cerber | ba142f897f9c3c3b677064b79a7b9e556b8a7060f7d89f98f4e95157497add29

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
Size

195KB
MD5

9dba51d1d709efb322ad0babf9028c30
SHA1

65916448900214e4a3a130b69767edbafa1b783a
SHA256

ba142f897f9c3c3b677064b79a7b9e556b8a7060f7d89f98f4e95157497add29
SHA512

acfd650221d3fedafb4782f762f88fce7272dd5286a609aa7c22d7c741317d72983e0ca6c957144897afbefa899bed2d8cbcbdfdf1209cdfed79f346f26c07f8
SSDEEP

6144:WyAge9RNJSldWOANp0WGk08J6WG96HU4qWDNkz0:QJPp0WGD8J6W860tW+z0

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23 | | 2. http://cerberhhyed5frqa.as13fd.win/42FB-774A-6A40-006D-FE23 | | 3. http://cerberhhyed5frqa.45kgok.win/42FB-774A-6A40-006D-FE23 | | 4. http://cerberhhyed5frqa.wewiso.win/42FB-774A-6A40-006D-FE23 | | 5. http://cerberhhyed5frqa.5kti58.win/42FB-774A-6A40-006D-FE23 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/42FB-774A-6A40-006D-FE23 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23

http://cerberhhyed5frqa.as13fd.win/42FB-774A-6A40-006D-FE23

http://cerberhhyed5frqa.45kgok.win/42FB-774A-6A40-006D-FE23

http://cerberhhyed5frqa.wewiso.win/42FB-774A-6A40-006D-FE23

http://cerberhhyed5frqa.5kti58.win/42FB-774A-6A40-006D-FE23

http://cerberhhyed5frqa.onion/42FB-774A-6A40-006D-FE23

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23" target="_blank">http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23</a></li> <li><a href="http://cerberhhyed5frqa.as13fd.win/42FB-774A-6A40-006D-FE23" target="_blank">http://cerberhhyed5frqa.as13fd.win/42FB-774A-6A40-006D-FE23</a></li> <li><a href="http://cerberhhyed5frqa.45kgok.win/42FB-774A-6A40-006D-FE23" target="_blank">http://cerberhhyed5frqa.45kgok.win/42FB-774A-6A40-006D-FE23</a></li> <li><a href="http://cerberhhyed5frqa.wewiso.win/42FB-774A-6A40-006D-FE23" target="_blank">http://cerberhhyed5frqa.wewiso.win/42FB-774A-6A40-006D-FE23</a></li> <li><a href="http://cerberhhyed5frqa.5kti58.win/42FB-774A-6A40-006D-FE23" target="_blank">http://cerberhhyed5frqa.5kti58.win/42FB-774A-6A40-006D-FE23</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23" target="_blank">http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23" target="_blank">http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23" target="_blank">http://cerberhhyed5frqa.wet4io.win/42FB-774A-6A40-006D-FE23</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/42FB-774A-6A40-006D-FE23 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\dnscacheugc.exe\""	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\dnscacheugc.exe\""	dnscacheugc.exe

Deletes itself 1 IoCs

pid	Process
2456	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dnscacheugc.lnk	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dnscacheugc.lnk	dnscacheugc.exe

Executes dropped EXE 4 IoCs

pid	Process
2460	dnscacheugc.exe
2816	dnscacheugc.exe
1296	dnscacheugc.exe
572	dnscacheugc.exe

