cerber | 82358cfce8922a6d09b9c3ccb7867ce65556040592f238fd2939ba9507156d7b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Size

208KB
MD5

9d8c90e3c00d723f8167d9e579b2eff1
SHA1

86f82bb7da52240469a520a1c4f166aa7beef579
SHA256

82358cfce8922a6d09b9c3ccb7867ce65556040592f238fd2939ba9507156d7b
SHA512

3bfedc755703b626c47a549ffe955433bc30ad10cdea7f0feb2d848e6a2d720f5cf973115b6d454549a86a83557dafdda67fec65a938353d1e12de947d5348e7
SSDEEP

6144:awHysFR5ERM05WQ8qpo0Qcs7ukLptsa6y/xG:RFR5KM63i0Y1d6OG

Score

10^/10

cerber discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community #Cerber+Rans0mware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97 | | 2. http://52uo5k3t73ypjije.vrid8l.top/FAA6-34EB-13CB-006D-FC97 | | 3. http://52uo5k3t73ypjije.thyx30.top/FAA6-34EB-13CB-006D-FC97 | | 4. http://52uo5k3t73ypjije.o08a6d.top/FAA6-34EB-13CB-006D-FC97 | | 5. http://52uo5k3t73ypjije.onion.to/FAA6-34EB-13CB-006D-FC97 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/FAA6-34EB-13CB-006D-FC97 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97

http://52uo5k3t73ypjije.vrid8l.top/FAA6-34EB-13CB-006D-FC97

http://52uo5k3t73ypjije.thyx30.top/FAA6-34EB-13CB-006D-FC97

http://52uo5k3t73ypjije.o08a6d.top/FAA6-34EB-13CB-006D-FC97

http://52uo5k3t73ypjije.onion.to/FAA6-34EB-13CB-006D-FC97

http://52uo5k3t73ypjije.onion/FAA6-34EB-13CB-006D-FC97

Extracted

Path

C:\Users\Admin\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97</a></li> <li><a href="http://52uo5k3t73ypjije.vrid8l.top/FAA6-34EB-13CB-006D-FC97" target="_blank">http://52uo5k3t73ypjije.vrid8l.top/FAA6-34EB-13CB-006D-FC97</a></li> <li><a href="http://52uo5k3t73ypjije.thyx30.top/FAA6-34EB-13CB-006D-FC97" target="_blank">http://52uo5k3t73ypjije.thyx30.top/FAA6-34EB-13CB-006D-FC97</a></li> <li><a href="http://52uo5k3t73ypjije.o08a6d.top/FAA6-34EB-13CB-006D-FC97" target="_blank">http://52uo5k3t73ypjije.o08a6d.top/FAA6-34EB-13CB-006D-FC97</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/FAA6-34EB-13CB-006D-FC97" target="_blank">http://52uo5k3t73ypjije.onion.to/FAA6-34EB-13CB-006D-FC97</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://52uo5k3t73ypjije.onion/FAA6-34EB-13CB-006D-FC97 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\choice.exe\""	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\choice.exe\""	choice.exe

Contacts a large (514) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	choice.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\choice.lnk	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\choice.lnk	choice.exe

Executes dropped EXE 4 IoCs

pid	Process
3204	choice.exe
4272	choice.exe
336	choice.exe
3636	choice.exe

Loads dropped DLL 9 IoCs

pid	Process
3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
3204	choice.exe
3204	choice.exe
3204	choice.exe
336	choice.exe
336	choice.exe
336	choice.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\choice = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\choice.exe\""	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\choice = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\choice.exe\""	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\choice = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\choice.exe\""	choice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\choice = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\choice.exe\""	choice.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp88CE.bmp"	choice.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3768 set thread context of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3204 set thread context of 4272	3204	choice.exe	101
PID 336 set thread context of 3636	336	choice.exe	109

