Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 21:48

General

  • Target

    31318ee80570c7168708575f032ac63f_JaffaCakes118.exe

  • Size

    257KB

  • MD5

    31318ee80570c7168708575f032ac63f

  • SHA1

    82a8589abd62b469c4ec3c454434a75a63f8b2c6

  • SHA256

    849b68c42ca9935f63aea47b02a730b64d0dcb9897e589fee3f64175bc592d84

  • SHA512

    bd0e851945ad1b2fd726976e5f03f4fad934f598cb8d936c59922afeb8e2cb575dc1a20a008bede70db26f4d6a91eb73d822539c59da7f5975e4244bc65440bc

  • SSDEEP

    6144:ewHysO+dCW3EWXJ44UMa6ZhZoXtMQJCIEFTcdGwJ:VO+EW3TXiNMlSXOQJpAcIwJ

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC" id="url_1" target="_blank">http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.8kcfnk.bid/F3FD-14FF-62F1-005C-90CC" target="_blank">http://52uo5k3t73ypjije.8kcfnk.bid/F3FD-14FF-62F1-005C-90CC</a></li> <li><a href="http://52uo5k3t73ypjije.csv7o6.bid/F3FD-14FF-62F1-005C-90CC" target="_blank">http://52uo5k3t73ypjije.csv7o6.bid/F3FD-14FF-62F1-005C-90CC</a></li> <li><a href="http://52uo5k3t73ypjije.jal9lk.bid/F3FD-14FF-62F1-005C-90CC" target="_blank">http://52uo5k3t73ypjije.jal9lk.bid/F3FD-14FF-62F1-005C-90CC</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/F3FD-14FF-62F1-005C-90CC" target="_blank">http://52uo5k3t73ypjije.onion.to/F3FD-14FF-62F1-005C-90CC</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC" id="url_2" target="_blank">http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC" id="url_3" target="_blank">http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC" id="url_4" target="_blank">http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/F3FD-14FF-62F1-005C-90CC</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC | | 2. http://52uo5k3t73ypjije.8kcfnk.bid/F3FD-14FF-62F1-005C-90CC | | 3. http://52uo5k3t73ypjije.csv7o6.bid/F3FD-14FF-62F1-005C-90CC | | 4. http://52uo5k3t73ypjije.jal9lk.bid/F3FD-14FF-62F1-005C-90CC | | 5. http://52uo5k3t73ypjije.onion.to/F3FD-14FF-62F1-005C-90CC |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/F3FD-14FF-62F1-005C-90CC | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC

http://52uo5k3t73ypjije.8kcfnk.bid/F3FD-14FF-62F1-005C-90CC

http://52uo5k3t73ypjije.csv7o6.bid/F3FD-14FF-62F1-005C-90CC

http://52uo5k3t73ypjije.jal9lk.bid/F3FD-14FF-62F1-005C-90CC

http://52uo5k3t73ypjije.onion.to/F3FD-14FF-62F1-005C-90CC

http://52uo5k3t73ypjije.onion/F3FD-14FF-62F1-005C-90CC

Signatures

  • Cerber 2 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (527) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
      2⤵
      • Cerber
      • Modifies visiblity of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe
        "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe
          "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe"
          4⤵
          • Cerber
          • Modifies visiblity of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3200
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3464
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3324
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3904
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:4472
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2748
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5ae246f8,0x7ffe5ae24708,0x7ffe5ae24718
              6⤵
                PID:2616
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
                6⤵
                  PID:5056
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
                  6⤵
                    PID:4936
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
                    6⤵
                      PID:4720
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
                      6⤵
                        PID:2724
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                        6⤵
                          PID:3236
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
                          6⤵
                            PID:1868
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
                            6⤵
                              PID:700
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
                              6⤵
                                PID:636
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
                                6⤵
                                  PID:2584
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
                                  6⤵
                                    PID:4840
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                                    6⤵
                                      PID:2916
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
                                      6⤵
                                        PID:3168
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
                                        6⤵
                                          PID:2120
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15903803264836571294,283071659101504888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
                                          6⤵
                                            PID:2720
                                        • C:\Windows\system32\NOTEPAD.EXE
                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                          5⤵
                                            PID:2476
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.7156et.bid/F3FD-14FF-62F1-005C-90CC?auto
                                            5⤵
                                              PID:4928
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5ae246f8,0x7ffe5ae24708,0x7ffe5ae24718
                                                6⤵
                                                  PID:3604
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                                5⤵
                                                  PID:3928
                                                • C:\Windows\system32\cmd.exe
                                                  /d /c taskkill /f /im "fontdrvhost.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe" > NUL
                                                  5⤵
                                                    PID:4172
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /f /im "fontdrvhost.exe"
                                                      6⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2032
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 1 127.0.0.1
                                                      6⤵
                                                      • Runs ping.exe
                                                      PID:3704
                                              • C:\Windows\SysWOW64\cmd.exe
                                                /d /c taskkill /f /im "31318ee80570c7168708575f032ac63f_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe" > NUL
                                                3⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:2284
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /f /im "31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
                                                  4⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1136
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping -n 1 127.0.0.1
                                                  4⤵
                                                  • Runs ping.exe
                                                  PID:3068
                                          • C:\Windows\system32\vssvc.exe
                                            C:\Windows\system32\vssvc.exe
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3320
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:2672
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:3552
                                              • C:\Windows\system32\AUDIODG.EXE
                                                C:\Windows\system32\AUDIODG.EXE 0x470 0x2f8
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1628

