Malware Analysis Report

2024-09-23 05:51

Sample ID 240603-jjzqzahe78
Target 90fcb728b7b4208b69c298ff4207643e_JaffaCakes118
SHA256 71c42f76c27bdec143e530ba237191c641cf060bbb3e8d85248396b44cc76a9c
Tags
gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71c42f76c27bdec143e530ba237191c641cf060bbb3e8d85248396b44cc76a9c

Threat Level: Known bad

The file 90fcb728b7b4208b69c298ff4207643e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Gandcrab

Deletes shadow copies

Renames multiple (268) files with added filename extension

Renames multiple (289) files with added filename extension

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:42

Reported

2024-06-03 07:45

Platform

win7-20231129-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (289) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ImportInstall.vsdx C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\InstallUpdate.png C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SubmitInitialize.jpg C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UndoEnter.wma C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DPLMW-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\HideReset.xltx C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResetDeny.eps C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\StartRegister.wps C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WriteUse.vstm C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WriteWait.rtf C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\28d159ea28d15e076b.lock C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MeasureFormat.ini C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DenyExit.aifc C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ImportSwitch.xlsb C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MountSet.TTS C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PublishProtect.scf C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RestartInitialize.docx C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DPLMW-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ClearDisconnect.mpeg2 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BackupClose.png C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CheckpointInitialize.wvx C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExitEnable.asp C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LimitUnpublish.dotx C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RegisterShow.mhtml C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResolvePush.ex_ C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UndoGrant.odp C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ApprovePublish.clr C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\DPLMW-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UndoStop.dib C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BackupTrace.vssx C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MeasureInvoke.xlsx C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\StopExport.gif C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\28d159ea28d15e076b.lock C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\28d159ea28d15e076b.lock C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files\DPLMW-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\FormatCopy.xls C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DPLMW-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BackupStop.tif C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ImportRename.tmp C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\JoinSet.iso C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SubmitRedo.xhtml C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ConfirmSkip.gif C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\OutRevoke.mpeg C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\28d159ea28d15e076b.lock C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files\28d159ea28d15e076b.lock C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
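The note name (DPLMW-DECRYPT.txt) and the lock marker (28d159ea28d15e076b.lock) dropped into every directory in this table are the artifacts an incident responder sweeps other hosts for. What follows is an added example, not part of the sandbox report: it classifies a file listing into ransom notes, lock markers and encrypted files, and derives the appended extension from the note name instead of requiring it up front. Two assumptions are built in and marked in the code: that the note is named after the appended extension (a GandCrab v5 naming convention the report itself does not state), and the .dplmw names in the constructed listing, since the report gives only the count of renamed files, not the extension they received. All other paths in the listing are taken from the table above.

```python
"""Sweep a file listing for GandCrab-style ransomware artifacts.
Added example, not part of the sandbox report."""
import ntpath
import os
import re
from collections import Counter

# <EXT>-DECRYPT.txt is the note name seen in the report; .html is the other
# GandCrab note format (assumption, not shown in the report).
NOTE_RE = re.compile(r"^(?P<prefix>[A-Z]{4,10})-DECRYPT\.(txt|html)$")
LOCK_RE = re.compile(r"^(?P<id>[0-9a-f]{16,})\.lock$", re.I)

# Constructed listing: note and lock paths are from the report's table; the
# *.dplmw names are ASSUMED post-rename names (the report does not show the
# appended extension), and the last two paths are untouched files.
SAMPLE_PATHS = [
    r"C:\Program Files\DPLMW-DECRYPT.txt",
    r"C:\Program Files\28d159ea28d15e076b.lock",
    r"C:\Program Files (x86)\DPLMW-DECRYPT.txt",
    r"C:\Program Files (x86)\28d159ea28d15e076b.lock",
    r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DPLMW-DECRYPT.txt",
    r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\28d159ea28d15e076b.lock",
    r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DPLMW-DECRYPT.txt",
    r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\28d159ea28d15e076b.lock",
    r"C:\Program Files\ImportInstall.vsdx.dplmw",
    r"C:\Program Files\InstallUpdate.png.dplmw",
    r"C:\Program Files\WriteWait.rtf.dplmw",
    r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\readme.txt.dplmw",
    r"C:\Program Files\MeasureFormat.ini",
    r"C:\Windows\System32\notepad.exe",
]


def triage(paths):
    """Classify paths into ransom notes, lock markers and encrypted files.

    The appended extension is derived from the note prefix (assumption: the
    note <EXT>-DECRYPT.txt is named after the extension the malware appends),
    so the sweep works before anyone has looked at a renamed file.
    ntpath handles both '\\' and '/' separators, so listings from a mounted
    image on Linux work as well as native Windows paths."""
    notes, locks, rest = [], [], []
    for p in paths:
        name = ntpath.basename(p)
        if NOTE_RE.match(name):
            notes.append(p)
        elif LOCK_RE.match(name):
            locks.append(p)
        else:
            rest.append(p)
    prefixes = Counter(NOTE_RE.match(ntpath.basename(p))["prefix"] for p in notes)
    lock_ids = Counter(LOCK_RE.match(ntpath.basename(p))["id"].lower() for p in locks)
    ext = "." + prefixes.most_common(1)[0][0].lower() if prefixes else None
    encrypted = [p for p in rest if ext and p.lower().endswith(ext)]
    note_dirs = {ntpath.dirname(p) for p in notes}
    enc_dirs = {ntpath.dirname(p) for p in encrypted}
    return {
        "extension": ext,
        "notes": notes,
        # one lock id per victim machine is the norm; several ids means
        # several infections or several runs
        "lock_ids": dict(lock_ids),
        "encrypted": encrypted,
        "encrypted_per_dir": dict(Counter(ntpath.dirname(p) for p in encrypted)),
        # directories that got a note but where nothing was renamed: either
        # nothing worth encrypting there or encryption was interrupted
        "note_dirs_without_encrypted_files": sorted(note_dirs - enc_dirs),
    }


def sweep(root):
    """Run triage over a real evidence tree (NTFS mount or Windows volume)."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)
```

Running triage(SAMPLE_PATHS) reports the extension as .dplmw, four notes, a single lock id seen four times, three renamed files under C:\Program Files and one under the v3.5 directory, and flags the two directories that received a note but no renamed file.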

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan

Caveat: every write below lands in the machine AuthRoot or ROOT store, and the one blob logged in full (ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8) decodes to the public ISRG Root X1 certificate, whose SHA-1 thumbprint is that key name. Together with the fetches from apps.identrust.com and x2.c.lencr.org in the network table, this is consistent with Windows' automatic root update running inside the process during the sample's HTTPS connections rather than with the sample planting a root of its own. Treat the signature as corroboration of the network activity, not as evidence of certificate tampering, unless a blob decodes to an unknown issuer or its SHA-1 disagrees with the key name.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
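The one Blob value logged in full above can be decoded offline to see which certificate was written, which is the check that separates a root planted by malware from Windows housekeeping. The following is an added example, not part of the sandbox report: it parses the SystemCertificates Blob property records (the wincrypt.h layout of DWORD property id, DWORD reserved, DWORD length, data), pulls the DER certificate out of property 32, reads the serial, issuer, subject and validity with a minimal DER walker, and checks that the registry key name, the stored SHA-1 property and the SHA-1 of the DER all agree. The key name and blob are copied from the ROOT\Certificates\CABD2A79... row; the code itself, its function names and the property-id constants are the example's own, using only the Python standard library.

```python
# Decode a SystemCertificates 'Blob' registry value (added example, not part of
# the sandbox report). Record layout and property IDs are from wincrypt.h.
import hashlib
import struct

# Registry key name and Blob value as logged in the report's ROOT\Certificates row.
KEY_THUMBPRINT = "CABD2A79A1076A31F21D253635CB039D4329A5E8"
BLOB_HEX = "".join("""
0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e
030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63
1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f050000
3082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b30090603550406130255533129
3027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831
301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e
65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01
010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed133
3cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc2
8e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e5020798
8f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a51
6e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c
863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d13
0101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100
551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3b
ef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29
868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae
4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f2
2de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e04
06cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827
""".split())

# wincrypt.h property IDs present in this blob: 3=CERT_SHA1_HASH_PROP_ID,
# 4=MD5_HASH, 15=SIGNATURE_HASH, 20=KEY_IDENTIFIER, 25=SUBJECT_PUBLIC_KEY_MD5_HASH,
# 32=CERT_CERT_PROP_ID (the DER-encoded certificate itself).
CERT_CERT_PROP_ID, CERT_SHA1_HASH_PROP_ID = 32, 3


def parse_blob(blob):
    """Records of DWORD propid, DWORD reserved (always 1), DWORD cbData, data."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + size > len(blob):
            raise ValueError("malformed property %d at offset %d" % (prop_id, off - 12))
        props[prop_id] = blob[off:off + size]
        off += size
    return props


def _tlv(buf, off):
    """Minimal DER reader: (tag, value_start, value_end) of the element at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def _children(buf, start, end):
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve


def _common_name(buf, start, end):
    """CN (OID 2.5.4.3 = 55 04 03) from an X.501 Name: SEQ of SET of SEQ{oid, value}."""
    for _, rdn_s, rdn_e in _children(buf, start, end):
        for _, atv_s, _ in _children(buf, rdn_s, rdn_e):
            _, oid_s, oid_e = _tlv(buf, atv_s)
            if buf[oid_s:oid_e] == b"\x55\x04\x03":
                _, v_s, v_e = _tlv(buf, oid_e)
                return buf[v_s:v_e].decode("utf-8")
    return None


def cert_summary(der):
    """Serial, issuer/subject CN, validity and SHA-1 thumbprint of a DER certificate."""
    _, c_s, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, t_s, t_e = _tlv(der, c_s)             # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, t_s, t_e))
    if fields[0][0] == 0xA0:                 # skip [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = list(_children(der, validity[1], validity[2]))
    return {
        "serial": der[serial[1]:serial[2]].hex(),
        "issuer_cn": _common_name(der, issuer[1], issuer[2]),
        "subject_cn": _common_name(der, subject[1], subject[2]),
        "not_before": der[not_before[1]:not_before[2]].decode("ascii"),
        "not_after": der[not_after[1]:not_after[2]].decode("ascii"),
        "sha1": hashlib.sha1(der).hexdigest().upper(),
    }


def analyse_blob(blob_hex, key_thumbprint):
    """Summarise the certificate and check key name == SHA-1 property == sha1(DER)."""
    props = parse_blob(bytes.fromhex(blob_hex))
    info = cert_summary(props[CERT_CERT_PROP_ID])
    info["property_ids"] = sorted(props)
    info["sha1_property"] = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    info["consistent"] = key_thumbprint == info["sha1_property"] == info["sha1"]
    return info
```

analyse_blob(BLOB_HEX, KEY_THUMBPRINT) returns subject and issuer CN "ISRG Root X1", serial 008210cfb0d240e3594463e0bb63828b00, validity 2015-06-04 to 2035-06-04 and consistent == True. A store entry written by malware to trust its own interception certificate would show an unfamiliar subject, and a hand-crafted blob whose SHA-1 property or key name does not match the DER is a stronger signal still; the same parser applied to the elided AuthRoot blobs in the table would settle those rows too.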

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
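The tree above is the standard ransomware pre-encryption step: the dropped executable spawns wmic.exe with "shadowcopy delete" (the AdjustPrivilegeToken table lists the wmic privilege set twice, consistent with two invocations), and the VSS service process vssvc.exe is then seen enabling SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege to service the request. Note that the logged image is the SysWOW64 copy of wmic.exe while the command line names system32: a 32-bit process is redirected by WOW64, so a detection that keys on the system32 path misses it. What follows is an added example, not part of the sandbox report: a small rule set run over constructed Sysmon-style process-creation events modelled on this tree (the PIDs and the explorer.exe parent are invented), matching on image name rather than directory and raising severity when the parent image lives under a user-writable path.

```python
"""Detect shadow-copy and recovery deletion from process-creation telemetry.
Added example, not part of the sandbox report; events are constructed."""
import re

# Constructed Sysmon-style (Event ID 1) records modelled on the report's process
# tree. PIDs and the explorer.exe parent are invented; images and command lines
# of the sample, wmic.exe and vssvc.exe are as logged.
EVENTS = [
    {"pid": 1700, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 2032, "ppid": 1700,
     "image": r"C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe"'},
    # 32-bit sample: command line says system32, image loaded is the WOW64 copy
    {"pid": 2208, "ppid": 2032, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmd": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"pid": 2300, "ppid": 2032, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmd": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"pid": 2400, "ppid": 600, "image": r"C:\Windows\system32\vssvc.exe",
     "cmd": r"C:\Windows\system32\vssvc.exe"},
    # benign administrative use that must not fire
    {"pid": 2500, "ppid": 1700, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic os get caption"},
    {"pid": 2600, "ppid": 1700, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
]

# (rule name, image-name pattern, command-line pattern). Anchoring on the file
# name keeps system32 and SysWOW64 variants under one rule.
RULES = [
    ("wmic shadowcopy delete",   r"\\wmic\.exe$",     r"\bshadowcopy\s+delete\b"),
    ("vssadmin delete shadows",  r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("wbadmin delete catalog",   r"\\wbadmin\.exe$",  r"\bdelete\s+catalog\b"),
    ("bcdedit disable recovery", r"\\bcdedit\.exe$",
     r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
]
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)


def detect(events):
    """Return one finding per event whose image and command line match a rule.

    Severity is raised when the parent image sits in a user-writable directory,
    the shape a dropped ransomware payload produces; the same command from an
    admin's console is reported at medium for a human to look at."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        for name, image_re, cmd_re in RULES:
            if not (re.search(image_re, e["image"], re.I)
                    and re.search(cmd_re, e["cmd"], re.I)):
                continue
            parent = by_pid.get(e["ppid"])
            from_user_dir = bool(parent and USER_WRITABLE.search(parent["image"]))
            findings.append({
                "rule": name,
                "pid": e["pid"],
                "parent_image": parent["image"] if parent else None,
                "wow64": "\\syswow64\\" in e["image"].lower(),
                "severity": "high" if from_user_dir else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On the constructed events detect() returns exactly two findings, both "wmic shadowcopy delete" at high severity with wow64 set, for the two wmic children of the sample; the benign wmic and vssadmin queries produce nothing. A process-creation source that records only the image path and not the command line cannot implement this rule, which is why Sysmon Event ID 1 or Security 4688 with command-line auditing enabled is the prerequisite.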

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:443 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
HK 38.207.226.122:443 www.hotelweisshorn.com tcp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
US 8.8.8.8:53 www.hardrockhoteldavos.com udp
US 18.207.88.16:443 www.hardrockhoteldavos.com tcp
US 8.8.8.8:53 www.hardrockhotels.com udp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 8.8.8.8:53 www.belvedere-locarno.com udp
US 104.26.7.206:443 www.belvedere-locarno.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.152:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 www.hotelfarinet.com udp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
US 8.8.8.8:53 www.hrk-ramoz.com udp
HK 156.235.147.122:443 www.hrk-ramoz.com tcp
US 8.8.8.8:53 www.morcote-residenza.com udp
CH 194.191.24.37:443 www.morcote-residenza.com tcp
US 8.8.8.8:53 www.seitensprungzimmer24.com udp
DE 136.243.162.140:443 www.seitensprungzimmer24.com tcp
US 8.8.8.8:53 seitensprungzimmer24.com udp
DE 136.243.162.140:443 seitensprungzimmer24.com tcp
US 8.8.8.8:53 www.arbezie-hotel.com udp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
US 8.8.8.8:53 www.aubergemontblanc.com udp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
US 8.8.8.8:53 www.torhotel.com udp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
US 8.8.8.8:53 www.alpenlodge.com udp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
US 8.8.8.8:53 www.aparthotelzurich.com udp
US 104.17.185.58:443 www.aparthotelzurich.com tcp
US 8.8.8.8:53 www.bnbdelacolline.com udp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
US 8.8.8.8:53 www.elite-hotel.com udp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
US 8.8.8.8:53 www.bristol-adelboden.com udp
IE 63.35.51.142:443 www.bristol-adelboden.com tcp
IE 63.35.51.142:443 www.bristol-adelboden.com tcp
IE 63.35.51.142:443 www.bristol-adelboden.com tcp
IE 63.35.51.142:443 www.bristol-adelboden.com tcp
US 8.8.8.8:53 www.nationalzermatt.com udp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
US 8.8.8.8:53 www.waageglarus.com udp
US 8.8.8.8:53 www.limmathof.com udp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
US 8.8.8.8:53 www.apartmenthaus.com udp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
US 8.8.8.8:53 www.berginsel.com udp
CH 80.74.145.65:443 www.berginsel.com tcp
US 8.8.8.8:53 berginsel-oberems.ch udp
CH 80.74.145.65:443 berginsel-oberems.ch tcp
US 8.8.8.8:53 www.chambre-d-hote-chez-fleury.com udp
IE 34.251.161.70:443 www.chambre-d-hote-chez-fleury.com tcp
US 8.8.8.8:53 www.hotel-blumental.com udp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
US 8.8.8.8:53 crl.geotrust.com udp
SE 192.229.221.95:80 crl.geotrust.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.la-fontaine.com udp
CA 213.199.57.77:443 www.la-fontaine.com tcp
CA 213.199.57.77:443 www.la-fontaine.com tcp

Files

memory/1920-1-0x0000000000610000-0x0000000000710000-memory.dmp

memory/1920-2-0x0000000000400000-0x0000000000428000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\DPLMW-DECRYPT.txt


memory/1920-758-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1920-759-0x0000000000610000-0x0000000000710000-memory.dmp

memory/1920-761-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\Local\Temp\Tar43A.tmp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:42

Reported

2024-06-03 07:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (268) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\TXHGPMJVDP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\608497a9608490446b.lock C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\CompareMove.xlt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CopySend.midi C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MountPop.svg C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UnblockInstall.dib C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReadSync.dib C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RedoMeasure.au C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResolveConvertTo.inf C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\TXHGPMJVDP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files\TXHGPMJVDP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files\608497a9608490446b.lock C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CheckpointGrant.3gp2 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\JoinReset.ex_ C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ProtectRestart.avi C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResolveEnter.mhtml C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\TestRename.mpeg C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ClearCopy.pptx C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CompareMount.mht C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\EnableMount.vdw C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RepairSelect.xlt C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RestoreInvoke.search-ms C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\StartConvert.DVR C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\608497a9608490446b.lock C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945 C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90fcb728b7b4208b69c298ff4207643e_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/2092-2-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2092-1-0x00000000006C0000-0x00000000007C0000-memory.dmp

C:\PerfLogs\TXHGPMJVDP-DECRYPT.txt

MD5 8cf8969549776a659e7993919002a89e
SHA1 a1f10ad1189a5168554db689aa08a124666d1e80
SHA256 45fea4297e1c74a1e75318c188898599b43ab55ab7033bfbba7c1bbb90760bf8
SHA512 6a26177d400a175e54ae6da662c1aa3cced8edc1ed355df591e84ad6fb4b8315ed0603c6225b478f23429896bbf3d71afb8d56089cb6e8097025d0fe05745dd5

