Analysis Overview
SHA256
4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
Threat Level: Likely malicious
The file a1be3cbefb845eac49a0cad049876a73_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Checks for common network interception software
Enumerates VirtualBox registry keys
Looks for VirtualBox Guest Additions in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VMWare Tools registry key
Reads user/profile data of web browsers
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Checks system information in the registry
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 18:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 18:28
Reported
2024-06-12 18:31
Platform
win7-20231129-en
Max time kernel
138s
Max time network
122s
Command Line
Signatures
Checks for common network interception software
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\fonts\pns.ttf | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0 | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /test
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /restart /util
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chistilka.com | udp |
| US | 8.8.8.8:53 | api.amplitude.com | udp |
| US | 44.240.109.3:80 | api.amplitude.com | tcp |
| DE | 80.240.18.87:80 | chistilka.com | tcp |
| US | 8.8.8.8:53 | stat2.chistilka.com | udp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| US | 8.8.8.8:53 | chistilka.ru | udp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| US | 104.21.37.8:443 | chistilka.ru | tcp |
| US | 8.8.8.8:53 | i.pki.goog | udp |
| GB | 172.217.169.67:80 | i.pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 44.240.109.3:80 | api.amplitude.com | tcp |
| US | 8.8.8.8:53 | chistilka.com | udp |
| US | 8.8.8.8:53 | update.chistilka.com | udp |
| DE | 80.240.18.87:443 | chistilka.com | tcp |
| FR | 5.135.140.26:443 | update.chistilka.com | tcp |
| US | 44.240.109.3:80 | api.amplitude.com | tcp |
| US | 8.8.8.8:53 | pay.chistilka.com | udp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| DE | 140.82.35.84:80 | 140.82.35.84 | tcp |
| FR | 54.37.81.78:80 | stat2.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 8.8.8.8:53 | new.config.chistilka.com | udp |
| US | 8.8.8.8:53 | time.google.com | udp |
| US | 44.240.109.3:80 | api.amplitude.com | tcp |
| US | 104.21.37.8:443 | chistilka.ru | tcp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| DE | 80.240.18.87:443 | chistilka.com | tcp |
| FR | 5.135.140.26:443 | update.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
Files
\ProgramData\Чистилка\Чистилка.exe
| MD5 | a1be3cbefb845eac49a0cad049876a73 |
| SHA1 | 68f8f9ed528a21ca796fe3fa228b8e0ad1141218 |
| SHA256 | 4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd |
| SHA512 | c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk
| MD5 | 5ad4011ed312ded0730c6e6c3b6e8ec0 |
| SHA1 | 585b6955d977987f79cb26108681b79139b3804f |
| SHA256 | a6c5fc3ef8e7518266a9e37da7bc77100c9bc29bb156646da8823ec46601ed63 |
| SHA512 | 2765594f8250dbaf48d93432b7f72646f68b12af354f165a48a6b74386bee2bbacaf9e7850e35347db144d83b7bc9d71620cb7ead8a9c389f6f4e6ad83f8d772 |
C:\Users\Public\Desktop\Чистилка.lnk
| MD5 | 878065c613c8c619e684dcf2fdef55bb |
| SHA1 | 33f3c592603b472e817f7ffdbbe201ce4e10a4b5 |
| SHA256 | 02d9447bea51c58af833a9d3f1fb4439765dbc5d941ec2ff2145059c24baf998 |
| SHA512 | 70828d9f36a5e481566da00cf4c688b2586798637141edc08348e007061791700ca3e6c81de085bb2f82f2ae96373a05662cef49e61bf8a368e18c508d53e1de |
memory/2956-49-0x00000000003D0000-0x00000000003D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
| MD5 | d7ebb78bf1f0e4a8278b2d63013b1134 |
| SHA1 | 498b315dcba9bf4403d6748be61453d5d8991b61 |
| SHA256 | c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8 |
| SHA512 | ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312 |
memory/2956-66-0x0000000000A40000-0x0000000000F9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\clnEC3.tmp
| MD5 | abee4387ab69da821ed9397cc651597d |
| SHA1 | 5d14f4afdbe15448bf884b528ffffab874f920a7 |
| SHA256 | ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22 |
| SHA512 | e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904 |
C:\ProgramData\Чистилка\settings.json
| MD5 | bfda7ae0084bf200cca8abb94c0e46a2 |
| SHA1 | d8bcefd54c862290862f6d06edaef226c8fd7911 |
| SHA256 | 392d65add004805bbe7346e85f8f802dcfddcfe6302e047ccee1b02881d8a136 |
| SHA512 | f36d2266bc23d8979bac56d99d3aa2e59b386ec6df3758396831c48efdd829247460e6fb685f5139dac5ea98d42b34195f1f62e8cedfa5dc797ac24a8882e1af |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 18:28
Reported
2024-06-12 18:31
