7116e4a6
SHA1: 75c59361b6a8965ddf7f48bfd761fc75be410767
SHA256: 7ef1ecfe0e7f3ca00837d52dbc783359db692302109ad833168e4d8d781d5988
SHA512: 8448fe724907df5d72069604740b16783ce1ec38db1eb140b17c15c684f9840b7ee80a728e71dfec1ee87c017adfce6b0b7dc29dcc8ef2c91f42112769d0aff6
SSDEEP: 3072:4jYFtrnz2QVsDReiq9GCMDAhU0jqI07PWQZBmJoAGHjRumwA:4sneQi+GnDAa0p0rWQiJoAGHdv
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
- http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7
- http://cerberhhyed5frqa.xo59ok.win/379B-3E00-5EC1-0291-22D7
- http://cerberhhyed5frqa.zx34jk.win/379B-3E00-5EC1-0291-22D7
- http://cerberhhyed5frqa.rt4e34.win/379B-3E00-5EC1-0291-22D7
- http://cerberhhyed5frqa.as13fd.win/379B-3E00-5EC1-0291-22D7
- http://cerberhhyed5frqa.onion/379B-3E00-5EC1-0291-22D7
Extracted from: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Signatures
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Contacts a large number (16390) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- PID 1916 bcdedit.exe
- PID 1868 bcdedit.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\charmap.exe\"" (process: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\charmap.exe\"" (process: charmap.exe)
Deletes itself 1 IoCs
Processes:
- PID 2572 cmd.exe
Drops startup file 2 IoCs
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\charmap.lnk (process: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\charmap.lnk (process: charmap.exe)
Executes dropped EXE 1 IoCs
Processes:
- PID 2084 charmap.exe
Loads dropped DLL 3 IoCs
Processes:
- PID 1636 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
- PID 1636 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
- PID 2084 charmap.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\charmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\charmap.exe\"" (process: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\charmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\charmap.exe\"" (process: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\charmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\charmap.exe\"" (process: charmap.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\charmap = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\charmap.exe\"" (process: charmap.exe)
Checks whether UAC is enabled
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: charmap.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 3: ipinfo.io
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEB78.bmp" (process: charmap.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 2536 vssadmin.exe
Kills process with taskkill 2 IoCs
Processes:
- PID 2516 taskkill.exe
- PID 2744 taskkill.exe
Modifies Control Panel 4 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop (process: charmap.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\charmap.exe\"" (process: charmap.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop (process: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\\charmap.exe\"" (process: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe)
Modifies Internet Explorer settings
Processes:
- Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU (process: iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28871721-1699-11EF-BF93-66356D7B1278} = "0" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422365121" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main (process: IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (process: IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (process: iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (process: iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (process: iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (process: iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30732beba5aada01 (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (process: iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (process: IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main (process: IEXPLORE.EXE)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (process: iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (process: iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{287FF301-1699-11EF-BF93-66356D7B1278} = "0" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry (process: iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000002079fa8be7ebdbb4f1dfda4f8903633c8994b3eb1449191b2c059de60d656082000000000e8000000002000020000000bd178c1fd5d1848fa37257b67e854eedfbd57b65d1a3edc837ca011e045bd19620000000ec60f442ec77e08e7147b9b03f9353f8868ddc42e794a0e890118b33e674348740000000b9d9cb2d133369595e40e03b495d27231f10dd8e4cf2f19cbed087fd810fc11cbc7a8c4118c6ff5ffc870b491758bedee6dd0505a1de51b4aa4a53c7672c4bdb (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main (process: IEXPLORE.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (process: iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes (process: iexplore.exe)
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
- PID 2084 charmap.exe (24 occurrences)
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
- PID 1636 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe: Token: SeDebugPrivilege
- PID 2516 taskkill.exe: Token: SeDebugPrivilege
- PID 2084 charmap.exe: Token: SeDebugPrivilege
- PID 2416 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 288 wmic.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence of 20 tokens is recorded twice)
- PID 2744 taskkill.exe: Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
- PID 1880 iexplore.exe
- PID 3068 iexplore.exe
- PID 1880 iexplore.exe
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
- PID 1880 iexplore.exe (4 occurrences)
- PID 1976 IEXPLORE.EXE (2 occurrences)
- PID 3068 iexplore.exe (2 occurrences)
- PID 912 IEXPLORE.EXE (2 occurrences)
- PID 1144 IEXPLORE.EXE (4 occurrences)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 1636 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe wrote to memory of PID 2084 charmap.exe (4 occurrences)
- PID 1636 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe wrote to memory of PID 2572 cmd.exe (4 occurrences)
- PID 2572 cmd.exe wrote to memory of PID 2516 taskkill.exe (4 occurrences)
- PID 2572 cmd.exe wrote to memory of PID 2412 PING.EXE (4 occurrences)
- PID 2084 charmap.exe wrote to memory of PID 2536 vssadmin.exe (4 occurrences)
- PID 2084 charmap.exe wrote to memory of PID 288 wmic.exe (4 occurrences)
- PID 2084 charmap.exe wrote to memory of PID 1916 bcdedit.exe (4 occurrences)
- PID 2084 charmap.exe wrote to memory of PID 1868 bcdedit.exe (4 occurrences)
- PID 2084 charmap.exe wrote to memory of PID 1880 iexplore.exe (4 occurrences)
- PID 2084 charmap.exe wrote to memory of PID 1600 NOTEPAD.EXE (4 occurrences)
- PID 1880 iexplore.exe wrote to memory of PID 1976 IEXPLORE.EXE (4 occurrences)
- PID 3068 iexplore.exe wrote to memory of PID 912 IEXPLORE.EXE (4 occurrences)
- PID 1880 iexplore.exe wrote to memory of PID 1144 IEXPLORE.EXE (4 occurrences)
- PID 2084 charmap.exe wrote to memory of PID 3008 WScript.exe (4 occurrences)
- PID 2084 charmap.exe wrote to memory of PID 2208 cmd.exe (4 occurrences)
- PID 2208 cmd.exe wrote to memory of PID 2744 taskkill.exe (3 occurrences)
