Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-05-2024 02:58

General

  • Target

    52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe

  • Size

    234KB

  • MD5

    52c00107ca21cc4b75039a98ad4cae18

  • SHA1

    ab35e8bc718fd02cec888afb22dc520d05234dce

  • SHA256

    210dab383dabe37ce47658719ec8866cca4fe1ba0eac2d308c96c36293f1da4c

  • SHA512

    bc2ae0ca6fd52d1190bcd0c006b4eacb1db7243b9b434cd59a4e095bfc854e5e7c4cc56cfda989d3285d8f6c2fec4e2e00ba5cc383304efcb5cfbd1c248f1703

  • SSDEEP

    6144:20B2T/Lr8CETTCiIjvTWUyRsae7bI7P+B:m/X8lGbWhty

Malware Config

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#Cerber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451" id="url_1" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.ssd5gt.top/5C47-BB9F-6410-006D-F451" target="_blank">http://52uo5k3t73ypjije.ssd5gt.top/5C47-BB9F-6410-006D-F451</a></li> <li><a href="http://52uo5k3t73ypjije.dd4xo3.top/5C47-BB9F-6410-006D-F451" target="_blank">http://52uo5k3t73ypjije.dd4xo3.top/5C47-BB9F-6410-006D-F451</a></li> <li><a href="http://52uo5k3t73ypjije.78dmme.top/5C47-BB9F-6410-006D-F451" target="_blank">http://52uo5k3t73ypjije.78dmme.top/5C47-BB9F-6410-006D-F451</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/5C47-BB9F-6410-006D-F451" target="_blank">http://52uo5k3t73ypjije.onion.to/5C47-BB9F-6410-006D-F451</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451" id="url_2" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451" id="url_3" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451" id="url_4" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/5C47-BB9F-6410-006D-F451</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Extracted

Path

C:\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!
You have turned to be a part of a big community "#Cerber Ransomware".
#########################################################################
!!! If you are reading this message it means the software "Cerber" has
!!! been removed from your computer.
!!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a
!!! working domain of your personal page!
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.
But not only it.
It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.
After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
1. http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451
2. http://52uo5k3t73ypjije.ssd5gt.top/5C47-BB9F-6410-006D-F451
3. http://52uo5k3t73ypjije.dd4xo3.top/5C47-BB9F-6410-006D-F451
4. http://52uo5k3t73ypjije.78dmme.top/5C47-BB9F-6410-006D-F451
5. http://52uo5k3t73ypjije.onion.to/5C47-BB9F-6410-006D-F451
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://52uo5k3t73ypjije.onion/5C47-BB9F-6410-006D-F451 in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for your convenience.
Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.
The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.
The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://52uo5k3t73ypjije.3odvfb.top/5C47-BB9F-6410-006D-F451

http://52uo5k3t73ypjije.ssd5gt.top/5C47-BB9F-6410-006D-F451

http://52uo5k3t73ypjije.dd4xo3.top/5C47-BB9F-6410-006D-F451

http://52uo5k3t73ypjije.78dmme.top/5C47-BB9F-6410-006D-F451

http://52uo5k3t73ypjije.onion.to/5C47-BB9F-6410-006D-F451

http://52uo5k3t73ypjije.onion/5C47-BB9F-6410-006D-F451

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large number (523) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\mfpmp.exe
        "C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\mfpmp.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\mfpmp.exe
          "C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\mfpmp.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1080
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:472065 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2416
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:2604
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:860
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "mfpmp.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\mfpmp.exe" > NUL
            5⤵
            PID:1964
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "mfpmp.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:348
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:3044
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe" > NUL
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1068
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2820
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1520
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2112
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D5B5E997-B22D-49E9-B71B-5F0626CA8FE4} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
    1⤵
    PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v13

Tactic               | Technique                          | Count | ID
---------------------|------------------------------------|-------|----------
Persistence          | Boot or Logon Autostart Execution  | 2     | T1547
Persistence          | Registry Run Keys / Startup Folder | 2     | T1547.001
Privilege Escalation | Boot or Logon Autostart Execution  | 2     | T1547
Privilege Escalation | Registry Run Keys / Startup Folder | 2     | T1547.001
Defense Evasion      | Modify Registry                    | 4     | T1112
Credential Access    | Unsecured Credentials              | 1     | T1552
Credential Access    | Credentials In Files               | 1     | T1552.001
Discovery            | Network Service Discovery          | 1     | T1046
Discovery            | System Information Discovery       | 2     | T1082
Discovery            | Remote System Discovery            | 1     | T1018
Collection           | Data from Local System             | 1     | T1005
Impact               | Defacement                         | 1     | T1491