Loads dropped DLL 8 IoCs

pid	Process
2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
2460	dnscacheugc.exe
2460	dnscacheugc.exe
1296	dnscacheugc.exe
1296	dnscacheugc.exe
2816	dnscacheugc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dnscacheugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\dnscacheugc.exe\""	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dnscacheugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\dnscacheugc.exe\""	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dnscacheugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\dnscacheugc.exe\""	dnscacheugc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dnscacheugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\dnscacheugc.exe\""	dnscacheugc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dnscacheugc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7BB5.bmp"	dnscacheugc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2460 set thread context of 2816	2460	dnscacheugc.exe	35
PID 1296 set thread context of 572	1296	dnscacheugc.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016411-52.dat	nsis_installer_1
behavioral1/files/0x0006000000016411-52.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
2992	taskkill.exe
2904	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\dnscacheugc.exe\""	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop	dnscacheugc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{C3E8D47C-9F43-BB75-694C-C844176198A5}\\dnscacheugc.exe\""	dnscacheugc.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3BF8A411-27D6-11EF-9267-5267BFD3BAD1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a43d870b630db429b070e111b31e4fd000000000200000000001066000000010000200000001864a440a9a72161089e1031b9169f0a754bdf691d3deda7781452b570c4998f000000000e80000000020000200000005b6c4b67e61db747ac491d2816034bb75dcb4d99dbb46c09209ed4e14628e23c20000000ec311561569cb8a13c9a5d4facae294355273731033c7ea401b111dcbd2f54d940000000a719baa576ecac2413de9a4694a20555df71b52293add70e9dc8081f58b59a3601bcb539dd741b13e320e7e5cefbf64bfd3abb9613a8a4ebe1e7258754b2ed2e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 509dc0fee2bbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a43d870b630db429b070e111b31e4fd0000000002000000000010660000000100002000000067003f7832ab5cdb9c11e0adff1df194738b6692d707bfa8027536cd8cb223dd000000000e8000000002000020000000e402529c2dcb3b31bf7553738ea4782b735f8b4ce64befbe8453b878367c0be99000000085d8a8fc8f79e170425804b9c7713ef3b7853553ebb4954d604edd64f53351ae3190176db5262a3a2c292dca949ccf2b1efce47cbfbbbf7790225153ad5036fd870a46afcf561163b189dbef9db7c16ef7a98431b198bbd2447a893f171f1ef0558e8a7612c15f3915c031cd2d059e3733c374b4c2b86389786bc60ef33c9edd9b56f95906c9d4d29b8cd93603f3a57a400000006ac2b2aef605f6ac72c1a3c5a44a6b0e0c091afcf2e4c1600e894faa84572b7aaf1c5c96a5eff1088c1b878583ea386817c755ca9e07ad7c34c0fd3f2bf5d2fb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C094DB1-27D6-11EF-9267-5267BFD3BAD1} = "0"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2968	PING.EXE
2004	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe
2816	dnscacheugc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	2816	dnscacheugc.exe
Token: SeDebugPrivilege	572	dnscacheugc.exe
Token: SeDebugPrivilege	2904	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1528	iexplore.exe
1528	iexplore.exe
2820	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1528	iexplore.exe
1528	iexplore.exe
1528	iexplore.exe
1528	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2820	iexplore.exe
2820	iexplore.exe
2492	IEXPLORE.EXE
2492	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2492	IEXPLORE.EXE
2492	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2636	2152	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	28
PID 2636 wrote to memory of 2460	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2460	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2460	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2460	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2456	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2456	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2456	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2456	2636	9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe	30
PID 2456 wrote to memory of 2992	2456	cmd.exe	32
PID 2456 wrote to memory of 2992	2456	cmd.exe	32
PID 2456 wrote to memory of 2992	2456	cmd.exe	32
PID 2456 wrote to memory of 2992	2456	cmd.exe	32
PID 2456 wrote to memory of 2968	2456	cmd.exe	34
PID 2456 wrote to memory of 2968	2456	cmd.exe	34
PID 2456 wrote to memory of 2968	2456	cmd.exe	34
PID 2456 wrote to memory of 2968	2456	cmd.exe	34
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 2460 wrote to memory of 2816	2460	dnscacheugc.exe	35
PID 1156 wrote to memory of 1296	1156	taskeng.exe	41
PID 1156 wrote to memory of 1296	1156	taskeng.exe	41
PID 1156 wrote to memory of 1296	1156	taskeng.exe	41
PID 1156 wrote to memory of 1296	1156	taskeng.exe	41
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 1296 wrote to memory of 572	1296	dnscacheugc.exe	42
PID 2816 wrote to memory of 1528	2816	dnscacheugc.exe	44
PID 2816 wrote to memory of 1528	2816	dnscacheugc.exe	44
PID 2816 wrote to memory of 1528	2816	dnscacheugc.exe	44
PID 2816 wrote to memory of 1528	2816	dnscacheugc.exe	44
PID 2816 wrote to memory of 1524	2816	dnscacheugc.exe	45
PID 2816 wrote to memory of 1524	2816	dnscacheugc.exe	45
PID 2816 wrote to memory of 1524	2816	dnscacheugc.exe	45
PID 2816 wrote to memory of 1524	2816	dnscacheugc.exe	45
PID 1528 wrote to memory of 2680	1528	iexplore.exe	46
PID 1528 wrote to memory of 2680	1528	iexplore.exe	46
PID 1528 wrote to memory of 2680	1528	iexplore.exe	46
PID 1528 wrote to memory of 2680	1528	iexplore.exe	46
PID 1528 wrote to memory of 2492	1528	iexplore.exe	48
PID 1528 wrote to memory of 2492	1528	iexplore.exe	48