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\indults	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
File opened for modification	C:\Windows\	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
File opened for modification	C:\Windows\indults	choice.exe
File opened for modification	C:\Windows\	choice.exe
File opened for modification	C:\Windows\indults	choice.exe
File opened for modification	C:\Windows\	choice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002356d-57.dat	nsis_installer_1
behavioral2/files/0x000700000002356d-57.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
3120	taskkill.exe
972	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\choice.exe\""	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop	choice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\choice.exe\""	choice.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	choice.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
632	PING.EXE
1648	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe
4272	choice.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	4272	choice.exe
Token: SeDebugPrivilege	3636	choice.exe
Token: 33	1104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1104	AUDIODG.EXE
Token: SeDebugPrivilege	972	taskkill.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 3768 wrote to memory of 4768	3768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	92
PID 4768 wrote to memory of 3204	4768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	95
PID 4768 wrote to memory of 3204	4768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	95
PID 4768 wrote to memory of 3204	4768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	95
PID 4768 wrote to memory of 4208	4768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	96
PID 4768 wrote to memory of 4208	4768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	96
PID 4768 wrote to memory of 4208	4768	9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe	96
PID 4208 wrote to memory of 3120	4208	cmd.exe	98
PID 4208 wrote to memory of 3120	4208	cmd.exe	98
PID 4208 wrote to memory of 3120	4208	cmd.exe	98
PID 4208 wrote to memory of 632	4208	cmd.exe	100
PID 4208 wrote to memory of 632	4208	cmd.exe	100
PID 4208 wrote to memory of 632	4208	cmd.exe	100
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 3204 wrote to memory of 4272	3204	choice.exe	101
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 336 wrote to memory of 3636	336	choice.exe	109
PID 4272 wrote to memory of 1864	4272	choice.exe	110
PID 4272 wrote to memory of 1864	4272	choice.exe	110
PID 4272 wrote to memory of 4940	4272	choice.exe	111
PID 4272 wrote to memory of 4940	4272	choice.exe	111
PID 4272 wrote to memory of 820	4272	choice.exe	117
PID 4272 wrote to memory of 820	4272	choice.exe	117
PID 4272 wrote to memory of 1504	4272	choice.exe	119
PID 4272 wrote to memory of 1504	4272	choice.exe	119
PID 4272 wrote to memory of 3908	4272	choice.exe	122
PID 4272 wrote to memory of 3908	4272	choice.exe	122
PID 3908 wrote to memory of 972	3908	cmd.exe	124
PID 3908 wrote to memory of 972	3908	cmd.exe	124
PID 3908 wrote to memory of 1648	3908	cmd.exe	126
PID 3908 wrote to memory of 1648	3908	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe
    "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe
      "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe"
      4⤵
      Adds policy Run key to start application
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Sets desktop wallpaper using registry
      Modifies Control Panel
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        
        PID:1864
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:4940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.xmfru5.top/FAA6-34EB-13CB-006D-FC97?auto
        5⤵
        
        PID:820
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:1504
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "choice.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe" > NUL
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "choice.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe" > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "9d8c90e3c00d723f8167d9e579b2eff1_JaffaCakes118.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3120
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
1⤵
PID:3216

C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe
C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe
  C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4892,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:1
1⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3776,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:1
1⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5264,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:1
1⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5416,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
1⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5444,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
1⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5872,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:1
1⤵
PID:3720

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c8 0x32c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6072,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6540 /prefetch:1
1⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6684,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:1
1⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6680,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:1
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
2f83dc5164414f11ce01ae616bce45d5

SHA1
13cd4727b084dc2a781c1ae00f6abdd4d59431b4

SHA256
56aa8d2bc56806ab09a48b193aa062597480a180d05b83fb07f87c9e0342b753

SHA512
96edf5886a3ef30c594e19c1a7379ca33c28756d20c403d32bc4f3aa8d30fc5570cb1c85a4869ae3033c850a87f029d1b1f3e70f16e975c25c784d73e675922e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrFC24.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Roaming\.gitignore

Filesize
44B

MD5
095927e02e3f4d31c7a0d402d954eeb0

SHA1
803e7a7f8eb4eb6220e9edc57743ade2ecd8f38b

SHA256
f0cd807dcd8825ce23b4897a3f3a436c1174c8a4e7431a6547bb3399699f429d

SHA512
7eed3a7147f13e6a46ea8abaa0eed8a985fbd42f83f11da14fffd38c850fe52202cd00b23d3b0f063255cbcc5896266b02f892ec49e3990b7d7c332f08536f77

Download Submit
C:\Users\Admin\AppData\Roaming\3BSYBS1-DCSA_Alerts_05152015040014.xml