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks for common network interception software
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\fonts\pns.ttf | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0 | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /test
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /restart /util
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chistilka.com | udp |
| US | 8.8.8.8:53 | api.amplitude.com | udp |
| DE | 80.240.18.87:80 | chistilka.com | tcp |
| US | 52.89.33.48:80 | api.amplitude.com | tcp |
| US | 8.8.8.8:53 | stat2.chistilka.com | udp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| US | 8.8.8.8:53 | chistilka.ru | udp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 172.67.202.42:443 | chistilka.ru | tcp |
| US | 8.8.8.8:53 | chistilka.com | udp |
| US | 52.89.33.48:80 | api.amplitude.com | tcp |
| US | 8.8.8.8:53 | update.chistilka.com | udp |
| DE | 80.240.18.87:443 | chistilka.com | tcp |
| FR | 5.135.140.26:443 | update.chistilka.com | tcp |
| BE | 88.221.83.219:443 | www.bing.com | tcp |
| US | 52.89.33.48:80 | api.amplitude.com | tcp |
| US | 8.8.8.8:53 | pay.chistilka.com | udp |
| DE | 140.82.35.84:80 | 140.82.35.84 | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.18.240.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.81.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.202.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.140.135.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.83.221.88.in-addr.arpa | udp |
| FR | 54.37.81.78:80 | stat2.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.35.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.172.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | new.config.chistilka.com | udp |
| US | 8.8.8.8:53 | time.google.com | udp |
| US | 52.89.33.48:80 | api.amplitude.com | tcp |
| US | 172.67.202.42:443 | chistilka.ru | tcp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| DE | 80.240.18.87:443 | chistilka.com | tcp |
| FR | 5.135.140.26:443 | update.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 8.8.8.8:53 | 0.35.239.216.in-addr.arpa | udp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 172.67.172.117:443 | pay.chistilka.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\Чистилка\Чистилка.exe
| MD5 | a1be3cbefb845eac49a0cad049876a73 |
| SHA1 | 68f8f9ed528a21ca796fe3fa228b8e0ad1141218 |
| SHA256 | 4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd |
| SHA512 | c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e |
C:\Users\Public\Desktop\Чистилка.lnk
| MD5 | 77106b36ec3d6c7ee4f5b69c1110169b |
| SHA1 | bb6495448f765e40fd157a47d8774bf579677e22 |
| SHA256 | 817f836d1023d2d7b926858bc3d3b1b5013143c106c8e511c317825d0f914a5e |
| SHA512 | 57ac6d511a8c3c2cb722fae7cb2f7476ef23870c0ff065b86eb4137d1dba6fba6fe159a7e09b84578b80faaf9a4a9bd83776b947578a7f48335a2ee154b71d2a |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk
| MD5 | 02a123f9c35fd77b52145ec8686b5b19 |
| SHA1 | f09e4058be4e1b07b6317e8219a38ba9a8ed2acc |
| SHA256 | 585ab48e10fc363d6e10310796c60438232dafb645834774d7c49e707001b3d8 |
| SHA512 | 008b74e359392263067bd0475b264d7490c7c5946890e1ad83753e57c2cd82a7a380a3bc642eed1e42f2efb9bc5cb8dfe6e77bdac99bc643f58a298b9db99fb3 |
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
| MD5 | d7ebb78bf1f0e4a8278b2d63013b1134 |
| SHA1 | 498b315dcba9bf4403d6748be61453d5d8991b61 |
| SHA256 | c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8 |
| SHA512 | ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312 |
C:\Users\Admin\AppData\Local\Temp\cln36EF.tmp
| MD5 | abee4387ab69da821ed9397cc651597d |
| SHA1 | 5d14f4afdbe15448bf884b528ffffab874f920a7 |
| SHA256 | ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22 |
| SHA512 | e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904 |
memory/2416-43-0x00000000009E0000-0x0000000000F3B000-memory.dmp
C:\ProgramData\Чистилка\settings.json
| MD5 | bfda7ae0084bf200cca8abb94c0e46a2 |
| SHA1 | d8bcefd54c862290862f6d06edaef226c8fd7911 |
| SHA256 | 392d65add004805bbe7346e85f8f802dcfddcfe6302e047ccee1b02881d8a136 |
| SHA512 | f36d2266bc23d8979bac56d99d3aa2e59b386ec6df3758396831c48efdd829247460e6fb685f5139dac5ea98d42b34195f1f62e8cedfa5dc797ac24a8882e1af |
C:\WINDOWS\FONTS\PNS.TTF
| MD5 | df8c626474a73ab7a8b511655597c7c4 |
| SHA1 | 5de28f387ea88553d195d1978286d43c33231969 |
| SHA256 | 723091ba5a1b8e65164075516d69c00c71225c6dde61ffc32dd4047803ab42b5 |
| SHA512 | c8f7d1577cb70610c40b96c835faca6b916c4924b5061351c8a67287567556b2014efb7c73cdcc4fb6533829541cd0264b8a9e428d3c572e29c06b0d96633d59 |