C:\Users\Admin\AppData\Local\Temp\9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe
    "C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe
      "C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2680
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:537601 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2492
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:1524
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:596
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "dnscacheugc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe" > NUL
        5⤵
        
        PID:2568
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "dnscacheugc.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "9dba51d1d709efb322ad0babf9028c30_JaffaCakes118.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2992
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2968

C:\Windows\system32\taskeng.exe
taskeng.exe {A82CB12C-3851-4AC4-A6B3-0C4722553284} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe
  C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe
    C:\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2820
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2420

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
9611e4cd379e188367f2877f566c34ed

SHA1
7d5d2ba4f0e071e496f6a4034cdc7fc9757c379a

SHA256
d755aa3726273bda02491d8a502c449fd0bae04c035eb7a53d3d494a042b42ed

SHA512
ebda3e39a3d4c3db48f4edd919137eeaa47ea008c9e2ba70eaa8fa610a92d8b844784eea8c7281da17b11715db5f422d8bd7a68b22a087bb191acdd3a11e1ec7

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
8399bbab0b075111c6e1f89f812ab05f

SHA1
7540abb0160e17226f60e20bfe17524d404a30ad

SHA256
08d7ce649f0b2a155ec0834da38fd69161168b5c063d4f202982d5cf18fc8e0b

SHA512
21ce2f820ab9954037a3c9c628b133ee03c174205cde7af596f7fe87d8a071c6db2b8b9f329cff1e8638b6164320972bb9815f0039b18be06610bbf9e9543e81

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
f65f41006403b59b606f4a7338f07244

SHA1
8179968da0550d6ce85decafe44d571de86516f0

SHA256
40e13ad5b831651246e9c9461b81846d5fa6d5f9a4403948d5706721ca10eef8

SHA512
7dd7c6aae50afd832cd5ca23763c5a24395ae14cf20fc3e5f2c7b3b162abd6f70eaf1b0207e67bb732cc8f330ed9c4c0a6fc25bdbdb09fd403f944b9ee51fb87

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
231B

MD5
9d8c4bfbd009c4d6001e2125abaa8b02

SHA1
cd040558172b5fca5b200447a281843956243741

SHA256
a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

SHA512
c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f6ab01cb7a1af2e37d7c65b5f0cce7c

SHA1
a908c4e7fe8cfe26457bb2e55d709d243757e6f4

SHA256
336c6bd4a34ff09de078015feb91caa66b370d02c51ac3acc6a89b21a9f346dc

SHA512
1eac66f612c2110ce1c13eb7f65be6182a850915ba5efc47efb1585111fa31bfb12ec924fde312d7d7b199b0a2ec0ab4221ff76817588969f630a6d18ea888fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d08af9afaa260e77583c08b37bfe7a2

SHA1
d3897774ec66e6228d7ed3704b9856191303748d

SHA256
cc5f920c75ce2983d8748d23c27b80f3440d71fa5092bf3289525cb503a38ccf

SHA512
bc38daeb82cccbc9fee0d2a13c1b7ea328d732e34a0e704341cdf179b8c367f88be64f925b04b9dec5719214556d11453cf270eba2a56ba076376f4ffe0e092f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e377cd4d9692ae89017da7eb096ae8e

SHA1
7cfa8030669e5e05ba38924ad205ccb7cbf9213e

SHA256
814791df9145a0a4a0c1ff9d046abf8fc551776c717bad24a68cfd21fded3b36

SHA512
3231427ce6282942a42dee635f375bc546b1f6df142b9ade3fd4d1eb80d26ff2e99f5ddbf5f11e4c07f9027b8f0d9de718a7b8564e57850e632fb9f5be247c53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
912d0ced786513173d3035517017a39f