Filesize
514B

MD5
da7cbdc5f6821b87749e272c18f8f493

SHA1
ef8d741c8aa6226af657a35a53d45207c6ab5397

SHA256
3ae026844a141af506a4d96b8886a54a82954e331739630cd64ed2cd390f1c89

SHA512
c904a57ad128bb7efbdc2c773c130b42545daa6be2acf78be7df43761d80f3220b25146026a56f6d28d5dfca8aee071815077424c5a1b608c361c587d03d80c6

Download Submit
C:\Users\Admin\AppData\Roaming\403.htm

Filesize
1KB

MD5
394a5c0cee0392d04fad577c6766f06b

SHA1
16197acb33ddc2e8c5d1f7fc04aaa0cf1f26b95f

SHA256
ed1e1c39e647d0aa8b950c98ff6ba2e7d551927263e45d4ba86b8747ce5149ee

SHA512
9027e504499d057097c2b149ae3743519178cb570c48d4f0dd5cc735554199ad2525915af3b8e4ff1bafc471ebe3cefcd4760fc6c2c5a9e8f7bfde5805a89397

Download Submit
C:\Users\Admin\AppData\Roaming\AsteroidVertexInput.hlsli

Filesize
182B

MD5
b5b01ac30aabb5394aef7a5990ca6970

SHA1
bcf8aa98d01da8815b4c0326ea8b821fd9581135

SHA256
527beb88aae27bf244bcec8d7312a3a1da9d7ff3e64581919eb4563023c38b6e

SHA512
df2f5f55eb2f8409c975a09c72a48e353f1127432d2af5f4c4e917e317e0a748759e1dd75460b765d9edd8cb7d5df012db34fa2d3a4c7da2e1c644bf9777330a

Download Submit
C:\Users\Admin\AppData\Roaming\Barbados

Filesize
137B

MD5
363e53a22cdb004b03995cf78e815a8f

SHA1
d208a235652a1ef85b4a93b24e39fb149a85dc1a

SHA256
d49bcf72f9babb8d1ab2777a178befcdf98bd2f8deaccdbfac38142d6c66403b

SHA512
d727d389eac6d86dbb6423b299830ef1c090fa556cb42fb1605539165cd719b63cecb309182bef140c9b9f1974b729b18b60d3114feb344e3555f09c533efba4

Download Submit
C:\Users\Admin\AppData\Roaming\Bronze - Polished.3PP

Filesize
1KB

MD5
000f1aa3dde140d63ffb7c3a0bb9c3fa

SHA1
8897e631ed08248fbde270c7ce87cc2d2d078766

SHA256
27a661ab3534b748e9725a567628e8341c26f8fa1eb157eb9027c68a40c3146c

SHA512
a7bf610832e4412e65116eeebf279008834add76df92491c7aaed63669a465421e26d36febc3f3b846cd047b125550b3e70c5e6a9737a2eaa0e0347a1dd9ac62

Download Submit
C:\Users\Admin\AppData\Roaming\Burlington.ksd

Filesize
62KB

MD5
cfcc7cbe898a4dd7253abc4cc006a758

SHA1
7c4cd864fe923dd2e183b2a1703ca189b735dafb

SHA256
c940e7b49156e6ec0b9a9b02684676ac1c30691c2c229cb7e814904079ca5266

SHA512
1118e10e5dcb833e232e401bfd946416b5be251519291d392e12227228d79600f61ff742badc398b09ca8ec07f2b8bcaee3cff225396234bf9b974485de5af20

Download Submit
C:\Users\Admin\AppData\Roaming\Burlington.rmw

Filesize
63KB

MD5
d78e31e10c0b0c68765773608df893a0

SHA1
a67b4d1190699ec20106d91a3abaa02658740aa0

SHA256
2a2f12ddb70f5e4cf39e67163892820bc2f6297bfc5c4f17ca634fd287d87dc6

SHA512
385e9d2f7ad4066c2de373597c7ef914eada5f94bb340b1c112fe0c5f27ddade166d2a9ff52171bf30fe1ee1937a81b26a0d06962627179c7819644be3157624