- PID 2208 cmd.exe wrote to memory of PID 1468 PING.EXE (1 occurrence)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\vssadmin.exe
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies
    [depth 3] C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\System32\bcdedit.exe
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    [depth 3] C:\Windows\System32\bcdedit.exe
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    [depth 3] C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      [depth 4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:537601 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
    [depth 3] C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    [depth 3] C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    [depth 3] C:\Windows\system32\cmd.exe
      Command line: /d /c taskkill /t /f /im "charmap.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exe" > NUL
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\taskkill.exe
        Command line: taskkill /t /f /im "charmap.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: /d /c taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
[depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3068 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
  Filesize: 12KB
  MD5: 97362d6282e3425886888f0e5a1d4fe2
  SHA1: f89c327cf280d69e179440e07f28197648b861d8
  SHA256: 26daaace5229909d19a8a60c45ea5b73ab92e31680637ac954f0e7d3286e1a1b
  SHA512: 539af7d24dfabb3915b8c73c67ccb836e342efce642b0e3cf99392b8fb4d1ccdb1ae95added4f1e19d69dfc197d3e1443cd82ff46689bbe884fc8731f13e5115
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: 38630cba948af520acd0cfcbef110e41
  SHA1: 0cc2c1c73c64481dbb05654d8abf9b469ae60c05
  SHA256: 691afe7f1bb50df3303235a5f73f11af7e589b7f51e1b625683374f438558846
  SHA512: 116393a8028d1cdc9fa03f37f37d3e2946c2996355c7ea9ff0a24e14b2f81652745df15fc8dcfc1dd03b45061cbac8c2f408b7bf6381b88bb68c8d4d780d9fcf
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
  Filesize: 85B
  MD5: f77cb86f0ab4092a94f5880128d2e6f2
  SHA1: 919bae849eb52fa760972de8496caf2519f7a318
  SHA256: 6291d9fd7c2e81680804afe373bdf8522a0575f629df8d8a37ad8a2a2c16889e
  SHA512: 286f2023eb0dd9f0ea9afa469679bbbb6f753d7b64990bf74213a8affe12a0c8144b23cf448c8b03f279ad2c2d36bd8b30dec14c3a5f6ed594fde9b646471628
- C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
  Filesize: 216B
  MD5: 48ac29422570636cae371b68c858b988
  SHA1: ff86dea198c93a8ae49ee52c6eb919fcbd259aab
  SHA256: 3926b08f205999c2f1a24121117ecfeed31557bf6f0529416f3432321292c6b0
  SHA512: 75019e6fd4b53528aab1af668149540e1bc372e58e4786eda1da75e7c9718dbc274cbf3f37cd38fbe7e618ea9c1b24c2534d18aecfcc3264ec55f83f206faaa3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 5e4dc6e12e1c13425a80d744653a7582
  SHA1: 672ec2eb89e7d80825d3e3b8e251ffc7eca63ed5
  SHA256: 963fe2b4801ad270e6e2d6be337c9ee0464124a068249a5dae1371196407bd48
  SHA512: dd79265a4ee1d3bb87419b71a5d9b100e999f2accae30f2c5baf1ffadcc19a27ab6b48ffeb7987974aaef0362bf4f51a52fab518505a01f3872b1f370b651237
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: af031eae7d5c839d122b777196967b85
  SHA1: 4845a04fa686c363f37a0b8f29bfc89153504e4d
  SHA256: c3ba8096646f75ff75b5ff9e83acf5ba925ca15debf982f21c88bc5e12c0a61b
  SHA512: 18d4861833c33248c3bf64ceed03e3c07193b5f0c39eee6fe666e31e2a4bce053bff6eae95871fc2c42acfa2bb61e0185005ac93386d6199996c7ff65d5850e4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 512d5ff1ba6b2e253edd134b9dd1735e
  SHA1: 7bd474e99608567c1a59b9144aab8e20b624ac7e
  SHA256: 7e4979e4037f207e95ab6c14a19b41270a395616811e8821ee3534b9aed8790d
