cerber | 7a6dea9a1f132fb60fda6b9ab1c821189881d093a64dc62f7903c2a819cb7adb

Analysis

max time kernel
138s
max time network
139s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Size

216KB
MD5

b8ca0108f4ae400ebb7169e7cee05f4c
SHA1

710b305e72129ad1ff69f9434f27f64298060292
SHA256

7a6dea9a1f132fb60fda6b9ab1c821189881d093a64dc62f7903c2a819cb7adb
SHA512

e1836c66940f82c95b5f9d97a511b0b3910b89416bd59523ad4bc442c016cfad00e58789d2a0cb52ccaf127d46073574c9e68f2790880832b541969f57cbf7af
SSDEEP

6144:SwHysFRnGrHQAVUHjzIOh4OzRk1oOJ4CSrZ:JFRnQVU3IKM1JiZ

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community #Cerber+Rans0mware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D | | 2. http://52uo5k3t73ypjije.deg5xr.top/C349-AA5C-5FE9-006D-F69D | | 3. http://52uo5k3t73ypjije.vrid8l.top/C349-AA5C-5FE9-006D-F69D | | 4. http://52uo5k3t73ypjije.hlu8yz.top/C349-AA5C-5FE9-006D-F69D | | 5. http://52uo5k3t73ypjije.onion.to/C349-AA5C-5FE9-006D-F69D |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/C349-AA5C-5FE9-006D-F69D | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D

http://52uo5k3t73ypjije.deg5xr.top/C349-AA5C-5FE9-006D-F69D

http://52uo5k3t73ypjije.vrid8l.top/C349-AA5C-5FE9-006D-F69D

http://52uo5k3t73ypjije.hlu8yz.top/C349-AA5C-5FE9-006D-F69D

http://52uo5k3t73ypjije.onion.to/C349-AA5C-5FE9-006D-F69D

http://52uo5k3t73ypjije.onion/C349-AA5C-5FE9-006D-F69D

Extracted

Path

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D</a></li> <li><a href="http://52uo5k3t73ypjije.deg5xr.top/C349-AA5C-5FE9-006D-F69D" target="_blank">http://52uo5k3t73ypjije.deg5xr.top/C349-AA5C-5FE9-006D-F69D</a></li> <li><a href="http://52uo5k3t73ypjije.vrid8l.top/C349-AA5C-5FE9-006D-F69D" target="_blank">http://52uo5k3t73ypjije.vrid8l.top/C349-AA5C-5FE9-006D-F69D</a></li> <li><a href="http://52uo5k3t73ypjije.hlu8yz.top/C349-AA5C-5FE9-006D-F69D" target="_blank">http://52uo5k3t73ypjije.hlu8yz.top/C349-AA5C-5FE9-006D-F69D</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/C349-AA5C-5FE9-006D-F69D" target="_blank">http://52uo5k3t73ypjije.onion.to/C349-AA5C-5FE9-006D-F69D</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D" target="_blank">http://52uo5k3t73ypjije.xmfru5.top/C349-AA5C-5FE9-006D-F69D</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://52uo5k3t73ypjije.onion/C349-AA5C-5FE9-006D-F69D in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\MRINFO.EXE\""	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\MRINFO.EXE\""	MRINFO.EXE

Contacts a large (518) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MRINFO.lnk	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MRINFO.lnk	MRINFO.EXE

Executes dropped EXE 2 IoCs

pid	Process
1800	MRINFO.EXE
1780	MRINFO.EXE

Loads dropped DLL 5 IoCs

pid	Process
2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
1800	MRINFO.EXE
1800	MRINFO.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MRINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\MRINFO.EXE\""	MRINFO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\MRINFO.EXE\""	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MRINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\MRINFO.EXE\""	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\MRINFO.EXE\""	MRINFO.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MRINFO.EXE

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2C9C.bmp"	MRINFO.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 1800 set thread context of 1780	1800	MRINFO.EXE	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000161e7-59.dat	nsis_installer_1
behavioral1/files/0x00060000000161e7-59.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
2480	taskkill.exe
1820	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\MRINFO.EXE\""	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop	MRINFO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{04E11A53-556B-582E-C494-323BC9541A7E}\\MRINFO.EXE\""	MRINFO.EXE