            Downloads

            • C:\# DECRYPT MY FILES #.txt
              Filesize

              10KB

            • C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url
              Filesize

              90B

            • C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs
              Filesize

              213B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
              Filesize

              914B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
              Filesize

              1KB

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
              Filesize

              252B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
              Filesize

              242B

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4DBCF51-14C2-11EF-B804-569FD5A164C1}.dat
              Filesize

              5KB

            • C:\Users\Admin\AppData\Local\Temp\30-urw-aliases.conf
              Filesize

              1KB

            • C:\Users\Admin\AppData\Local\Temp\Adobe-Japan1-4
              Filesize

              3KB

            • C:\Users\Admin\AppData\Local\Temp\BadBits.mm
              Filesize

              1KB

            • C:\Users\Admin\AppData\Local\Temp\Budapest
              Filesize

              1KB

            • C:\Users\Admin\AppData\Local\Temp\Cab44DF.tmp
              Filesize

              65KB

            • C:\Users\Admin\AppData\Local\Temp\Cab459D.tmp
              Filesize

              68KB

            • C:\Users\Admin\AppData\Local\Temp\Cape_Verde
              Filesize

              97B

            • C:\Users\Admin\AppData\Local\Temp\CoreTemp.ini
              Filesize

              1KB

            • C:\Users\Admin\AppData\Local\Temp\EnteronFrotteur.y
              Filesize

              4KB

            • C:\Users\Admin\AppData\Local\Temp\Fiji
              Filesize

              588B

            • C:\Users\Admin\AppData\Local\Temp\GMT+3
              Filesize

              27B

            • C:\Users\Admin\AppData\Local\Temp\LodeEucaryote.zaw
              Filesize

              148KB

            • C:\Users\Admin\AppData\Local\Temp\Tar45B2.tmp
              Filesize

              177KB

            • C:\Users\Admin\AppData\Local\Temp\callout.graphics.xml
              Filesize

              993B

            • C:\Users\Admin\AppData\Local\Temp\circle_glass_Thumbnail.bmp
              Filesize

              4KB

            • C:\Users\Admin\AppData\Local\Temp\component.xml
              Filesize

              691B

            • C:\Users\Admin\AppData\Local\Temp\currency.data
              Filesize

              3KB

            • C:\Users\Admin\AppData\Local\Temp\defaultProfilerFilter_restorepoints.xml
              Filesize

              592B

            • C:\Users\Admin\AppData\Local\Temp\embedding.xml
              Filesize

              4KB

            • C:\Users\Admin\AppData\Local\Temp\errorReport.png
              Filesize

              1KB

            • C:\Users\Admin\AppData\Local\Temp\f24.png
              Filesize

              1KB

            • C:\Users\Admin\AppData\Local\Temp\honks.rjw
              Filesize

              74KB

            • C:\Users\Admin\AppData\Local\Temp\telophase.ttm
              Filesize

              74KB

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mfpmp.lnk
              Filesize

              1KB

            • C:\Users\Admin\Music\# DECRYPT MY FILES #.html
              Filesize

              19KB

            • \Users\Admin\AppData\Local\Temp\AnimGif.dll
              Filesize

              48KB

            • \Users\Admin\AppData\Local\Temp\nso2E34.tmp\System.dll
              Filesize

              11KB

            • \Users\Admin\AppData\Roaming\{8F76CA93-6AF5-FCB8-1751-35093594ADFC}\mfpmp.exe
              Filesize

              234KB

            • memory/1752-136-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/1752-145-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/1752-138-0x0000000000590000-0x0000000000591000-memory.dmp
              Filesize

              4KB

            • memory/1752-144-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/1752-135-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/1752-601-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/1752-619-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/1752-143-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/1752-141-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/1752-140-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2496-118-0x0000000000640000-0x0000000000650000-memory.dmp
              Filesize

              64KB

            • memory/2644-65-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-39-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-50-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-49-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-33-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
              Filesize

              4KB

            • memory/2644-37-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-51-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-41-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-43-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-47-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-35-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2644-52-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

            • memory/2844-31-0x0000000000370000-0x0000000000380000-memory.dmp
              Filesize

              64KB