Download Submit
C:\Users\Admin\AppData\Roaming\CHANGELOG.md

Filesize
4KB

MD5
e6f2520cedb0df21cc115a52eb3f7758

SHA1
27d37567e0739177af8915ebfd1d3f17fe53d52d

SHA256
daf6ffb3678d5e74a87aa550af9bd34c6e049562a771b38fcc39d5f8ec1df45a

SHA512
ea91d35f654f1275dfd437ffd44ebe8b2ec5690f32ee78c2507ebb807570306f20b18b22085a4592c215458885fb9dfbff5919f93ca19fe8e0be94cd425d8060

Download Submit
C:\Users\Admin\AppData\Roaming\Cocos

Filesize
27B

MD5
1938fcd1b8813ea5f8fe611478d4c1b5

SHA1
d87706b8193657bce53322e59b3c206533017d83

SHA256
461a256119989ebfb392a6a6afa560213254420b1d4f89d97fa3690fc5c0fc4e

SHA512
def3e9c92266a3af6be1753872286aa8dd624c4a76b8f3f180596a748f5bf6d7bdd965dd43b13120a4ed784f4628b5a1e6d7e9e12da15179d2b47e72994c323e

Download Submit
C:\Users\Admin\AppData\Roaming\CurveFitting.vbw

Filesize
181B

MD5
19e3e555a0bf6693f27ade2fcfa43102

SHA1
6828a357dad7c26383ece0bdbb515e5c4fecd684

SHA256
02bbe02800132003ce473ffbe9e602034651d4edf71df3dd3a11014c1edc9ec0

SHA512
a55f49380db70d26db07e54ed05597b060ffbcddf33f2e49c6479e27981df301460ab1ead6d895df5241593eb13d4b7379ce20acc07e5e9ccdc617ea3409d1aa

Download Submit
C:\Users\Admin\AppData\Roaming\Eirunepe

Filesize
321B

MD5
f3b291c8ac4ce814ff455a1dedb752e6

SHA1
3699971fcdad24b65695219e582b97de04bd06a5

SHA256
0b9971842c858a61f0749a18a06a795139ee9f55038d23b9826f6b579d560dc3

SHA512
8cece8f0b1ad2a6c93f17334fc130f913e6f3c0877d93d00e706ae2d9d9ce4077101522c1b540b4bc05924c0c5e0438e67ffea9647964cd73d193ae0f8c2b056

Download Submit
C:\Users\Admin\AppData\Roaming\ExampleAWTViewer.java

Filesize
3KB

MD5
c8534d0727f789f79ee8ed9a53f50eba

SHA1
9ab9d675826468231141ffa9a59d7d3d869aebad

SHA256
01fd53799d28cb81f81efc1330d268957e14d5eaf75f5dcf8c0136c573635901

SHA512
72a2837254562ec278bc147103809c572f0d9757ab98d86cd444d571764aa3ef2655f24a138512faee488583319455698887affda4cc40b3a4a1ca62864b78c7

Download Submit
C:\Users\Admin\AppData\Roaming\Frosted Detail Plastic - Frosted Detail.3PP

Filesize
1KB

MD5
8ec4b2cbba583fad1c9dbab95eadecdd

SHA1
5a9cc205daae7774b6b45cdcd984e056eb798e4a

SHA256
540c5bdb0518da9c9aa8ca10e3c90e1ed5c7f84183a681b412b6455fa7369333

SHA512
09d8babc7b08e4a884d44811372edc1a986b7aadad9584041ef07e8dd1c0e33ab38921b368b9b9a00de9dbdb3c8d9a3abfa263f2ccf0c58258399f7c0d856311

Download Submit
C:\Users\Admin\AppData\Roaming\Gonophore.V

Filesize
3KB

MD5
20d29eb0b3b8a16b89fb56f6630b8ce8

SHA1
0e18841b5b89ac09516d51fae248f9310bc62471

SHA256
629b46aa2ea449a091e38e0636b8e7904fa98a6ce79af2834509354f1b10f959

SHA512
703bb92267913b49ba3aaf1e629ecd4ba3ec5d85b525c4acceae1abebf7438e8dac5e769f1f545228c878507e011e1ae7dfd89667e5d04deb9dc541773257eb4