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8cc7bf0365ae542b3373a451c4069aa000000000200000000001066000000010000200000007df66f4c8bb09ca52be4ad6c7ac8f2f718a449b63032cedd3cdf7bda6392023f000000000e80000000020000200000007e2977a2c22f8a1cc89db010a4d8167d6c8ab690c0f26049046b2f3eb4ccca5f9000000011ac37c6fd295df2aae9b2b81ca66101af69ba7db80cd621d4c643400c12fd8a1d46a76d89b9d2206ab4988db1b9f0bf63e53cba426bb285af6575c7653a8c8336004ee7657e7c2f5b0f4f9d30fa4c22c980397d6a92b51810f437cded8fd4390845fe9e26ffc7b77e64c27cb612c7725d67a9c66f0623f97a85b80d4f00d3bc23df77be6932b84b65a01664494675b9400000000f10a412c1356a84d10a82a0182311e2b67c2440607ba7814c4fae752a5c557ec79fb1898421f9f462573803ca4eb048b8b555aafa51434a33ea0d898b8a4228	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424791889"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A74CCE1-2CAB-11EF-87C3-6E6327E9C5D7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8cc7bf0365ae542b3373a451c4069aa000000000200000000001066000000010000200000006e83d3d919fc0a16022501ecb651160bf8e212749b31f7c3b0367c93507e4c79000000000e80000000020000200000002548a48f0c8d7cd8348bacfc44e3acf038bc378fb37dbf1df5c05d5e42e19a5320000000e0cb34c7321ee2a4cadbf7e15cbf031509d862115ce35c97b6b2b8f6de29c8f740000000bb9038315d2741933a445868e2845bd692eed5a5e63ab252632429ecc82974dba3d676f9c334f50ccc13c991df3e638a659185b200ec447fb1ee912385cbcb16	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A8EFC01-2CAB-11EF-87C3-6E6327E9C5D7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b1352db8c0da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2756	PING.EXE
540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE
1780	MRINFO.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	1780	MRINFO.EXE
Token: SeDebugPrivilege	1820	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1628	iexplore.exe
1628	iexplore.exe
2576	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1628	iexplore.exe
1628	iexplore.exe
1628	iexplore.exe
1628	iexplore.exe
584	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
2576	iexplore.exe
2576	iexplore.exe
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1044	2512	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	28
PID 1044 wrote to memory of 1800	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	29
PID 1044 wrote to memory of 1800	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	29
PID 1044 wrote to memory of 1800	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	29
PID 1044 wrote to memory of 1800	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	29
PID 1044 wrote to memory of 2452	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	30
PID 1044 wrote to memory of 2452	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	30
PID 1044 wrote to memory of 2452	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	30
PID 1044 wrote to memory of 2452	1044	b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe	30
PID 2452 wrote to memory of 2480	2452	cmd.exe	32
PID 2452 wrote to memory of 2480	2452	cmd.exe	32
PID 2452 wrote to memory of 2480	2452	cmd.exe	32
PID 2452 wrote to memory of 2480	2452	cmd.exe	32
PID 2452 wrote to memory of 2756	2452	cmd.exe	34
PID 2452 wrote to memory of 2756	2452	cmd.exe	34
PID 2452 wrote to memory of 2756	2452	cmd.exe	34
PID 2452 wrote to memory of 2756	2452	cmd.exe	34
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1800 wrote to memory of 1780	1800	MRINFO.EXE	35
PID 1780 wrote to memory of 1628	1780	MRINFO.EXE	40
PID 1780 wrote to memory of 1628	1780	MRINFO.EXE	40
PID 1780 wrote to memory of 1628	1780	MRINFO.EXE	40
PID 1780 wrote to memory of 1628	1780	MRINFO.EXE	40
PID 1780 wrote to memory of 344	1780	MRINFO.EXE	41
PID 1780 wrote to memory of 344	1780	MRINFO.EXE	41
PID 1780 wrote to memory of 344	1780	MRINFO.EXE	41
PID 1780 wrote to memory of 344	1780	MRINFO.EXE	41
PID 1628 wrote to memory of 584	1628	iexplore.exe	43
PID 1628 wrote to memory of 584	1628	iexplore.exe	43
PID 1628 wrote to memory of 584	1628	iexplore.exe	43
PID 1628 wrote to memory of 584	1628	iexplore.exe	43
PID 2576 wrote to memory of 2900	2576	iexplore.exe	45
PID 2576 wrote to memory of 2900	2576	iexplore.exe	45
PID 2576 wrote to memory of 2900	2576	iexplore.exe	45
PID 2576 wrote to memory of 2900	2576	iexplore.exe	45
PID 1780 wrote to memory of 2804	1780	MRINFO.EXE	46
PID 1780 wrote to memory of 2804	1780	MRINFO.EXE	46
PID 1780 wrote to memory of 2804	1780	MRINFO.EXE	46
PID 1780 wrote to memory of 2804	1780	MRINFO.EXE	46
PID 1780 wrote to memory of 3016	1780	MRINFO.EXE	48
PID 1780 wrote to memory of 3016	1780	MRINFO.EXE	48
PID 1780 wrote to memory of 3016	1780	MRINFO.EXE	48
PID 1780 wrote to memory of 3016	1780	MRINFO.EXE	48
PID 3016 wrote to memory of 1820	3016	cmd.exe	50
PID 3016 wrote to memory of 1820	3016	cmd.exe	50
PID 3016 wrote to memory of 1820	3016	cmd.exe	50
PID 3016 wrote to memory of 540	3016	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\MRINFO.EXE
    "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\MRINFO.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\MRINFO.EXE
      "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\MRINFO.EXE"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:584
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:344
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:2804
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "MRINFO.EXE" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\MRINFO.EXE" > NUL
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "MRINFO.EXE"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:540
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "b8ca0108f4ae400ebb7169e7cee05f4c_JaffaCakes118.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2480
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2900