  SHA512: d463c91f2ecdfea5862c37f3a260bf3e2a473a74ce4a418c617674832ccad02c8b15fde48ccce25001d4eb8905ee5a8223843c391c7ab9fdf8f0f1823cf87f6d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: f093a5f35cb042ae207ef392d1def462
  SHA1: 4d80dab2375e26aae45fb19631ea6a29a8d3bb12
  SHA256: dbea299d1920e131ebca2b660ac86a5486bead638dece4290392c90630ac642d
  SHA512: a9295b9c4bf02bfb28a531dca8fb15f9516e59d32f029a8d384968347ba51ac9e7fcdf7e644125a382ac36fab625f6643e986ec35c8cf8554c8c9401dba29f2b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4746199d2595d69040db533da73b080c
  SHA1: 87a87caf44b4b6d567865773176f93d8187f58b9
  SHA256: 5ba99bb0f2dd6ea096e719253f9a457604affedbdcc1345d702371e34c274e3e
  SHA512: 374308cdbe4d5b5a4d024e1229dd26b40e348fc537c4ccdaa9073c462be9dd7b41a764bb9bc76b0b2fcaa024316918404b99d010381034b98297d7bb5a039e0b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 7603b2e81945390a4290085f4d5c4fc1
  SHA1: caa204f6c0b8a9fc8e6f94935008a8c2884d23af
  SHA256: 390482b712c933de7c79513e7c1d7684bfc526a21ffde3ebd495f08836961487
  SHA512: 37556bf6a8fe62aef08bfba7aed5335b11303fe8cd47e5c474ad3519b2a98da862af0658aafcf8b863dfad83af6f25dc7b145b11147c044444559fb898a66afc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 44c546d39385a0bebedfae009f366fdd
  SHA1: 3704b12a682fbf99a3e1062aebad340779bc5191
  SHA256: 8a445004b8fad1f429cc1bde880d9dca0dddc0560d05da0891d08667e8e72710
  SHA512: 9756c1417311b94e4624f07490901f4d7ff74bf4fd9d751566ddba324dbbe5ce768dfe88361cb721ca7dc91786ffdbbdf6be833e0a2f1657dc1ded7c35f26af6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d67497ec1d4cac657844fa3a2317cbea
  SHA1: fb8cec21dc3f83860f2053e39e7f102a9a3f61e4
  SHA256: ca24ab7900ab70fcea4c1e5bca3a882c580b8c390c41eaeb2f63f95cf42ddfe0
  SHA512: cb35f94ef6ab72a320d11b4dec212823c43fb054acebda752a462ff32e145de55a7a3fd599ef24aa879ea390dbc4b33bafb17b52880f9dd78f10713a649a3686
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: ded4188dfe99b6de0bb49231c4ee6704
  SHA1: fd097b654334e763e1f5aa8ae9b2dad0e061dc23
SHA2566457cabb1fba6a8bb981974a3e631a858331e35b8cdb436483b5f68e2fc4dce0
SHA51267b59c8248f6238fd17e90c0f8f16a64ba9e6d77d78ab3acb9d693fa6d3e7cfd592f35c31632fb628f9510518765ad1501794ddc9c4ff2c4f0e475521631a42c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5b19787acacb4e8d700ce4bfd3a31c84e
SHA1437165fca5f6fe0c1e5b95e41f35daac639c3b5f
SHA256457ff9e1207e4b5a25a385043dc699a1cab25ca14a520df3c28cc2c880e591f6
SHA512c5f9eb7b8c5120822614a398bade1ea6809326d7f486375d6d6379d4f7f5b1710ed8bbe7d87e7dd816951684952a6005ba5486f7dd1989f78d0fae641a920a6b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d07050f0264ded56ca3b71ff2562667d
SHA1c3535ec871d8bfa9a670e69cf3b41252250f35a6
SHA256403095d2b8ef15f110bac0202eb490348223a6cf25c529c3e4b6a012dfa46ef8
SHA5124909de6bd707a9c0b54cb2dacd7098fbec78029eba89e0234095e7105792da113fa1a663d353ee7d57b6633293eb8cca01cbd79600cb9779e3539b4841884823
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5acfe00532e841d3ec707c866451d90ea
SHA1f5dc11d664aefabb5ee5c741936c2b8c7ae87ed8
SHA2568a16504e0f7cba8e2602deaf66681c589e172f1fa80c5cd66cf8687061d57944
SHA512c0820679b58f22b55cf53c4ca30892339e8bac1293b4c965e993864d5e425352fabbd1b4303b485cea69fc7ff6277f04bf5ac47c412735b2fd1d018f2d9747fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cd610354798299edd5e40f871d2f8b75
SHA149b0645bf6507077dbd336e8e96abd3e331184d4
SHA25677e949febbd72563cbd99929d06fcce91f8f22928b2ca6920edcac0e6e1bbc7a
SHA512702357113c937fe79854673c9d3c309716009af9e05a7cafb268e55b68c6119b8a06292cf0e40ddcbe868a7e1e204ed3f90035c463e40cd47bf1d3f8f464efe7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5b50eeec667248a97ea99b51ed199e197