Download Submit
C:\Users\Admin\AppData\Roaming\Hawsehole.NPy

Filesize
126KB

MD5
e8eb25e0d58d365613e5118107f7eb32

SHA1
f252611d8da0c8c2f2eefc00a1990fe734e1c138

SHA256
dd4372b30ff4f96b2012f97fd58fc0252ea280dba543a39e764edc02c03af3cb

SHA512
249946e79033e0f7ad7efc1a95ed259653e1f4cd0dba441388c0ed99667f29aa07121752ef593b0b92ca848ed04d5e4e661d033834150d0ad83d695bd8ed56a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\choice.lnk

Filesize
1KB

MD5
32e3dc04489957ff2f219a593d690ac1

SHA1
e2d58b548411c28726cbd8cda24c52de70e58f02

SHA256
dcdc03e72032593a902b8027a332d219d7dac3ee503bd6be5bc6a380db9a955e

SHA512
c8af52140de7a107bb8ef7770e80519a8a4063bb093ea0697af99ac4bd8e7c1ecea8a9570717dd5f8243aa97712dea9741651673c411309ded8b2a437594e731

Download Submit
C:\Users\Admin\AppData\Roaming\Registry.dll

Filesize
28KB

MD5
1e9011ed3232d3a7142d8896606f524e

SHA1
56370a185a5de3d9019a39d3f97226cb5fe1352f

SHA256
e9581869c22c1fdbf547b4356c1f399283d7c9d3244ca32862373b8b0f11e6c5

SHA512
39b13c932344d70cc54a6ee3843936a25373d77c2335e8f5e3d7d11f5a0b3b6d14989e13c0fc3809148cf4c8d0d91666130abfc1d3507e3c7c03c6e545a9cc5b

Download Submit
C:\Users\Admin\AppData\Roaming\accelerometer.png

Filesize
3KB

MD5
ee605850778b585f63c6382ab05e8112

SHA1
4463ca8edb3c221fd0bec825822d0f77b71d2e10

SHA256
583e9114740dd5e71aec0a4bab86d644c1856a3008d248f41502fc4368b62398

SHA512
ab521ba8d4b06b0d440d80a50b2439ec983a26df943021c82a9cabf931c352e11e6f8e12c5b97ffaed30ea60bf989c04fe5e96237cab6dc06241c19a4464e50b

Download Submit
C:\Users\Admin\AppData\Roaming\archive_inactive_unhovered.png

Filesize
2KB

MD5
2706a9691f646f678220600f5a3da66d

SHA1
18aca6b122fb4eeb132ff80378a3ebc5c7e76acb

SHA256
5709aef07360ffe1cc827e1f77d0c23d5eb97d5f328ac8293911aa888dcf4ba0

SHA512
8263f29d2dc33e2060c8c4b5ca34abff26a3c79c08e019f9b3eb3d8cc6504f26786a65ea20ae968ae5f42dda9c6a446a4394ca0886003c50bfc068b9009609b6

Download Submit
C:\Users\Admin\AppData\Roaming\bn_IN.aff

Filesize
197B

MD5
6c0fb6fd9810560e7b438cdf662c2734

SHA1
26304263ffc6724e5bd5a0dc440d74f233bc2fa2

SHA256
bff0a0f00c9adb0ac7bcc8421882b4bcd0fb5b47d278ed64cd661ec7dce51cde

SHA512
d85b9b780ef0ecac44e9af6ca0c766c04dcbc22cf3bf65efd23395806042d8cdadebbe088d21a0be75b37b2c6ddeb7aa726483c9b139d4284ef6b51101ca8c8b

Download Submit
C:\Users\Admin\AppData\Roaming\build.xml

Filesize
4KB

MD5
0675ddae39995e21081a699d62da24d5

SHA1
369166f6793892f2e6690e95dd68da65015ef07c

SHA256
40f8f3a3ae7dab8b8b00147ae9b4dbb0611cd15636a15dced3b90d21c14edf1f

SHA512
900015de142233f3bbe870a6c697d18d2f587a5c6d1e965daa0807d6a5cd311d2eb605ca3aa89f9e650913d476a18cf8b4a74afa84acda4cd63c4939ea284d94