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1560

C:\Windows\system32\taskeng.exe
taskeng.exe {CE52C8EA-63D0-44C3-ABDC-EE0F1B87719A} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
234B

MD5
6f84dbf74ef41dc3d861f5fb3e0f45ff

SHA1
3e5f17e9b9589f33ce6add7f2518a666ff2253a4

SHA256
df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8

SHA512
9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
a960756cfe3f9e4dcbbc4aa25a3c4c9f

SHA1
451955dfea3a1064a25cc2c19e4aa5f8371b028a

SHA256
ca5672f3b48c5bf471d81e957f3765a8f5a45f91bc201c293e4211346b862d9f

SHA512
c1931d5d75847932ad2607619027d618b6abbe2185d55ff3d4b039e537afdb6295f44fc14b608fa70250000be5fe24c461cc7445fc8b8fac685829e0fcf00ef8

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
5e762a202184f84b44bcf817c61d486a

SHA1
f1b9d2331195974b09d22e05586046d2882e054a

SHA256
97d44d319fb25beb6f1fd6442684eede802446ae8a5bee1b93eecd30966f3194

SHA512
5d4dc4656fa117934928b40fa9e7cc020152b08350b3312dd42124bdbb3e8cfd14d17946a10f3a14d43b88c346c907cc422273cbc10793c25e37ad360f246eb7

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
90B

MD5
020272bf91f447b8a6d1a0bf839f9d3e

SHA1
844fa019009f601902ccd17e11728ad87b627168

SHA256
e1729294afbaa357c35873fe384e9be0ccb70a8f1d5f4f85910d8310864c8db0

SHA512
ab9bc11fe4ea887b5323bad05925f843d06e81a2b81f037ea2c824f36c10ff0e193019d877aa44cea5db8f030217354aa766dc4c826600d3e652ee6ea04fa3f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c161dbe5b4de1b2ee801e740d5a946fe

SHA1
d5f262237569d934e3f099c295bb83833c4a8fd8

SHA256
7af8bb1ac7d11d841e46a886c667b918025f2a048b23efb6ee9136c70e191fa6

SHA512
755bb1659f4b29ec1a5248d6cf02d7861cb83d8a98b5d8d5b735146cbb14557365f47aa0b45a0ba6f2f36a9aded55116fde17f60e0c63f1540ea22d1850b89c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56433ce9761768f1c3fcfb4230eac630

SHA1
f2e1a30376e8aec62b317dd93410c56a51982837

SHA256
dddb7d0faa30f17e98282b112367621893cdd1da2a9213ea3cefa425bb854e48

SHA512
d257ee9f979f3a48795a03c0180631bd10d2b5438f834adc4e1dc2bf89dd36c9e81c5da4cbdc6f10ad89563eecfb39e4476c2572ff03fb9196523aee3e71328c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
432d36d098728ff828112dcf05b492b7

SHA1
a26ec290f2ec892e9b8b8b67bc54f5e7f279410d

SHA256
48db0ea2e75727ba85179814f8afa74b5cadcbfbdff09cffd8c08c88ea15afbe

SHA512
6e9878cee4948d7d91fe8fc1b2bae245d0c588744ddc468ee70bbe3aecad8a72bc4c4464001b9d8eb5a8b366618a83160f74c8cfc6a06b8fb7f770d28e363223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a396f013bfbd0e0444b05e6dda276312