SHA1
2ae03017b55fb8805d59f8dc822f410996fdeef4

SHA256
96e2a4132f7c53280f5c532110559044a171f63d5eec21a3311a4900a8aac715

SHA512
43b110d1a62a319deb66bf0d7e41da03754479926e45a8240bec0bf4198132ae95bab90456bea17a8a2904456734206d10a1596ee9745fe8a2bb7c36d189d6b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a421fd60c18657b31f6d3fd6e3f4d6c

SHA1
be8e8ad540c63609f02a688aab6b1d643bebb8d5

SHA256
ada45f1a48f4f34710d89d7c17876b0eaa509269c925c36290853d5de08fd4b0

SHA512
dec77ba6023820a7f18be7961b307ee787b80b68297642f565a87260209bed67d1646f52a4b40c9a41c08a691a087387dd675aa2d2568e9170a736020676c028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f9a8d5d1fd406449a739bcaf9fb6493

SHA1
fe86ea0d8fcb3715b215d3a816e10046281eb333

SHA256
ca21089b204f60c887938c637ad3dbc9a3ce927fce33ed995e5d2d261bf6990e

SHA512
7e2f4639e25249285174b2dcd2b17fb610fb8ccdbb60999722f44195fbe238eddf68cfb344586b9aa4a9084a1a0f931aaf7ba3068b426c44ad76ef2656cc5c90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d9f652a94dc401dcfe78b96b49b21c1

SHA1
08d1639979d11e923c2f5bae38f0e241e2b3d323

SHA256
64025ceb9695546ed2fc30a414f2002b6295f8cab1716c1fe4feb5647b717fe4

SHA512
d3732992934ada014e385831579fae043bd2d65cd12b7199bcd48e9b4e6ebd4a8613699d7ac47d5aadd0d635aaee1709bbeb8acc48d258353e6495fe0f0a52f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deda17af8b08b498168b5c48250e1527

SHA1
b8579a86f6ebe94096b79db360e9ef043c9d2892

SHA256
e886d71cdf437cb43edac56276c60e41763e9b4687649675bf738d92674fa2ca

SHA512
a276dc967beb0114d77af7ff08c3f90dc463904d8a9be64ac0b384554a421a840e7c19ca2bf57d76b98cd07f95146d66059a314c03ebd8a400d734b3b7aca6b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce4df5682fe8206e59e3ef2d9f76d9ec

SHA1
24b3ebf15d7e824b40fc4e9b228587eb7b9310a7

SHA256
82d52d320b88ef3acdf15f4ba30c8092b7e523c4e5a959439f28ddce032c8d22

SHA512
5898d51cfd3e17c134207af36dea535e50a6bd0d73a936eb3b77467f4e42d2b1b6b3186ab5a8c18b1fea74653d40228bb58443f31e375148bc5434a46d16c068

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9262.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9354.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Cape_Verde

Filesize
97B

MD5
739bc3be601fc4c312fca262597514eb

SHA1
c14ae4cd4e2ce75b7ea4ed39a835bc8d207f2486

SHA256
b645b5d403881ac66ce4171af4aced39c0a17237fb78443fae623b1f4367345f

SHA512
c0092979146f54dd885d4b12b0f7e37285b4116aecf4a793eb524d0b33c8ed2e7a336f97ec6d2504203d51207205f192895c1850fd6dd5f30f9848d86ef4c5fd

Download Submit
C:\Users\Admin\AppData\Roaming\CircleSubpicture.png

Filesize
3KB

MD5
66c15bc65dcd0d2125578f68a1a9a5fb

SHA1
7c6e3c7e4f6fd160f6030d41c177de56b5813914

SHA256
c8ad5c12253b5ddc84f6b5cd6e88a9359ee6a77c6b52cd363cd53582772cb525

SHA512
0025ebc1fa8ceddabc979db4a25b5095fed0836d98d42212cab73f063a4b244e47c39f5e2ce3cf14ee519c42939ebeff2805d18c5a2883b687114d443e3d62bc