Download Submit
C:\Users\Admin\AppData\Roaming\chunker.output.indent.xml

Filesize
1KB

MD5
52c969a3814d887034bbd308839b39e6

SHA1
76990e9aba806f033c75af3e61c54f5aff35bba0

SHA256
de01f6b82723db2b995bd31ce510d27f55c699404330989b923662281e726e9e

SHA512
0f6fd0891432ab71a0f7358bd6cecd41d37ccf1450e0c56bb48ec058cb74e10cc680341b2ccd653449c83969873c5f217fc16d4831e3bf7123177e0584932309

Download Submit
C:\Users\Admin\AppData\Roaming\clock.png

Filesize
2KB

MD5
4cb40bdad1a43c4fb89f7b4400076efc

SHA1
ab2a3689957a412dbd3cd7f83e5aa35d44055941

SHA256
1bb2e1d63f0787ad9a0e0ad8b3987c42f74d873211f440e6338f78bfa62d4ee0

SHA512
0e444c130721fa155e28af88b21c0badced98ea2f1fd0df915cf07e4cf4b6d364e24a5babff81ad3246c5839595df520dc3e4d9a13635903f0e5ab4dc795a840

Download Submit
C:\Users\Admin\AppData\Roaming\compact.list.item.spacing.xml

Filesize
1KB

MD5
223909ceffcf7dd92a90656a0a1eb1af

SHA1
72557996dce6cabab827b4e7d1bafc94574beafa

SHA256
c49d10ccada76693da2aeadadfff385359732ff5ef4f01bc662150564c892ff3

SHA512
2d5ed9519276d244b7e8c98c11a1e9c572a6d76a9caa4c71e8dac2a87ae1d338490682a7cf27f44965f26dda96b0fb033555328b1ab0394817074c2e12b21a83

Download Submit
C:\Users\Admin\AppData\Roaming\cp_network.png

Filesize
2KB

MD5
5a7fb700d24dc20ca7e86ac88c7898ac

SHA1
50edfb37e364b1b1d22a3fc51d317d7ace27ccec

SHA256
42a28dd4821b43368002876179a593aee7a2eb4912074d84ac6d3f3dab4b7211

SHA512
144fda85daed37c7f43847abab93273d1b3114784def313c81ef165ed4ec85ff72c504c14005afb89e40ca863dbaa04dfe6fc74021d1592786415606122867df

Download Submit
C:\Users\Admin\AppData\Roaming\cpu_core.png

Filesize
3KB

MD5
823c348a508c32bc7d16d568126c34fb

SHA1
2b2f4bf49a7d8454474bf185e26b2c48cf43e461

SHA256
4f84fda6a4dc46d8577474025df6fead475e5ce750de8177ce51031b82b7221a

SHA512
c80ad925af22645a6ee1766036ff1841350387683db6210fff36c6f5fe321855e77aa50c765a3be4319b8a66032a14bb98655c31184ccc2dcf217a4e12df2842

Download Submit
C:\Users\Admin\AppData\Roaming\dut.fca

Filesize
1KB

MD5
61bb87909569420e9d889bd076a11aef

SHA1
668909823ee96cd46b76ffb4aba97e2335dd65da

SHA256
386b26bffa39406bea409f57f8d332a590856554373b073b7b5b340d5e68eaca

SHA512
fc873eb58c1a25f830ff3571b863c0da371f751d75052d3e77d1b94bb5ccead606ca19aaa73621467bbbc86aef817cfb9c9150f04af18f1c87846fc31f81f03d

Download Submit
C:\Users\Admin\AppData\Roaming\f33.png

Filesize
1KB

MD5
2be2fa3d1cd7438ceac3bb0fabff57f0

SHA1
06566068deddd781890d3ecb5a9e9fe087f763c5

SHA256
3b0ff6b401c23a915b4dc05a8cf26f0825a93aa1f569da6bbc1a6195d4904ef5

SHA512
cc95871dddc3a7c241f1a919787035f32bd644e9a369a8af43673b9822ad7d9722888dde35a4eb725e152e0f351c1f639b6d0a867534673b93340bf37fb62668