                                              Network

                                              MITRE ATT&CK Matrix ATT&CK v13

                                              Execution

                                              Windows Management Instrumentation

                                              1
                                              T1047

                                              Persistence

                                              Boot or Logon Autostart Execution

                                              2
                                              T1547

                                              Registry Run Keys / Startup Folder

                                              2
                                              T1547.001

                                              Privilege Escalation

                                              Boot or Logon Autostart Execution

                                              2
                                              T1547

                                              Registry Run Keys / Startup Folder

                                              2
                                              T1547.001

                                              Defense Evasion

                                              Hide Artifacts

                                              1
                                              T1564

                                              Hidden Files and Directories

                                              1
                                              T1564.001

                                              Modify Registry

                                              4
                                              T1112

                                              Indicator Removal

                                              2
                                              T1070

                                              File Deletion

                                              2
                                              T1070.004

                                              Credential Access

                                              Unsecured Credentials

                                              1
                                              T1552

                                              Credentials In Files

                                              1
                                              T1552.001

                                              Discovery

                                              Network Service Discovery

                                              1
                                              T1046

                                              Query Registry

                                              2
                                              T1012

                                              System Information Discovery

                                              3
                                              T1082

                                              Remote System Discovery

                                              1
                                              T1018

                                              Collection

                                              Data from Local System

                                              1
                                              T1005

                                              Impact

                                              Inhibit System Recovery

                                              3
                                              T1490

                                              Defacement

                                              1
                                              T1491

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                87f7abeb82600e1e640b843ad50fe0a1

                                                SHA1

                                                045bbada3f23fc59941bf7d0210fb160cb78ae87

                                                SHA256

                                                b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

                                                SHA512

                                                ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                f61fa5143fe872d1d8f1e9f8dc6544f9

                                                SHA1

                                                df44bab94d7388fb38c63085ec4db80cfc5eb009

                                                SHA256

                                                284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

                                                SHA512

                                                971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                73ef5a5613e13809e593f8db5d08b71d

                                                SHA1

                                                17b8af105e46ce521427412c7123dbb8769b4e45

                                                SHA256

                                                6343f1fcd8f3bb13d22f8f9a49ccb1af77a34700ef77a309b16523646f7a9354

                                                SHA512

                                                2faf9dad29d5fe39666754214707ed57096c0b97665d752102a768708ae46b635294610ee0788dbdbab8aa66d6a8384634013dd9ca1604030c6f87add9c438ef

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                6KB

                                                MD5

                                                9518858d6208742115d7351297512c21

                                                SHA1

                                                3408d5b5db52faf6fec729159419c3ae97be2c83

                                                SHA256

                                                d26a32d730e241416ac34267e91a8a2e861f635a588f1c281f13ffbbaa6edbca

                                                SHA512

                                                fda535bd02059756e24fb2fc107498212692273c6021710ae77e67be855f9f3d5ec617bbc329a07ee54bff089d8c5edac0a75458b5735916ad9b7fab95d09720

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                Filesize

                                                16B

                                                MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                11KB

                                                MD5

                                                8c8a714edd48c04309c982c7f3ab18da

                                                SHA1

                                                8f612e78c6b01b3261d32ac626281185385aa260

                                                SHA256

                                                e180e185db78e01464c18f7a29df41eec93af71652a60991ad1c4486438814ff

                                                SHA512

                                                b7de1e76ce33b8981c6e7f2ad0db1534135a1ebd402c04b0323fc1a90b4b4d7b69cd8b4d9c1b26a15d9ca6b1329d4c98025a5d15ce1380462003f78900e5bea9