Download Submit
C:\Users\Admin\AppData\Roaming\CircleSubpicture.png

Filesize
2KB

MD5
20a07038d866854806cde137985291be

SHA1
0757b25acc07c221f0d178500edff240f8b3f4a3

SHA256
fa8b9c24c5b0ad36366a3feeedd6418849b329af3e9abf768247458423314bf2

SHA512
d7989f2b39237547533cfc00d11768dd9585eada20d4ddcd0e55a51fabea5ed44ac080722e017b868c36607b95abd1df21082b0bb3549f05f60fe98caa12fbd3

Download Submit
C:\Users\Admin\AppData\Roaming\Cool Gray 9 bl 3.ADO

Filesize
524B

MD5
48e0fb6b8052f1ab8b71b3f18e4c1a43

SHA1
82b1b0194cea753df8b9130a40c5688e30fce472

SHA256
1b39315b00fd693c9d3ebe209eed643c8e18cc3ab30aa5405069de2c92d301cd

SHA512
4c5d66ed0145f2705ffdd7e2132683c4a627867ff72dd2de442f24288b17bfafd6b75c391f2fe5ee6cf72660f6cc7fcfb9878f74e757ad21259b418b599365e1

Download Submit
C:\Users\Admin\AppData\Roaming\CoupeInvolucrum.9bY

Filesize
4KB

MD5
a5cde678454ba56e36f963911bf2556c

SHA1
5b1f5b664a1f649ab54c626c5eb085d58e1b102f

SHA256
b7b300298eee7584b59897cd77793e67ccf5faf8373ea3da7078df645fbe3a91

SHA512
4a8d4fa353827e40248f89c2e7dbaa18cba2c55ba32a203a243284f834aa9aad88155306e222989e65fea16f0fe7ce36759dca9b36af84be4872904a2560a698

Download Submit
C:\Users\Admin\AppData\Roaming\Default Menus.mnu

Filesize
39B

MD5
31296c038e3154364571e61b99f8579e

SHA1
3e1433612c2e7f61a1310ee47d6f4ce27a2e694e

SHA256
4443ae9d463bf4bdde7812237ab097327ec1d23a3f4e12b319899f2cf7a0dbb0

SHA512
42ae2ae55d5dbc85521cf5c4df9d510b610a62038ca6800682aa95e406b3ec9316f4c74782657f7a99e125b1a908b6ada7bb32b81a46a425f6a5de5bb88d33dc

Download Submit
C:\Users\Admin\AppData\Roaming\GB-H

Filesize
4KB

MD5
81da9f36f9b33e1454c01fbd4fe8bb8a

SHA1
1141725f4d2d4c9318381ebafabca24cfe609ada

SHA256
acd22725de018de883eeb647690906631e10ffa4b18c56d9cc141ebd70154d8c

SHA512
b511ec1c39d2ebcd0a528f70670a3ae491ad3c6d26476bd41088549ec87d51e0292696472ef812c579e2d04463435219570b453f1c0c586a4fb6da503e630b29

Download Submit
C:\Users\Admin\AppData\Roaming\GMT+11

Filesize
27B

MD5
41dc583620885308274e1af0be12e78e

SHA1
9f96a25b7539ebc2a5bc0661b65a03992b63e210

SHA256
f3236a2b39954dc659c25482fde3dcdc735b6b6829e3827bedb7c8c8dc72dd54

SHA512
ec50aefdae3b9e276b1ca87677dbb89841a91169350eb88da1bd61b84726c8ffd19de6ab037bc0159a16bd44587f01daa3421298640c168ac2562a66170f9e3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dnscacheugc.lnk

Filesize
1KB

MD5
96e1bd54fe6f259ed5a3472cb925560f

SHA1
f790c17107c605a8a632f9307cc272b53f061265

SHA256
4d9ddeb76c4edd7941e9885b5b722fb6f5dc2f3115868d9675e011198677031e

SHA512
a3d4475f4972bb418794d9304efb3384613fe97b0ba0a11f8cb2ea9b6c33d095964ed3272b57c2f8f97b49928f8c71808c2784654f2f47b9cafcd66d83bde819