Download Submit
C:\Users\Admin\AppData\Roaming\feed-icon-14x14.png

Filesize
689B

MD5
2168a573d0d45bd2f9a89b8236453d61

SHA1
30733f525b9d191ac4720041a49fc2d17f4c99a1

SHA256
8ee173565b2e771fecf3b471a79bdf072aaa1bd9dc27582cfda2b2a322beeba8

SHA512
1263589e12f587143ec1dd8ac87293a041f7d77439fcf91503e62be02e36d13e28560342deed86cf800c7bc01cd31837004d1ebe7ae53c670340040c68eb0e22

Download Submit
C:\Users\Admin\AppData\Roaming\function.parens.xml

Filesize
922B

MD5
054b78215f249c0bdb4a66dc5194ff6b

SHA1
b7375a86ea0bc22a5a2033ea92eb0435e5a6c0d4

SHA256
4acce89219d39f8e1f024bd6e90f93936afc4899821cf0674548f96a80815fb9

SHA512
e59c92ff9198afa690a61d789379e6cc448156c20a673e948066dbf97446bf2f11533516d92deba0b865b8b6460b785646cab9970234aada7fda02fdac15fca8

Download Submit
C:\Users\Admin\AppData\Roaming\g3_5 x 7 in 300 dpi.IMZ

Filesize
46B

MD5
4d86c60fba2c17060dc3ea905619a4f9

SHA1
1d7c6fb8779b9a6e18036d3fc20be4311be1e54a

SHA256
486162bd4d51d4ad263da28d8ffd288e75d5228e015f041702c9c295179689ba

SHA512
6af5f1f4a26f8eda819acf1af36758b83ed5fee5e58c67e4fb7cb4253b75c74aea36169231662f1aa746d85cd91e66951134958bed5e4812caa5aa4a397a39da

Download Submit
C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\choice.exe

Filesize
208KB

MD5
9d8c90e3c00d723f8167d9e579b2eff1

SHA1
86f82bb7da52240469a520a1c4f166aa7beef579

SHA256
82358cfce8922a6d09b9c3ccb7867ce65556040592f238fd2939ba9507156d7b

SHA512
3bfedc755703b626c47a549ffe955433bc30ad10cdea7f0feb2d848e6a2d720f5cf973115b6d454549a86a83557dafdda67fec65a938353d1e12de947d5348e7

Download Submit
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
e7b3a3bd570a907928c3393acbf11de5

SHA1
2bd845cfdf2a2ac4cd7e9b19edfe8caea3a23216

SHA256
4fcbd1147d178a92dbd741a9a791bd2d45829bb04c8fb4a6e399b136aada9211

SHA512
af6f1142eb8e01f9b369a8caa3b38ed8441ab50b0a368101ed060f8ff6afda3d20d84f43240be10488676ac885b79e47e29e4546ec6ca5da79f0ddb06bbe7556

Download Submit
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.url

Filesize
90B

MD5
b5c475e3db39298f6bfbb38b308b5151

SHA1
364f99cb4a3298463e31bbd30d8ebdf13acdbefd

SHA256
48ba49a2bfec24f1e539fbd8a8c681f5408e434ec244cdb92120404e63974c20

SHA512
2b86ef9214a7dc770bac4dce2f325a3ddc6c8954ca7fcab6ac41e8ccd86ad9e50755e2bca11616de08a1d2ed6576a97be08d3b15f5995367c64e6c2d576bc6f8

Download Submit
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.vbs

Filesize
234B

MD5
6f84dbf74ef41dc3d861f5fb3e0f45ff

SHA1
3e5f17e9b9589f33ce6add7f2518a666ff2253a4

SHA256
df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8

SHA512
9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a

Download Submit
memory/336-216-0x0000000002F10000-0x0000000002F1F000-memory.dmp

Filesize
60KB

Download
memory/3204-142-0x00000000021B0000-0x00000000021BF000-memory.dmp

Filesize
60KB

Download
memory/3636-220-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3636-219-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3768-46-0x0000000002ED0000-0x0000000002EDF000-memory.dmp

Filesize
60KB

Download
memory/4272-152-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-557-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-601-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-149-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/4272-564-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-565-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-147-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-145-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-224-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-225-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-226-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-568-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-574-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-577-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-151-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-554-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-571-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-592-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-589-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-598-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-596-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-586-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-583-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4272-580-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4768-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4768-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4768-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4768-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4768-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4768-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download