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\json[1].json
                                                Filesize

                                                297B

                                                MD5

                                                bd0c2d8e6b0fe0de4a3869c02ee43a85

                                                SHA1

                                                21d8cca90ea489f88c2953156e6c3dec6945388b

                                                SHA256

                                                3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533

                                                SHA512

                                                496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

                                              • C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\System.dll
                                                Filesize

                                                11KB

                                                MD5

                                                6f5257c0b8c0ef4d440f4f4fce85fb1b

                                                SHA1

                                                b6ac111dfb0d1fc75ad09c56bde7830232395785

                                                SHA256

                                                b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

                                                SHA512

                                                a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

                                              • C:\Users\Admin\AppData\Roaming\403-3.htm
                                                Filesize

                                                1KB

                                                MD5

                                                c7df00e9e0609d4216bb7404dd9c12ee

                                                SHA1

                                                3aac5a61dc12fcf9fd23280d8fc6361ef734c524

                                                SHA256

                                                9fa88627e300794f3f5f657aed1a58a447d4cd5ce6989d49d62dca9507c3d9de

                                                SHA512

                                                87427aca49cf20aa8d36541f589940b23e42d60eda72965f75ebdbb8342a19198c8625b8d4f9c71b4444d14ca99816d314991ff1e870da3437cbc15453d8e47f

                                              • C:\Users\Admin\AppData\Roaming\ChiPollywog.9mW
                                                Filesize

                                                207KB

                                                MD5

                                                b4129e70e3bfbe686825a7d5ae5b3882

                                                SHA1

                                                2020712b26e98c5e212c816404ac6f57bf7fe658

                                                SHA256

                                                9e28161075db33792a94422525dacd286d78efcfb581f16ca762a7bbfdcdbd15

                                                SHA512

                                                259650ae89d4edec29e72b65fbacd7432ad80b835731e507c37d30f18b07bdd7981ec32bc083243d3a410428f7756ae849a578c03b7dbf6044e5a9fca237b04f

                                              • C:\Users\Admin\AppData\Roaming\HelpButton.dll
                                                Filesize

                                                68KB

                                                MD5

                                                27a5e7b6a25949beeae9d66ee66759b4

                                                SHA1

                                                c98d27eb5421cc0e12f1736d8cb6da952df25635

                                                SHA256

                                                ca1469a748c0805bedaa6bbcf87cfea1772a004ce5fb1ef1e5f62998874d4851

                                                SHA512

                                                426dd583044d651b790e006189d2ff42dcb883851dffa61cef2b4badaa43fde5a718e8ec4415ac928a39b81a6507ab54d2a1d0842bfbec4db89656478b610bea

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontdrvhost.lnk
                                                Filesize

                                                1KB

                                                MD5

                                                77215cc060044c79676901f906d0cbee

                                                SHA1

                                                42ee469217999edbb08dce61df4344feae3d09cb

                                                SHA256

                                                1c99f7a5385a2b3ae66f29a28f7f5cc76de3adbd9804b1f25ec8f109311f2c3c

                                                SHA512

                                                d70f67a9ba0ba6bfb7de1f6f434ab11b8d0cdd8b71b7d2aa29113c7da702abfdcb79998bbdcd9c4ff76d29c4909e0379f4dd028b87e7bf6f8edae88161e067a6

                                              • C:\Users\Admin\AppData\Roaming\Phenothiazine.aLp
                                                Filesize

                                                4KB

                                                MD5

                                                4cd6691685530a80f97c5633b75a8d81

                                                SHA1

                                                a2d8a60847c6a4c0df2e87ac5964b98806d3a2e7

                                                SHA256

                                                1e8ea471a61594fbf877acc9c2cc26cccf2eb6bd1da7c7dd803a1b154d632c6c

                                                SHA512

                                                d05c9d9c870c885cd7a964e669f775e5e4c9da99cd97cc1509f7e08af61fb13d97688f337fe5b9ac6c9c3c6cd14c95df4689b2715fdc531eac3d58133fbe2c48

                                              • C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml
                                                Filesize

                                                914B

                                                MD5

                                                72d925da1cf45aed93d045853a5281a8

                                                SHA1

                                                354dc025c187395a741ff630aaf6ca9ddf2d0d47

                                                SHA256

                                                19c79b8b4731e5a4f1bff40db16c6bae24fc7d299243a45ccd8998290247413d

                                                SHA512

                                                685081bd6829d3f825f2b50febd0df1c0db602bc9ea68c425b9bcc07b59e3860b91fbe918f485ac650cfbc14ea08f00dd98ad287d013190af829813122572c68

                                              • C:\Users\Admin\AppData\Roaming\{1B619EC1-DAC0-C86E-6BB6-7F9A1519E78F}\fontdrvhost.exe
                                                Filesize

                                                257KB

                                                MD5

                                                31318ee80570c7168708575f032ac63f

                                                SHA1

                                                82a8589abd62b469c4ec3c454434a75a63f8b2c6

                                                SHA256

                                                849b68c42ca9935f63aea47b02a730b64d0dcb9897e589fee3f64175bc592d84

                                                SHA512

                                                bd0e851945ad1b2fd726976e5f03f4fad934f598cb8d936c59922afeb8e2cb575dc1a20a008bede70db26f4d6a91eb73d822539c59da7f5975e4244bc65440bc

                                              • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.html
                                                Filesize

                                                19KB

                                                MD5

                                                e3969a054802d987317f8c70526d1810

                                                SHA1

                                                b18bcd0c35fd9249cc1ce8d334a5c1698e5ef98c

                                                SHA256

                                                1966b2b806cbaccdb089e7f1badfbda946303e1cd825359072e4a187fd904387

                                                SHA512

                                                3e069a0ec92a2cbaa239e8ea7b88dd69ba8f00854e49ab994105c7687c6795c532b790acb89518b78d1f189005c8f4bb9b398846a8ca25e2670e0dc627f670fb

                                              • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.txt
                                                Filesize

                                                10KB

                                                MD5

                                                8f5204c6b8ab0d323d2e301876ab0c9a

                                                SHA1

                                                81542b358d590052eb38e5885433d5af462288d6

                                                SHA256

                                                706372b54a5b359d3902889eb73d308e0aad5aee5e1440ba0248e8319069b046

                                                SHA512

                                                03d5ce9d57c0db070b109b4757710f363f088a5b41dd121483debd33218054557908f2f2959648c653747cc175512e3ea6f4c472f7147c043ddf57ce38ad9af2

                                              • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.url
                                                Filesize

                                                90B

                                                MD5

                                                42c31cdb6da79878b0aeebfb7771e8ae

                                                SHA1

                                                281b5650c02013a11c06e242a31da0bb55a080b7

                                                SHA256

                                                687e04615514b169e99cd2ea02c3d5cfc8b1344362cd2273bda7ffcb54ff8ff3

                                                SHA512

                                                1db62b9ff1b54ff32ee8f6c28a923c645b51a11ccf450ac2a27809239079e56194217c45397f4fcb24d945b30e3a6e541891acae6caff07d2afbdb6e9821fb96

                                              • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.vbs
                                                Filesize

                                                252B

                                                MD5

                                                18d46f5d8ebd3c7d6df0c7a8fd1bd64d

                                                SHA1

                                                aeb8407457434aabce2a4c2f95fe305c5303f929

                                                SHA256

                                                ceb35b75d397b07c84dfab3a28189e9431bdf80ec99ab65f9ccf01986bd4a8e9

                                                SHA512

                                                35fc759be0dee77eb9e39350873c24d9693cf6f370f171814e2ce6250ea814fea8a0887442ebae9077d6e9ff81ae7034faa0afcb080401a7d4ac384d2ba42d65

                                              • \??\pipe\LOCAL\crashpad_2748_BZIBQDJCWXPUKYEG
                                                MD5

                                                d41d8cd98f00b204e9800998ecf8427e

                                                SHA1

                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                SHA256

                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                SHA512

                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                              • memory/1208-33-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/1208-25-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/1208-23-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/1208-20-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/1208-18-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/1208-16-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/2296-54-0x0000000002F10000-0x0000000002F22000-memory.dmp
                                                Filesize

                                                72KB

                                              • memory/3200-850-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-820-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-74-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-817-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-853-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-823-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-826-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-829-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-835-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-832-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-838-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-859-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-844-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-847-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-72-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-73-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-841-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-856-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-862-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-71-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-67-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-64-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-63-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-895-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-899-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-901-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-60-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/3200-59-0x0000000000400000-0x000000000043A000-memory.dmp
                                                Filesize

                                                232KB

                                              • memory/4468-13-0x00000000026B0000-0x00000000026C2000-memory.dmp
                                                Filesize

                                                72KB