SHA1
f5c3983efbe9cfe30344c0e466a32d42ccede1dc

SHA256
202846dd2e9c03ac240ad0de632cbd62072bd04dbfd1aaf37556fcf8ddc11e8c

SHA512
9fb1c93a2ab34f7f96017d0e71363909c609e27b3b5353265edc8cfd08b7821d48d3c5c63b7c98debb4b0f001797cb8aaf5ca1221fa1436f8fb89b609501f601

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52a51ef4ad97dd87158d9fe7f1cb02a9

SHA1
dd3f3b8ea80376182f8cf1cf6262911705a4f13c

SHA256
d07789347d48afdb7de60a0baa480a92f1110aca0ef4e939df05233428fc9fbc

SHA512
8fc2aefaa018c629f185e19d28e6fe9da2431a41b3d1d41d95d71f5eb40a8df0816b650fb3d421cd02fe7094998d62c3e7bc72a3cbcbbb6ef1c5f55549b4a7b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
378212d601c0f69393c9974279a446a0

SHA1
9baef8e305d4e0c4afb895f99e023804bd83296f

SHA256
90029bee8b62cb54228affa9ddfc258fbd5e13c192413b1d04fc5cc5c86b6118

SHA512
bf4a5a927bab583fd16d152e46339bf00ea83b378137541a0523a6f6587f8613a32fc7014da58e7dd70c1ff5b6e513e88b271a93d6179243f2b927554f472497

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7f206d803a0cb4444a15d683058e5ab

SHA1
227105802c5d4c10b2bad94ae152aadc7d03bd54

SHA256
c39e87001cdbc015d086c2d5037d27e84e0bd16745716a63e5c499a40e233683

SHA512
4baf5a315a471ecb3e2d270602da64da0cf5f7e364a15f23491479196c088589715fa4f966bdfbd7bb1a520bac624312ca6d02c0caccd8a4bc37090f93bd34a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64908be65d048d5d3a149b5bb4ac0ddc

SHA1
efcda550f5d4bf05c52ccd6edf19dd23d96e1d1c

SHA256
e459be65a1c6a2563964bebc07b3ef22897c73e544cb5a9080ae05adbdf53f4b

SHA512
2206a203542c73464476f2abbb1828d62e6c5b23f402a059b3737bb2f015231cb71c380e3024cbe4b555fbb32b23a1f2a58f49b30b229aca9306b9194c759310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a16b5916e7044f035c2fc3df27d9fe8

SHA1
d80a47535be4ccd6d8a197838e252e8de767cdd3

SHA256
3698d416a58a6126476a4f636bcf7efdf4332f892613b654845e3c032289e330

SHA512
58491095b6c199dd2276ab03722c4dd442f4a337b36632cf0e91b6f077c77e4dcfa7f2a0b5480b192a3f8b0bd026882d10ff6b060b24db4d1264557bccc74a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be7799ba14c7e010b60527ec84aee3bc

SHA1
a3555fbc4f4d9fcae7f24529b965447fff48e2eb

SHA256
89bd22bf86ee5668435e4de7383647eb48885e8982eee2d0bc1e100dd68d6420

SHA512
9c86f5c3b968552ddc88213c41f28f500615b0d374e711213995d2fd8b1f2d54c82472c510688418371300e4dd251d75b5deddfa5ad2d806c158b8947c6f7f83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e62de312731f622eb7c78a8ee22c59e7

SHA1
1976813ae8e5449c250573ae5c83c95c09e9cd9b

SHA256
0938a23e6b94112b879539e2c28109183cf55f3bc00d0e2098129348b132e820

SHA512
8690b7bf7e0c38260f641a7fc760bc0c1793c6c2a59810c7c0e3328552d0f4ea751616b4b35dedb16487bec2f108dfd8a427799aa107cacb5b1a5923ce1f0771

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc55fc0b3001c5fda913dc838549fa60

SHA1
a00be62dfbd668262bff0189f77b14085b83244d

SHA256
0fc85d33730d11286e1fc900566cd1e2de877f9a319ba1fcf763e4e1628c3d25

SHA512
c8236930d67c171c38861eb37f017073664b5773c898e4a689e9d34e7098888f84509615af030af3e007a8c938edef5d28647a198b3e8f6d8aa61293059129dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed13950f406a5e25e097f49bb204f311