SHA1d8c67c20ae218beab3f81b23d0529c33b3918664
SHA256f1d83ff95fa5722c36db125a971c4c12d183956a35e5d43a4a73354e0d3daa98
SHA512ab97b179a8b3eefce3fd32be40e9f54b8ece6eda10887a3671ba96e2bc71b7f077884b8dd8cfdc217de434649d781d14296b27c3f0d62e114856d442a84ccbc9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5322ea6edfea8bfa66228967a198ba5e1
SHA136e79421054e3b61ee12678909338e811b96574c
SHA256c2efeb354480565011d25f277b7afc585825a47021b714e9b55b7ef621d9e1d2
SHA51253bed71dc1c1bc528f2fd412c5059f192191d64494f4c7708b6bb89d02f86ff70a6a0aebe3066e2b22d207c5b37df14daf08201bbadd20c21086ca348b6eef4d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD505f227f52089ed4b57494c3820f9edb8
SHA1afdd45eb84a2713bba96c339e933f4b37f180b4d
SHA2562f7d6c6b8768b0b749eae00d8b41f8bd64c48bc2e7a6bb8eef66c557284e02fa
SHA5122b4483d9253b74af586509f7c0d95a40415c868ad6139eff850b2745834be37da9b8e95b30e2ef4b8082a903adade36232e86a17fdc1864550c0d091ba5d9551
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57bcd0bf0d4fe477c6ba31b821949c652
SHA1d72d6b7e5b5b5d292640313b235460e88c7d9217
SHA2565885577a6244479a5bc7b50961ec359a06ce6cef2a1452b3597e49feb886be8f
SHA512d6aad2a5a227820111fc466fc374d3bfe3bdd4575ba6d9dabfe19448f64f47076a4ec9f56ebce37edac8d2bcee36680d491adc4ae05f99b2d24597847321ff47
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56c77add73e0bdeb8de2e7ee55e4b41c8
SHA1ab2d425bac7f1c0308c6bca62a8abd258d1b3c3d
SHA25696315d31d577b9d898bade0514bf6dddc6dfb172c357d6123758844eebf7e0cc
SHA512b89349fdd20648cbf9ff43f51912d96d90c091c1b82c6f99d47d63814142c75972367ae7095d137155858d40d6e64f3ca6cdeecce15804227791ec589759b61c
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{287FF301-1699-11EF-BF93-66356D7B1278}.datFilesize
5KB
MD50b536c3d5dc3603b5724aef307761483
SHA1366eb00af9fee02b36d02d3a946528596d3db008
SHA25620b8825332def03960f08ca75c0e5460fd21b64f4f56c92fbfd13704092b431c
SHA512e7c3f9dadb1d34954568807842ca61511f9163b2b5b36b13bd9c90b7567effcfeafadb20a19d183ce9adc959d088639c7706d1e38f36b28eaeba70cccd26591e
-
C:\Users\Admin\AppData\Local\Temp\Cab224.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar2F8.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\charmap.lnkFilesize
1KB
MD5f6fecebbdb1f935863295345ce37f5c3
SHA1e066fc86a5d2528179df5f98c60a57b808d3496a
SHA256ba560a92328af3afbd1862d3345426f9b554cd25a9724dbf9a3013c4485eadd6
SHA512bbaa6a842f16047aeccde8ede651df5a2ea2840649ee82323dec96121a7904d45dc33fb3c2c00b13667904c1a02a638c48a55c22e0af7758c3ff09c2aa666f5b
-
\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exeFilesize
133KB
MD55ebf1b0c233e9ef06a63623c7116e4a6
SHA175c59361b6a8965ddf7f48bfd761fc75be410767
SHA2567ef1ecfe0e7f3ca00837d52dbc783359db692302109ad833168e4d8d781d5988
SHA5128448fe724907df5d72069604740b16783ce1ec38db1eb140b17c15c684f9840b7ee80a728e71dfec1ee87c017adfce6b0b7dc29dcc8ef2c91f42112769d0aff6
-
memory/1636-0-0x00000000001B0000-0x00000000001C6000-memory.dmpFilesize
88KB
-
memory/1636-14-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1636-1-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2084-922-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2084-445-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2084-432-0x0000000005370000-0x0000000005372000-memory.dmpFilesize
8KB
-
memory/2084-21-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2084-22-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2084-19-0x00000000036C0000-0x00000000036C1000-memory.dmpFilesize
4KB
-
memory/2084-15-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2084-24-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB