Malware Analysis Report

2024-09-23 05:59

Sample ID 240602-rw6daafe85
Target 8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118
SHA256 c901cd480f7bab152f11367b855bfe03bacce1760fa133acb7b9512a64c1f2b8
Tags
gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c901cd480f7bab152f11367b855bfe03bacce1760fa133acb7b9512a64c1f2b8

Threat Level: Known bad

The file 8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Gandcrab

Deletes shadow copies

Renames multiple (272) files with added filename extension

Renames multiple (275) files with added filename extension

Drops startup file

Reads user/profile data of web browsers

Checks computer location settings

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-02 14:33

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 14:33

Reported

2024-06-02 14:36

Platform

win7-20240220-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (272) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\<letter>: for 23 drive letters, logged in this order: N:, A:, G:, L:, M:, O:, Q:, R:, Y:, E:, H:, I:, U:, V:, W:, X:, P:, S:, T:, Z:, B:, J:, K: (every letter except C:, D: and F:; F: does appear under Files as a location where the ransom note was dropped) C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
All rows below are for process C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe with target N/A, listed in the order logged within each group.

File created (ransom note NNRKZGVIH-DECRYPT.txt and lock file fc74f11cfc74f6f17a.lock, one of each in five directories):
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\NNRKZGVIH-DECRYPT.txt
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\NNRKZGVIH-DECRYPT.txt
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\NNRKZGVIH-DECRYPT.txt
C:\Program Files (x86)\NNRKZGVIH-DECRYPT.txt
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\fc74f11cfc74f6f17a.lock
C:\Program Files\fc74f11cfc74f6f17a.lock
C:\Program Files\NNRKZGVIH-DECRYPT.txt
C:\Program Files (x86)\fc74f11cfc74f6f17a.lock
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\fc74f11cfc74f6f17a.lock
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\fc74f11cfc74f6f17a.lock

File opened for modification (24 files, 22 distinct extensions):
C:\Program Files\PushGroup.hta
C:\Program Files\RenameSkip.pcx
C:\Program Files\SkipClose.ttc
C:\Program Files\ReceivePop.DVR-MS
C:\Program Files\RevokeSuspend.crw
C:\Program Files\AssertTest.wm
C:\Program Files\BlockOut.pptx
C:\Program Files\DebugUnpublish.iso
C:\Program Files\AssertUninstall.csv
C:\Program Files\ShowUnprotect.jpeg
C:\Program Files\RepairStep.vsdm
C:\Program Files\SetCompress.vssm
C:\Program Files\RegisterRequest.ppsm
C:\Program Files\SwitchExit.xlsb
C:\Program Files\UndoAdd.jpeg
C:\Program Files\DismountRead.ttf
C:\Program Files\MeasureSend.wdp
C:\Program Files\AddRead.xml
C:\Program Files\CompressInitialize.wdp
C:\Program Files\SetExport.mp3
C:\Program Files\UndoUninstall.zip
C:\Program Files\ConfirmMerge.vsw
C:\Program Files\ConnectSend.svgz
C:\Program Files\PopGet.rtf
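Two things in the table above are the quickest file-level tells of ransomware in a report like this: a pair of identically named files (here NNRKZGVIH-DECRYPT.txt and fc74f11cfc74f6f17a.lock) created in every directory the process touches, and one process opening files of many unrelated types for modification. The Python below is an added example, not output of the sandbox or code from the sample: it parses rows in the layout this report uses for file events (description, target path, process path, target) and reports those two patterns. The sample rows are ten entries from the Program Files table, re-serialised in that layout; the thresholds of 3 directories and 4 extensions are this example's own choice.

```python
"""Triage file-event rows from a sandbox report for ransomware-style activity.

Added example for this report, not sandbox output or code from the sample.
Rows follow the layout "<description> <target path> <process path> N/A".
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# The target path may contain spaces ("Program Files (x86)"); the process path
# in this report does not, so it is taken as the last space-free token ending
# in .exe before the trailing "N/A".
ROW_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification) "
    r"(?P<target>.+) (?P<proc>\S+\.exe) N/A$"
)


class FileEvent(NamedTuple):
    desc: str
    target: str
    proc: str


def parse_rows(rows):
    """Parse report rows; rows that do not match the layout are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append(FileEvent(m["desc"], m["target"], m["proc"]))
    return events


def split_path(path):
    """Split a Windows path into (directory, filename, lower-case extension)."""
    directory, _, name = path.rpartition("\\")
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    return directory, name, ext


def triage(events, min_dirs=3, min_exts=4):
    """Per-process findings.

    marker_files: created filenames seen in at least min_dirs distinct
    directories (ransom notes and lock/marker files behave this way).
    modified_extensions: distinct extensions of files opened for modification;
    one process rewriting documents, images, fonts and archives alike is the
    mass-encryption pattern, so min_exts or more is flagged.
    Thresholds are this example's own choice, not the sandbox's.
    """
    created = defaultdict(lambda: defaultdict(set))  # proc -> name -> {dirs}
    modified = defaultdict(list)                      # proc -> [ext, ...]
    for ev in events:
        directory, name, ext = split_path(ev.target)
        if ev.desc == "File created":
            created[ev.proc][name].add(directory)
        else:
            modified[ev.proc].append(ext)

    findings = {}
    for proc in set(created) | set(modified):
        markers = {n: len(d) for n, d in created[proc].items() if len(d) >= min_dirs}
        exts = Counter(modified[proc])
        findings[proc] = {
            "marker_files": markers,
            "modified_count": sum(exts.values()),
            "modified_extensions": sorted(exts),
            "suspicious": bool(markers) or len(exts) >= min_exts,
        }
    return findings


# Ten of the 34 entries of the Program Files table in this report, re-serialised
# in the row layout above (PROC is the sample's path as logged).
PROC = r"C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe"
SAMPLE_ROWS = [
    rf"File opened for modification C:\Program Files\PushGroup.hta {PROC} N/A",
    rf"File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\NNRKZGVIH-DECRYPT.txt {PROC} N/A",
    rf"File opened for modification C:\Program Files\BlockOut.pptx {PROC} N/A",
    rf"File created C:\Program Files (x86)\NNRKZGVIH-DECRYPT.txt {PROC} N/A",
    rf"File created C:\Program Files\fc74f11cfc74f6f17a.lock {PROC} N/A",
    rf"File opened for modification C:\Program Files\UndoAdd.jpeg {PROC} N/A",
    rf"File created C:\Program Files\NNRKZGVIH-DECRYPT.txt {PROC} N/A",
    rf"File created C:\Program Files (x86)\fc74f11cfc74f6f17a.lock {PROC} N/A",
    rf"File opened for modification C:\Program Files\SetExport.mp3 {PROC} N/A",
    rf"File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\fc74f11cfc74f6f17a.lock {PROC} N/A",
]


def triage_report_excerpt():
    """Findings for the sample process over the rows above."""
    return triage(parse_rows(SAMPLE_ROWS))[PROC]


if __name__ == "__main__":
    for key, value in triage_report_excerpt().items():
        print(f"{key}: {value}")
```

On the ten rows the excerpt flags both marker files (each in three directories) and four unrelated extensions; on the full table the note and lock file each appear in five directories and 22 extensions are touched. The extension-count heuristic is a triage aid rather than a verdict: installers and backup tools also modify many file types, which is why the marker-file pattern is the stronger of the two.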

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan

Every row below is a write by the sample's own process to a machine-wide trusted-root store (AuthRoot, and in one case ROOT), under a key named by the certificate's SHA-1 thumbprint. Taken with the Network section (fetches of CA certificates and revocation lists from apps.identrust.com, x2.c.lencr.org and crl.geotrust.com) and the CryptnetUrlCache files in the Files section, this is consistent with the trace Windows leaves when it builds and caches certificate chains for a process's HTTPS connections; nothing in this detonation shows the sample adding a root of its own. The one Blob reproduced in full, for DAC9024F54D8F6DF94935FB1732638CA6AD77C13, carries the friendly name "DST Root CA X3" (readable in the UTF-16 bytes of property 11) and the DER certificate under property 32. Before using any of these thumbprints as an indicator, check it against Microsoft's trusted root program list.

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
All rows below are for process C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe with target N/A.

Set value (data) on the Blob value of each key below (the value bytes were not reproduced in this copy of the report; the count is the number of writes logged):
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob (2)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob (2)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob (2, in addition to the write shown above)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob (2)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob (1)

Key created:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945
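To see which certificate a Blob value actually carries, rather than trusting the thumbprint in the key name, decode the value. The Python below is an added example and not part of this report or of the sample: it parses the CryptoAPI property list that Windows stores in these Blob values (three little-endian DWORDs per property: the property id, a field that is 1 in every entry seen here, and the data length, followed by the data) and checks that the stored SHA-1 property matches the embedded DER certificate. REPORT_BLOB_PREFIX is the start of the DAC9024F... blob from the table above, cut four bytes into the certificate body so the truncation path is exercised; the round-trip uses a constructed byte string, not a real certificate. The property-id constants are the CERT_*_PROP_ID values from wincrypt.h.

```python
"""Decode a certificate Blob value from HKLM\SOFTWARE\Microsoft\SystemCertificates.

Added example for this report, not sandbox output. A Blob is a list of CryptoAPI
certificate properties: three little-endian DWORDs (property id, a field that is
1 in every entry seen here, data length) followed by the data. The property ids
are the CERT_*_PROP_ID constants from wincrypt.h.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3       # 20-byte thumbprint, also used as the key name
CERT_FRIENDLY_NAME_PROP_ID = 11  # UTF-16LE, NUL-terminated
CERT_CERT_PROP_ID = 32           # the DER-encoded certificate itself

HEADER = struct.Struct("<III")


def parse_cert_blob(blob: bytes) -> dict:
    """Return {prop_id: data} for each complete property.

    If a declared length runs past the end of the data (a report that cuts the
    hex off does this), the entry "truncated" records (prop_id, declared_length,
    bytes_available) and parsing stops there.
    """
    props, offset = {}, 0
    while offset + HEADER.size <= len(blob):
        prop_id, _, length = HEADER.unpack_from(blob, offset)
        offset += HEADER.size
        if offset + length > len(blob):
            props["truncated"] = (prop_id, length, len(blob) - offset)
            break
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def describe_cert_blob(blob_hex: str) -> dict:
    """Friendly name, stored SHA-1, and whether that SHA-1 matches the embedded
    DER certificate (None when the certificate body is absent or cut off)."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    der = props.get(CERT_CERT_PROP_ID)
    matches = None if der is None else hashlib.sha1(der).hexdigest() == stored
    return {"friendly_name": name, "sha1": stored,
            "der_matches_sha1": matches, "truncated": props.get("truncated")}


def build_cert_blob(der: bytes, friendly_name: str) -> bytes:
    """Build a Blob in the same layout (used for the constructed round-trip)."""
    def prop(prop_id: int, data: bytes) -> bytes:
        return HEADER.pack(prop_id, 1, len(data)) + data
    return (prop(CERT_FRIENDLY_NAME_PROP_ID, (friendly_name + "\x00").encode("utf-16-le"))
            + prop(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + prop(CERT_CERT_PROP_ID, der))


# Leading bytes of the DAC9024F... Blob from the table above: properties 15, 11,
# 9, 20, 29 and 3 in full, then the header of property 32 (declared length
# 0x34e = 846 bytes) and only the first 4 bytes of the certificate.
REPORT_BLOB_PREFIX = (
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "1d00000001000000100000004558d512eecb27464920897de7b66053"
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"
    "20000000010000004e0300003082034a"
)

# Constructed stand-in for a DER certificate; it is not a real certificate.
FAKE_DER = b"\x30\x82\x00\x10" + bytes(range(16))

if __name__ == "__main__":
    print(describe_cert_blob(REPORT_BLOB_PREFIX))
    print(describe_cert_blob(build_cert_blob(FAKE_DER, "Constructed Root").hex()))
```

Run against the prefix this yields friendly name DST Root CA X3 and the stored SHA-1 dac9024f54d8f6df94935fb1732638ca6ad77c13, with the certificate reported as truncated (846 bytes declared, 4 present); with the full blob from the report the same function would also tell you whether the key name matches the certificate actually stored, which is the check to run on any thumbprint you do not recognise.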

Suspicious use of AdjustPrivilegeToken

wmic.exe enables all the privileges its token holds when it starts, so the long list below is normal wmic start-up behaviour rather than something the sample did to the token; vssvc.exe, the Volume Shadow Copy service, enables SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege while servicing the request. The signal in this detonation is the "shadowcopy delete" command line under Processes, not the privilege adjustments. Tokens 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names; on Windows they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.

Description Indicator Process Target
Token enabled by C:\Windows\SysWOW64\wbem\wmic.exe (indicator N/A, target N/A; the whole sequence is logged twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Token enabled by C:\Windows\system32\vssvc.exe (indicator N/A, target N/A): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
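The process tree above is the whole of the "Deletes shadow copies" signature: the sample runs wmic.exe shadowcopy delete and the VSS service, vssvc.exe, carries it out. The image path is SysWOW64 while the command line names system32 because the sample is a 32-bit process and WOW64 file-system redirection resolves its request for system32 to SysWOW64. The Python below is an added detection example, not part of this report or of the sample: it matches process-creation records against the usual recovery-inhibition command lines (ATT&CK T1490) and compares the image by basename so the redirected path still matches. The records are constructed; the first reproduces the wmic.exe image and command line from this report, and every parent image is an assumption.

```python
"""Flag process creations that inhibit system recovery (MITRE ATT&CK T1490).

Added example for this report, not sandbox output or code from the sample.
Input is a process record of the kind the Processes section shows: image path,
command line and (assumed) parent image.
"""
import re
from typing import NamedTuple, Optional


class ProcessEvent(NamedTuple):
    image: str
    command_line: str
    parent_image: str


def normalise(command_line: str) -> str:
    """Lower-case, drop quote characters and collapse whitespace so the quoted
    image path and spacing in the command line do not affect matching."""
    return re.sub(r"\s+", " ", command_line.replace('"', "").replace("'", "")).strip().lower()


def basename(path: str) -> str:
    return path.replace("/", "\\").rpartition("\\")[2].lower()


# (image basename, pattern over the normalised command line, label).
# The image is compared by basename, so wmic.exe run from SysWOW64 (as in this
# report, where a 32-bit sample asked for system32) matches as well.
RULES = [
    ("wmic.exe", re.compile(r"\bshadowcopy\b.*\bdelete\b"), "wmic shadowcopy delete"),
    ("wmic.exe", re.compile(r"\bpath win32_shadowcopy\b.*\bdelete\b"), "wmic Win32_ShadowCopy delete"),
    ("vssadmin.exe", re.compile(r"\bdelete shadows\b"), "vssadmin delete shadows"),
    ("vssadmin.exe", re.compile(r"\bresize shadowstorage\b"), "vssadmin resize shadowstorage"),
    ("wbadmin.exe", re.compile(r"\bdelete (catalog|systemstatebackup)\b"), "wbadmin delete backups"),
    ("bcdedit.exe", re.compile(r"\brecoveryenabled no\b|\bbootstatuspolicy ignoreallfailures\b"),
     "bcdedit disable recovery"),
]


def detect_recovery_inhibition(ev: ProcessEvent) -> Optional[dict]:
    """Return a finding for the first matching rule, or None."""
    image, cmd = basename(ev.image), normalise(ev.command_line)
    for rule_image, pattern, label in RULES:
        if image == rule_image and pattern.search(cmd):
            return {"technique": "T1490", "rule": label, "image": ev.image,
                    "parent": ev.parent_image, "command_line": ev.command_line}
    return None


def scan(events):
    """Findings, in input order, for every event that matches a rule."""
    return [f for f in map(detect_recovery_inhibition, events) if f is not None]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe"

# Constructed records. The first reproduces the wmic.exe image and command line
# from this report; the parent images are assumed, and the rest are made up to
# exercise the other rules and two benign look-alikes.
EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\wbem\wmic.exe",
                 r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete', SAMPLE),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled No", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\wbem\wmic.exe",
                 "wmic os get caption", r"C:\Windows\System32\cmd.exe"),        # benign
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),      # benign
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding["rule"], "<-", finding["parent"])
```

Alert on the command line plus the parent: wmic.exe deleting shadow copies with a parent that is a freshly dropped executable in a user's Temp directory, as here, is a high-confidence signal on its own, whereas the privilege adjustments logged for wmic.exe and vssvc.exe above are what those binaries do on every run.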

Network

Apart from the resolver at 8.8.8.8 and the port-80 fetches of CA certificates and revocation lists (apps.identrust.com, x2.c.lencr.org, crl.geotrust.com), the hosts below are ordinary third-party websites, overwhelmingly Swiss and alpine hospitality businesses, of the kind GandCrab contacts in bulk to report infections. Treat the domain list as a behavioural signature of the family rather than as attacker-controlled infrastructure, and do not promote the resolved IPs (shared hosting and CDN ranges as they stood at detonation time) to blocklists.

Country Destination Domain Proto
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:443 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
HK 38.207.226.122:443 www.hotelweisshorn.com tcp
HK 38.207.226.122:443 www.hotelweisshorn.com tcp
HK 38.207.226.122:443 www.hotelweisshorn.com tcp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
US 8.8.8.8:53 www.hardrockhoteldavos.com udp
US 18.207.88.16:443 www.hardrockhoteldavos.com tcp
US 8.8.8.8:53 www.hardrockhotels.com udp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 8.8.8.8:53 www.belvedere-locarno.com udp
US 172.67.68.116:443 www.belvedere-locarno.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.153:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 www.hotelfarinet.com udp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
US 8.8.8.8:53 www.hrk-ramoz.com udp
HK 156.235.147.122:443 www.hrk-ramoz.com tcp
US 8.8.8.8:53 www.morcote-residenza.com udp
CH 194.191.24.37:443 www.morcote-residenza.com tcp
US 8.8.8.8:53 www.seitensprungzimmer24.com udp
DE 136.243.162.140:443 www.seitensprungzimmer24.com tcp
US 8.8.8.8:53 seitensprungzimmer24.com udp
DE 136.243.162.140:443 seitensprungzimmer24.com tcp
US 8.8.8.8:53 www.arbezie-hotel.com udp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
US 8.8.8.8:53 www.aubergemontblanc.com udp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
US 8.8.8.8:53 www.torhotel.com udp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
US 8.8.8.8:53 www.alpenlodge.com udp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
US 8.8.8.8:53 www.aparthotelzurich.com udp
US 104.17.182.58:443 www.aparthotelzurich.com tcp
US 8.8.8.8:53 www.bnbdelacolline.com udp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
US 8.8.8.8:53 www.elite-hotel.com udp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
US 8.8.8.8:53 www.bristol-adelboden.com udp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
US 8.8.8.8:53 www.nationalzermatt.com udp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
US 8.8.8.8:53 www.waageglarus.com udp
US 8.8.8.8:53 www.limmathof.com udp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
US 8.8.8.8:53 www.apartmenthaus.com udp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
US 8.8.8.8:53 www.berginsel.com udp
CH 80.74.145.65:443 www.berginsel.com tcp
US 8.8.8.8:53 berginsel-oberems.ch udp
CH 80.74.145.65:443 berginsel-oberems.ch tcp
US 8.8.8.8:53 www.chambre-d-hote-chez-fleury.com udp
IE 34.251.161.70:443 www.chambre-d-hote-chez-fleury.com tcp
US 8.8.8.8:53 www.hotel-blumental.com udp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
US 8.8.8.8:53 crl.geotrust.com udp
SE 192.229.221.95:80 crl.geotrust.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.la-fontaine.com udp
CA 213.199.57.77:443 www.la-fontaine.com tcp
CA 213.199.57.77:443 www.la-fontaine.com tcp
CA 213.199.57.77:443 www.la-fontaine.com tcp
CA 213.199.57.77:443 www.la-fontaine.com tcp
US 8.8.8.8:53 www.mountainhostel.com udp
IE 54.171.157.182:443 www.mountainhostel.com tcp
US 8.8.8.8:53 www.hotelalbanareal.com udp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
US 8.8.8.8:53 www.geneva.frasershospitality.com udp
US 8.8.8.8:53 www.luganohoteladmiral.com udp
NL 35.214.205.133:443 www.luganohoteladmiral.com tcp
US 8.8.8.8:53 www.bellevuewiesen.com udp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
US 8.8.8.8:53 www.hoteltruite.com udp
NL 185.107.56.194:443 www.hoteltruite.com tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.225:80 survey-smiles.com tcp
US 8.8.8.8:53 www.hotelgarni-battello.com udp
US 8.8.8.8:53 www.seminarhotel.com udp
CH 151.248.236.144:443 www.seminarhotel.com tcp
US 8.8.8.8:53 www.roemerturm.ch udp
CH 151.248.236.144:443 www.roemerturm.ch tcp
US 8.8.8.8:53 www.kroneregensberg.com udp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
US 8.8.8.8:53 www.puurehuus.com udp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
US 8.8.8.8:53 www.hotel-zermatt.com udp
CH 82.220.37.45:443 www.hotel-zermatt.com tcp
US 8.8.8.8:53 www.stchristophesa.com udp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
US 8.8.8.8:53 www.nh-hotels.com udp
BE 104.68.71.67:443 www.nh-hotels.com tcp
BE 104.68.71.67:443 www.nh-hotels.com tcp
BE 104.68.71.67:443 www.nh-hotels.com tcp
BE 104.68.71.67:443 www.nh-hotels.com tcp
US 8.8.8.8:53 www.schwendelberg.com udp
CH 193.17.199.27:443 www.schwendelberg.com tcp
CH 193.17.199.27:443 www.schwendelberg.com tcp
CH 193.17.199.27:443 www.schwendelberg.com tcp
CH 193.17.199.27:443 www.schwendelberg.com tcp
US 8.8.8.8:53 www.stalden.com udp
CH 193.33.128.144:443 www.stalden.com tcp
US 8.8.8.8:53 www.vignobledore.com udp
GB 213.129.84.57:443 www.vignobledore.com tcp
US 8.8.8.8:53 www.eyholz.com udp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
US 8.8.8.8:53 www.flemings-hotel.com udp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
US 8.8.8.8:53 www.hiexgeneva.com udp
CH 81.23.73.70:443 www.hiexgeneva.com tcp
US 8.8.8.8:53 www.expressgeneva.com udp
CH 81.23.73.70:443 www.expressgeneva.com tcp
US 8.8.8.8:53 www.petit-paradis.com udp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
US 8.8.8.8:53 www.berghaus-toni.com udp
US 34.149.87.45:443 www.berghaus-toni.com tcp
US 8.8.8.8:53 www.hotelglanis.com udp
US 34.149.87.45:443 www.hotelglanis.com tcp
US 8.8.8.8:53 www.16eme.com udp
US 34.149.87.45:443 www.16eme.com tcp
US 8.8.8.8:53 www.staubbach.com udp
DE 104.248.24.229:443 www.staubbach.com tcp
US 8.8.8.8:53 www.samnaunerhof.com udp
AT 94.198.139.116:443 www.samnaunerhof.com tcp
US 8.8.8.8:53 www.airporthotelbasel.com udp
US 104.17.185.58:443 www.airporthotelbasel.com tcp
US 8.8.8.8:53 www.elite-biel.com udp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
US 8.8.8.8:53 www.aubergecouronne.com udp
FR 46.105.204.26:443 www.aubergecouronne.com tcp
US 8.8.8.8:53 www.le-saint-hubert.com udp
US 34.149.87.45:443 www.le-saint-hubert.com tcp
US 8.8.8.8:53 www.bonmont.com udp
CH 195.141.14.125:443 www.bonmont.com tcp
US 8.8.8.8:53 www.cm-lodge.com udp
CH 149.126.4.89:443 www.cm-lodge.com tcp
US 8.8.8.8:53 www.experimentalchalet.com udp
US 35.241.50.205:443 www.experimentalchalet.com tcp
US 8.8.8.8:53 www.guardagolf.com udp
CH 83.166.138.8:443 www.guardagolf.com tcp
CH 83.166.138.8:443 www.guardagolf.com tcp
CH 83.166.138.8:443 www.guardagolf.com tcp
CH 83.166.138.8:443 www.guardagolf.com tcp
US 8.8.8.8:53 www.hotelchery.com udp
IT 5.144.168.210:443 www.hotelchery.com tcp
US 8.8.8.8:53 www.ibis.com udp
US 165.160.15.20:443 www.ibis.com tcp
US 165.160.13.20:443 www.ibis.com tcp
US 8.8.8.8:53 www.mercure.com udp
US 165.160.15.20:443 www.mercure.com tcp

Files

memory/2808-2-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2808-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\NNRKZGVIH-DECRYPT.txt

MD5 a3c8d90579b5e2847fa338fed28f2635
SHA1 e2c56a9d05cf701756559cb8af2abcf1ff32ce74
SHA256 06405a106ad0667835f80a9e2662a4b3b338df23b2b92065179b454f2308ca72
SHA512 a3c498775c136ead21ed23ed955c9101b2712ac97dd5ef4c441a3af6661337c41312d37bfe8c846416c7a1545c4835910e45294c853704d9bad971d00ee8efdf

memory/2808-733-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2808-735-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/2808-736-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB7AD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB94A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 47d14697b7afa3f685c1308f438ba111
SHA1 ef838dede6510ac20e2079037e70029df88c85b1
SHA256 745c8f5ba45a929a55084686d44fae0a572770e3036efc9b1a1098ddea709299
SHA512 737e75d59e16ed855fb65744aabda0c7a2e795681f40bb1d45d05f2d69c48deb3fb6a4d9acb399167a0722d4eb822dc4a716489f1f4ecd3289237ffda40968d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 012b1d8d60d4f225053a916a137fc2db
SHA1 aa5509d8057bf26ef8108e90238f58508315a1dc
SHA256 00502d9c59f7a2db9a0db706ee87c415812cbfffe932947344e11e6c6e9106ad
SHA512 fad358371d4ff038a922f1e7f2d2980fd5c00d629fcfb191a9998da522af21a0de7f629fa03841251580b060a4f914c7623bfa9beace33e52454e2afe135331b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a55974b87c3d6d5c57a8a32915465e11
SHA1 1664669cef46acb1029a3763bcd8418059fd8928
SHA256 b2bd8974905dc6594ae7592fe1ed29280eabfea928fbfd2f5ec9ba12d1296302
SHA512 f81378f16f54e9a044d32c74a65398aefb9a0bc9e23e66bd07ccc380612639a70e1501e2ff5e068be6d76651dba716f73ad1389423ae853ccff91526ed423c95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca118f3d70dc94ec4eec9c3f600dfef2
SHA1 d16501e3095053fb317e1cf0c1851dcf7813a516
SHA256 2b9c750981425ff4917f5d3ad9d01de8a8d10982fc7c4d74797258a500b42cec
SHA512 72ad1f6bee2f4f41b1a39ece0681b3fcb3ec9afda3340e9bf9d5ff787d9fa1bd5f20b8baad804385383d26bbe3cd7a2d8620a9c2ae087d35847035a017d3efad

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 14:33

Reported

2024-06-02 14:36

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (275) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OHSNOBW-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\f6c0813cf6c086d17a.lock C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DisableUnlock.vdw C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MergeExport.mov C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RemoveExpand.mpg C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RequestCheckpoint.m4a C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\OHSNOBW-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\FormatRepair.7z C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RedoClose.xsl C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DisableExit.xlsb C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ImportUnlock.jpeg C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RenameSelect.asf C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ShowAdd.avi C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WatchRead.vst C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExportRestore.wdp C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\NewLock.emf C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PublishOut.xls C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RemoveExport.php C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UninstallJoin.tif C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SplitRequest.png C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\TestDeny.dwfx C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UseEdit.rm C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File created C:\Program Files\f6c0813cf6c086d17a.lock C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ConvertFromDismount.css C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ImportConvertFrom.avi C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LockEnable.clr C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PushShow.vb C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResetDisconnect.mp4v C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ClearReceive.xps C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CloseCompress.jpg C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DebugLock.bmp C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LimitConnect.au C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SplitDismount.avi C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File created C:\Program Files\OHSNOBW-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RestoreUnblock.TS C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\TestMeasure.mov C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UnpublishRevoke.mpeg C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\f6c0813cf6c086d17a.lock C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 0f0000000100000010000000824bae7c7cb3a15ce851a396760574a30b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d00310000006200000001000000200000005f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c07090000000100000020000000301e06082b0601050507030306082b0601050507030406082b06010505070301140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c1d0000000100000010000000d06bc27453aa4f6d586437e5d3b377986800000001000000080000000000876ace99d1010300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a194520000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 0400000001000000100000008f5d770627c4983c5b9378e7d77d9bcc0300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a19456800000001000000080000000000876ace99d1011d0000000100000010000000d06bc27453aa4f6d586437e5d3b37798140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c090000000100000020000000301e06082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000005f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c070b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d00310000000f0000000100000010000000824bae7c7cb3a15ce851a396760574a320000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 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 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 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 C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e66e35fd856d36c49cfc7265f6cedac_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 22.249.75.77.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:443 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
US 8.8.8.8:53 161.53.26.217.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 68.20.126.94.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 195.15.227.239:443 www.pizcam.com tcp
US 8.8.8.8:53 239.227.15.195.in-addr.arpa udp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:443 www.swisswellness.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 www.hotelweisshorn.com udp
HK 38.207.226.122:443 www.hotelweisshorn.com tcp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:443 www.whitepod.com tcp
US 8.8.8.8:53 7.138.166.83.in-addr.arpa udp
US 8.8.8.8:53 www.hardrockhoteldavos.com udp
US 18.207.88.16:443 www.hardrockhoteldavos.com tcp
US 8.8.8.8:53 www.hardrockhotels.com udp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 8.8.8.8:53 crl.starfieldtech.com udp
US 8.8.8.8:53 52.3.101.151.in-addr.arpa udp
US 8.8.8.8:53 16.88.207.18.in-addr.arpa udp
US 192.124.249.31:80 crl.starfieldtech.com tcp
US 8.8.8.8:53 ocsp.int-r1.certainly.com udp
US 151.101.3.3:80 ocsp.int-r1.certainly.com tcp
US 8.8.8.8:53 31.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 hotel.hardrock.com udp
US 151.101.3.52:443 hotel.hardrock.com tcp
US 8.8.8.8:53 3.3.101.151.in-addr.arpa udp
US 8.8.8.8:53 www.belvedere-locarno.com udp
US 172.67.68.116:443 www.belvedere-locarno.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 www.hotelfarinet.com udp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
US 8.8.8.8:53 116.68.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.hrk-ramoz.com udp
HK 156.235.147.122:443 www.hrk-ramoz.com tcp
US 8.8.8.8:53 63.18.132.18.in-addr.arpa udp
US 8.8.8.8:53 www.morcote-residenza.com udp
CH 194.191.24.37:443 www.morcote-residenza.com tcp
US 8.8.8.8:53 www.seitensprungzimmer24.com udp
DE 136.243.162.140:443 www.seitensprungzimmer24.com tcp
US 8.8.8.8:53 37.24.191.194.in-addr.arpa udp
US 8.8.8.8:53 seitensprungzimmer24.com udp
DE 136.243.162.140:443 seitensprungzimmer24.com tcp
US 8.8.8.8:53 140.162.243.136.in-addr.arpa udp
US 8.8.8.8:53 www.arbezie-hotel.com udp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 www.aubergemontblanc.com udp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
US 8.8.8.8:53 13.138.166.83.in-addr.arpa udp
US 8.8.8.8:53 www.torhotel.com udp
CH 128.65.195.228:443 www.torhotel.com tcp
US 8.8.8.8:53 228.195.65.128.in-addr.arpa udp
US 8.8.8.8:53 www.alpenlodge.com udp
CH 217.26.55.76:443 www.alpenlodge.com tcp
US 8.8.8.8:53 76.55.26.217.in-addr.arpa udp
US 8.8.8.8:53 www.aparthotelzurich.com udp
US 104.17.184.58:443 www.aparthotelzurich.com tcp
US 8.8.8.8:53 www.bnbdelacolline.com udp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
US 8.8.8.8:53 58.184.17.104.in-addr.arpa udp
US 8.8.8.8:53 www.elite-hotel.com udp
CH 80.74.144.93:443 www.elite-hotel.com tcp
US 8.8.8.8:53 174.195.65.128.in-addr.arpa udp
US 8.8.8.8:53 elite-hotel.com udp
CH 80.74.144.93:443 elite-hotel.com tcp
US 8.8.8.8:53 93.144.74.80.in-addr.arpa udp
US 8.8.8.8:53 www.bristol-adelboden.com udp
IE 34.249.200.254:443 www.bristol-adelboden.com tcp
US 8.8.8.8:53 www.nationalzermatt.com udp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
US 8.8.8.8:53 254.200.249.34.in-addr.arpa udp
US 8.8.8.8:53 52.23.126.94.in-addr.arpa udp
US 8.8.8.8:53 nationalzermatt.ch udp
CH 94.126.23.52:443 nationalzermatt.ch tcp
US 8.8.8.8:53 www.waageglarus.com udp
US 8.8.8.8:53 www.limmathof.com udp
CH 217.26.52.10:443 www.limmathof.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.apartmenthaus.com udp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
US 8.8.8.8:53 www.berginsel.com udp
CH 80.74.145.65:443 www.berginsel.com tcp
US 8.8.8.8:53 berginsel-oberems.ch udp
CH 80.74.145.65:443 berginsel-oberems.ch tcp
US 8.8.8.8:53 10.52.26.217.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 27.60.26.217.in-addr.arpa udp
US 8.8.8.8:53 65.145.74.80.in-addr.arpa udp
US 8.8.8.8:53 www.chambre-d-hote-chez-fleury.com udp
IE 34.251.161.70:443 www.chambre-d-hote-chez-fleury.com tcp
US 8.8.8.8:53 www.hotel-blumental.com udp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 70.161.251.34.in-addr.arpa udp
US 8.8.8.8:53 30.21.126.94.in-addr.arpa udp
US 8.8.8.8:53 www.la-fontaine.com udp
CA 213.199.57.77:443 www.la-fontaine.com tcp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 77.57.199.213.in-addr.arpa udp
US 8.8.8.8:53 www.mountainhostel.com udp
IE 54.171.157.182:443 www.mountainhostel.com tcp
US 8.8.8.8:53 www.hotelalbanareal.com udp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
US 8.8.8.8:53 www.geneva.frasershospitality.com udp
US 8.8.8.8:53 www.luganohoteladmiral.com udp
NL 35.214.205.133:443 www.luganohoteladmiral.com tcp
US 8.8.8.8:53 182.157.171.54.in-addr.arpa udp
US 8.8.8.8:53 153.36.193.18.in-addr.arpa udp
US 8.8.8.8:53 133.205.214.35.in-addr.arpa udp
US 8.8.8.8:53 www.bellevuewiesen.com udp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
US 8.8.8.8:53 www.hoteltruite.com udp
NL 185.107.56.194:443 www.hoteltruite.com tcp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 218.93.65.159.in-addr.arpa udp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.225:80 survey-smiles.com tcp
US 8.8.8.8:53 www.hotelgarni-battello.com udp
US 8.8.8.8:53 www.seminarhotel.com udp
CH 151.248.236.144:443 www.seminarhotel.com tcp
US 8.8.8.8:53 194.56.107.185.in-addr.arpa udp
US 8.8.8.8:53 225.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 www.roemerturm.ch udp
CH 151.248.236.144:443 www.roemerturm.ch tcp
US 8.8.8.8:53 144.236.248.151.in-addr.arpa udp
US 8.8.8.8:53 www.kroneregensberg.com udp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
US 8.8.8.8:53 254.60.26.217.in-addr.arpa udp
US 8.8.8.8:53 kroneregensberg.com udp
CH 217.26.60.254:443 kroneregensberg.com tcp
US 8.8.8.8:53 www.puurehuus.com udp
CH 217.26.54.189:443 www.puurehuus.com tcp
US 8.8.8.8:53 www.hotel-zermatt.com udp
CH 82.220.37.45:443 www.hotel-zermatt.com tcp
US 8.8.8.8:53 www.stchristophesa.com udp
CH 83.166.133.76:443 www.stchristophesa.com tcp
US 8.8.8.8:53 189.54.26.217.in-addr.arpa udp
US 8.8.8.8:53 45.37.220.82.in-addr.arpa udp
US 8.8.8.8:53 www.nh-hotels.com udp
BE 104.68.71.67:443 www.nh-hotels.com tcp
US 8.8.8.8:53 76.133.166.83.in-addr.arpa udp
US 8.8.8.8:53 www.schwendelberg.com udp
CH 193.17.199.27:443 www.schwendelberg.com tcp
US 8.8.8.8:53 www.stalden.com udp
CH 193.33.128.144:443 www.stalden.com tcp
US 8.8.8.8:53 67.71.68.104.in-addr.arpa udp
US 8.8.8.8:53 27.199.17.193.in-addr.arpa udp
US 8.8.8.8:53 www.vignobledore.com udp
GB 213.129.84.57:443 www.vignobledore.com tcp
US 8.8.8.8:53 www.eyholz.com udp
CH 81.201.201.94:443 www.eyholz.com tcp
US 8.8.8.8:53 144.128.33.193.in-addr.arpa udp
US 8.8.8.8:53 57.84.129.213.in-addr.arpa udp
US 8.8.8.8:53 94.201.201.81.in-addr.arpa udp
US 8.8.8.8:53 www.eyholz.info udp
CH 81.201.201.94:443 www.eyholz.info tcp
US 8.8.8.8:53 www.flemings-hotel.com udp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
US 8.8.8.8:53 226.206.227.188.in-addr.arpa udp
US 8.8.8.8:53 www.hiexgeneva.com udp
CH 81.23.73.70:443 www.hiexgeneva.com tcp
US 8.8.8.8:53 www.expressgeneva.com udp
CH 81.23.73.70:443 www.expressgeneva.com tcp
US 8.8.8.8:53 70.73.23.81.in-addr.arpa udp
US 8.8.8.8:53 www.petit-paradis.com udp
GB 185.151.30.132:443 www.petit-paradis.com tcp
US 8.8.8.8:53 www.berghaus-toni.com udp
US 34.149.87.45:443 www.berghaus-toni.com tcp
US 8.8.8.8:53 www.hotelglanis.com udp
US 34.149.87.45:443 www.hotelglanis.com tcp
US 8.8.8.8:53 45.87.149.34.in-addr.arpa udp
US 8.8.8.8:53 132.30.151.185.in-addr.arpa udp
US 8.8.8.8:53 www.16eme.com udp
US 34.149.87.45:443 www.16eme.com tcp
US 8.8.8.8:53 www.staubbach.com udp
DE 104.248.24.229:443 www.staubbach.com tcp
US 8.8.8.8:53 229.24.248.104.in-addr.arpa udp
US 8.8.8.8:53 www.samnaunerhof.com udp
AT 94.198.139.116:443 www.samnaunerhof.com tcp
US 8.8.8.8:53 www.airporthotelbasel.com udp
US 104.17.186.58:443 www.airporthotelbasel.com tcp
US 8.8.8.8:53 www.elite-biel.com udp
CH 94.126.23.52:443 www.elite-biel.com tcp
US 8.8.8.8:53 58.186.17.104.in-addr.arpa udp
US 8.8.8.8:53 116.139.198.94.in-addr.arpa udp
US 8.8.8.8:53 www.aubergecouronne.com udp
FR 46.105.204.26:443 www.aubergecouronne.com tcp
US 8.8.8.8:53 26.204.105.46.in-addr.arpa udp
US 8.8.8.8:53 www.le-saint-hubert.com udp
US 34.149.87.45:443 www.le-saint-hubert.com tcp
US 8.8.8.8:53 www.bonmont.com udp
CH 195.141.14.125:443 www.bonmont.com tcp
US 8.8.8.8:53 125.14.141.195.in-addr.arpa udp
US 8.8.8.8:53 www.cm-lodge.com udp
CH 149.126.4.89:443 www.cm-lodge.com tcp
US 8.8.8.8:53 www.experimentalchalet.com udp
US 35.241.50.205:443 www.experimentalchalet.com tcp
US 8.8.8.8:53 www.guardagolf.com udp
CH 83.166.138.8:443 www.guardagolf.com tcp
US 8.8.8.8:53 89.4.126.149.in-addr.arpa udp
US 8.8.8.8:53 205.50.241.35.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 8.138.166.83.in-addr.arpa udp
US 8.8.8.8:53 guardagolf.com udp
CH 83.166.138.8:80 guardagolf.com tcp
CH 83.166.138.8:443 guardagolf.com tcp
US 8.8.8.8:53 www.hotelchery.com udp
IT 5.144.168.210:443 www.hotelchery.com tcp
US 8.8.8.8:53 210.168.144.5.in-addr.arpa udp
US 8.8.8.8:53 www.ibis.com udp
US 165.160.15.20:443 www.ibis.com tcp
US 165.160.13.20:443 www.ibis.com tcp

Files

memory/1792-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1792-2-0x0000000000400000-0x0000000000428000-memory.dmp

C:\PerfLogs\OHSNOBW-DECRYPT.txt

MD5 406424825720e2473c20f40a0fe909bb
SHA1 f3325c404462f6ca0d6f4cbaf82aee38988d6fcf
SHA256 c3710286645d09062bcd140a36de79b69dc3387a7f03d37bbfdb10a57e6216cd
SHA512 5deae24faff1cc8a481eeb7c8378c28de7dac3e6477f0ea2aea3316b766e769d5d6d656573e8e0abbae1ccd402ca02da5e025cb71ab7564355f33e44edd5532c

memory/1792-433-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1792-450-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1792-454-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1792-455-0x0000000000400000-0x0000000000428000-memory.dmp