Download Submit
C:\Users\Admin\AppData\Roaming\Servitude.W

Filesize
128KB

MD5
2fc7a60cc8016d277c0bce2ebef71ab8

SHA1
4085b129a87faecfaa15ef6b6b7991e770c8990d

SHA256
936b79427c4e2550ebb989c7db80f39b7bfc28b24fd22ee536d13aa86d924a02

SHA512
cf464c86bfe49500acb4e83fd76fc684267b61dd0010c68975d352d23900857fa1ebb480de06a62d5d350850a198e47af171ffabaec16faa31ae00b553d82d2a

Download Submit
C:\Users\Admin\AppData\Roaming\autoidx-ng.xsl

Filesize
942B

MD5
b3c15ca22e2021027f4234739b578f66

SHA1
f3a1ad8bd3cdd9713e719ab9040194e5fd7ce33d

SHA256
4e14f479ff7b4fe613d169f7509ab7cb077f90e5aff3d97008c1f40019016688

SHA512
8a41b35641c21b07d9740aad38101475007d72d9605a2dabc17c180679e7e190e847d2a3ae21e5e24ddb77e0552bfdac4a9ebe68681ce19188c418d4f1761541

Download Submit
C:\Users\Admin\AppData\Roaming\but-info.png

Filesize
687B

MD5
39b25e2484aa82c7b2ec81fcd1f7af59

SHA1
ee8a02ac5ed57a01e2822d2153a129ebe928212f

SHA256
fd14667ca139e7315c85f6fdb5d59fb7869a42873e710fb6465c4db238d06cfb

SHA512
7e411c1ff701d39908325a128881d328405e0936efcabb34465fd21d71a8bc10fa459d6e2a57f281c05e4d22f66a2975f7866dfee019c58dc10ef2298cb6ccf9

Download Submit
C:\Users\Admin\AppData\Roaming\but-info.png

Filesize
301B

MD5
edf1bb40465c547e373b2057117a6997

SHA1
f3579744a4d76be8245b5d04ba693ab19ec520c9

SHA256
11edbb41223aabf180c7c15822b5e2f6f7c5d60e591c83557e3afb08819a5d8f

SHA512
fb19deaf1ed3540210e6b87d3f0e8b3e1f163911220a84cf2f805b70a135faf4f311aa898924ae2b5a7966dfdc021c37b9e0ce80b77fe6a3706c68e4ef5098c0

Download Submit
C:\Users\Admin\AppData\Roaming\compare-with-callbacks.js

Filesize
2KB

MD5
1919cb27aa32b81469031fa695695aa9

SHA1
10927f7237a798c773a26b4ee3b74b92ce701210

SHA256
2735fcb499b355d527eebd74b22e8299d53334aa9d6480c73152292c32b04dfa

SHA512
70e6caf4a84a998ad802c0d2e21501b4a827d66498835cdff614b4eea7bd0c833ac77c75b03c531b0095b852eff015f6d6f847c0343b096abd91a7361cfb154b

Download Submit
C:\Users\Admin\AppData\Roaming\compare-with-callbacks.js

Filesize
1KB

MD5
2c6f5684ce8e64e2ac4d106ec6c361dd

SHA1
78f431b04243778cf02f29c63ec1f10e464bde6a

SHA256
1d552bba9fdb2557c0a0b55c79eb322852df0e6a0bcb3b48cfbdd335f32b3552

SHA512
0e53cd5e0c943e9c2014b8b778811b4aa83610347f7156ef4b5f616a13a7d29552f72087fe8a956c1c9464af224dcf113232d65e913049e8be8966aa7f2887a6

Download Submit
C:\Users\Admin\AppData\Roaming\copy.png

Filesize
1KB

MD5
b8f3bcb39093d3fa4aac98300e85f9ff

SHA1
e0beef56dd0c1bf1b46a926af0cba54aa2304fab

SHA256
7990a4f0f6b2cb8bd5f110fca1035bdb0d9ecf0f504c28b5775e9c0a61561231

SHA512
1af57b2525efa8308be083852b5ea567bf9a8cbe7484da45ac5d002b3ad1ac684cbf770d30940774af7e976ec874a6eb3ecd4c274700450c5afd2474de793ad4

Download Submit
C:\Users\Admin\AppData\Roaming\copy.png

Filesize
867B

MD5
35cc513ff018f47876e85c705cbf1406

SHA1
b4616a4cd9651952b354782f291b667f5ee9a232

SHA256
4edd945106ec52a068241ab556a0c549c73b1bd46b2a216d6a0f82f015dec27d

SHA512
80d89352840492434ddd194881f428fe4c2175bf3e13bc9fe11e4e88af187315a3180b4897bffb96bf4922ccaae9b3b9998b63d1cfb425faba30247c2b33a948

Download Submit
C:\Users\Admin\AppData\Roaming\cyan bl 4.ADO

Filesize
524B

MD5
6b80535edccb2506b4253ca9c4b9df69

SHA1
9cefb2a388e5ce03e5b9a1f2eefa7f9560c2ac14

SHA256
8e078310abf2897c7261c116eca316ab8b172be404c1188c8376b4a141802563

SHA512
9dea47b9d11d1549a0a5265bad2dd0a20d1334f36b1256e3423f0fe65831262205066d30302fec2c8cefd97b60f30cb4a8e4dcfe220f7eb757022697401c3de4

Download Submit
C:\Users\Admin\AppData\Roaming\double.sided.xml

Filesize
1013B

MD5
0b0b81875ffaac9b717fc9f7eb35d7b8

SHA1
0f5b7e8acfb0b4b0a94c8d7d543b184e7e5cdea6

SHA256
e17138765b5c3649e13e933f3f0e40a05da6110e9709a279e5fd4906df710cfa

SHA512
f721b4efa8e6238aba84f6ce86b37aded60a44430a00cdc96eb1132ef6abe53ec2394350ec196b7ee7254b27d857ef8c6e1925f407ce08859a8f5ff9321bcda8

Download Submit
C:\Users\Admin\AppData\Roaming\double.sided.xml

Filesize
1KB

MD5
3276d7c599dccd63c8c6e9d40c199370

SHA1
6472a23cf5a1643f10037586cf70e6263043c9c9

SHA256
9dbb067cf9af604609d86c452feaac2c4692f84cf4e9e046e9a10dff174f2c4c

SHA512
c149086ebde3bbec2d483f0550125dbbbd98655e386e25d2e5bb74e5533f95172c29a909e4038c18a28659ae42bf699dc2f7d6806214982359d2eae3695dbd16

Download Submit
C:\Users\Admin\AppData\Roaming\dutphon.env

Filesize
2KB

MD5
d3fd7121b844308f5e0d98218b25f7a1

SHA1
57eda098a5ac50befbbaed81c9358542508d2025

SHA256
3f19660f2ffcb1b75ce092e05a9d02128025f89a378cfa302a3fe406c065139b

SHA512
0512e3887235754102c623ba704421c745f43d5300a8dd31cc79d1d70a537158dd5a2a25e8e0eab69dfd8cfa234a437ebfa89abafb5c31dcaf28f745a17feca5

Download Submit
C:\Users\Admin\AppData\Roaming\error.xsd

Filesize
1KB

MD5
3c514691acb839524ed060bf0e2a2a11

SHA1
b0a7bfaa6f2c2b27dc48240a3bb948ea222a76c6

SHA256
cea31280b99f0c6175d51c4acfc211ac985690b1b919b46b639f32b1f61362e5

SHA512
29195c4016c4650f12b67130213fcdb7d9901df188db718e135be9b0b7c8fb55f950f32b68856021a51fe004405f85d24f4a9514e5b070fc394368e67b2fe3b2

Download Submit
C:\Users\Admin\AppData\Roaming\excluded.txt

Filesize
1KB

MD5
eca0bc75a6f145bb33aabe5108dff9a8

SHA1
cca370c3ebb4b3bd2bab1f9c067574f47aee3f9e

SHA256
a5aef44fc2041f030b33a7827777dcf98917642df83e242949eb5df532eca85e

SHA512
b6c0b7b9780b82ce0f00a752e9942e7905c58cf9162eaaa03940772791822c5ac36cd5230c0947e2d3d6f33e6774743adf35c1b6294cf3df28615c17fce1e332

Download Submit
C:\Users\Admin\AppData\Roaming\filename-prefix.xml

Filesize
1KB

MD5
ce246be1354bd6501d1ccddc9d552c68

SHA1
6f08c8785367189bb495fc903cd8627ef90a9174

SHA256
1a69e5650275cefbb8d93b2d0c02128d851de7e36ddca730a8e444b6fce467c4

SHA512
2a3155391b483757e3c0c302ec34dd90efe9434318ce33b52d006e68d478f9d40108fe8774893b16a1c4bc60f026d113e6ceac8aba42f09ef92fa8fe32ff6e04

Download Submit
C:\Users\Admin\AppData\Roaming\forward_long.png

Filesize
887B

MD5
52a6ccee7b61aaebdad8b0ac25d54680

SHA1
4aa90440ff85fb8eb9900f4f761e1706f8a763b7

SHA256
78dc9a077f420c64ac03126608e052f33a471191e55ac51625b5f8081e78c96e

SHA512
becce92eaa29f38b11cf2fc3b68d6feb7d2de12dac03634685a8f2f09dbfeff518d2c540830a6565d27e9e4706154fdcfb592de655ad6cb480beb5f602167fdb

Download Submit
C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xml

Filesize
1KB

MD5
a057463e49cc7a282b9de9bd1f98c940

SHA1
17f203dd324b4dc61fc85a2848b93f0941946d4e

SHA256
ca43ac52dec0ed1083c006678f4e1e0b7e6c2882e8bcc66e76bc776b7340bfe8

SHA512
b18514215cc196d457629ee48c08b05078aa7b61dcd26a540ef9aa107e4231a27a80de11e068a03611c85966fcb511bf22f0ab40fc8e461cb817a1caba9c0734

Download Submit
C:\Users\Admin\AppData\Roaming\gray 423 bl soft.ADO

Filesize
524B

MD5
f80c22abdede870a48b813be86f1dfc4

SHA1
55521387353a7fe5798f2d1cea608177c175aeeb

SHA256
1e3b4a0cd6a9017e8ffbb611587330845608ce2508a18d11a78ea03a3f220260

SHA512
559d3c18a038302280f897c5fd912bd3aab360a8e9ce7cf3606ca49234cf9be22ba0171e35929634beb54f39cbe4d2fe0b9a838eb8e02198c966eb9d1acfd80b

Download Submit
C:\Users\Admin\AppData\Roaming\green 349 bl 1.ADO

Filesize
524B

MD5
1289782651c9af159c54bd25c344a26e

SHA1
5ff702833f8e0b9b2bc066d7de9e9d3885984135

SHA256
82020a2103aa444d0b44638ee2666fa3f077af7b5dda85433607d871d103fc39

SHA512
afe7c5e2df5643fec0c486c7efd9b8a440d2ac9631b70369e35b14561995ca91151c1859ef2d49e20621652cf38f024ea94898ff4c2b258380f5a92613a3df51

Download Submit
\Users\Admin\AppData\Local\Temp\nsyCA0.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\HelpButton.dll

Filesize
48KB

MD5
ed6a1f9c51825426eba9c9accc70e212

SHA1
f49bdd25415b979fef71b227d206ad6430860f28

SHA256
183fbe83a879d66e03ea757fb8c130b41e58781fa9d1b08dc3ae6a2e712e0cb6

SHA512
db87e2a3347c83cf305fcbf957d0aa86421b93b7bc25c4664951ef523a7b1c693221eaa42bbc69d9d594f0545167a244364493797a84e80f507cdc994fafe32b

Download Submit
\Users\Admin\AppData\Roaming\{C3E8D47C-9F43-BB75-694C-C844176198A5}\dnscacheugc.exe

Filesize
195KB

MD5
9dba51d1d709efb322ad0babf9028c30

SHA1
65916448900214e4a3a130b69767edbafa1b783a

SHA256
ba142f897f9c3c3b677064b79a7b9e556b8a7060f7d89f98f4e95157497add29

SHA512
acfd650221d3fedafb4782f762f88fce7272dd5286a609aa7c22d7c741317d72983e0ca6c957144897afbefa899bed2d8cbcbdfdf1209cdfed79f346f26c07f8

Download Submit
memory/572-208-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/572-209-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1296-191-0x0000000000310000-0x000000000031D000-memory.dmp

Filesize
52KB

Download
memory/2152-29-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/2460-114-0x0000000000890000-0x000000000089D000-memory.dmp

Filesize
52KB

Download
memory/2636-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-130-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-213-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-214-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-205-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-134-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-132-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2816-129-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download