SHA1
56f22f2f458838de4bc7f31d496b2d4d1ed2a735

SHA256
04076505fc7bdb9413214f5b50a7c0e23caa92a276dacd31b158031e2478ff58

SHA512
fa84a6bb18be4cbc1b742721780a83cabb2503872088ff2fa56984c9dcc3af68c172673d611cc05c499fa0e35ab2080172eec7c840c55e2d0a66ac35ef170a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3ba0262b13e3fc8a5e6dfbb3781bb9e

SHA1
475de174cbb9800e37d853f92f0a3ca5e1b2f96f

SHA256
cc32d73c0dd3ff8ad84472ce1f9315e9fe057a8ab94d164ba06614bb4c6f559f

SHA512
a8dc15fb28d8fad394d36929555ac4841769698cff5875d35699074c2a063aae7fb122f9f0756fd4870d39691f6e9a05e9b6cb7677afb2fd101748dc6c703a79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1aeb8d9a888bee928fda6a21fa08a51

SHA1
89b64cb2c8d29e4dab48fe2df0020c1985620c79

SHA256
eb3e6dd5e0fdb1a72da064d953d7948fe0ac1adde6911f776858aa67d50ffd26

SHA512
763ebe42c8f45d84bf6dd9c4b03a3c260fcb52f95bf28df3f1e631483055dfa5794fefa8abef5fdeff8391f0842871456ee1deaae3fa15a58977a9b7ac944344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
431a66bbf7f906cf6b372c5441183816

SHA1
afd570c47013053bee8b2ca1a14bff48d5bb0f42

SHA256
1496a13fcb9a7ebee22bfc137c8c03bb19eb20df3ce8649dc564ec06c98eab24

SHA512
9319e541db9f3ebe15d1ecdf97583c9c3ba889b83dbd96bef1c951faad0968a4ff48f48c601b59ff5e5c52229f7731dfbdf12832a5e059e950d6a6106d63479e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8f45944f4a367e4552bdcbb36ffc512

SHA1
1d499c4c4ae71eeae2b6972ce83fb044330214a3

SHA256
b17da44a03f0e7dd9d6cff368b7ecf83e23e3e7842bade4c768de96e8190ddc4

SHA512
99ff3d9d9107e6a59d152c6c236bb918106e501447d580bb1f7683de2e58c42421daf68af08f17996dcd0bad764a1cf49a9ba613b7d5d6e633eafe3fdd0cf682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6A74CCE1-2CAB-11EF-87C3-6E6327E9C5D7}.dat

Filesize
5KB

MD5
893aefbab57c346a4e7ca8595e607aa4

SHA1
beb07843aa6a4c5342d6ed3bc8d505fefa28a2fc

SHA256
dbeb27e8395552cacbaa340dbd84fce6672391a57221d79404634376c4b6825f

SHA512
4ba0273e6522636db4d36aed74841ddf6e5fc357f828b45307352dc2bd79584a13a018b6f91f9a493af480919ddc3a05d0e690fba25ccfc51ef5ee4158500793

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4424.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4506.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\159 dk orange bl 1.ADO

Filesize
524B

MD5
c1499bab3b267f3cae9da5c2bb1d0852

SHA1
b3d22f0f91ab2f48797fa87729b1ea62739251c8

SHA256
5b0f22c90efa9627d7e16179e0ca713cf596aac5850d776a9c619ae6cc6baaa2

SHA512
10bef0c4bdfafc2bf98c6cacea3a3bdc652e028df268111caf42961ac1f89b78c958b6f781d8cd8063e4bf90a231d0efacb2f5ffc2859e71101991d1c23211d9

Download Submit
C:\Users\Admin\AppData\Roaming\404-5.htm

Filesize
1KB

MD5
b32ee0da29e26569bd038838f1928528

SHA1
8d50ef0a8ed90ea61ff3393009e795b3cea4b590

SHA256
b560e11a6bb6d7585b216bf2139ab01f36636f9054d26a4179a5b6ca8080ccfc

SHA512
f1ef5377936a193465117ccce25e6c4b90628a32eeca1f2a40ae5ebe170389bd41462bca9684916d8809e74da3c208a5a5902e2908982fc52bdbca6618ac6679

Download Submit
C:\Users\Admin\AppData\Roaming\BCY green 1.ADO

Filesize
524B

MD5
0e8a98e6bb6fb3ad5448e3d38bafdca1

SHA1
b7ceec34c6f19f4496cd8e3377466803f4e137ac

SHA256
dde41f23d522f9a24e972c51c91903649199885a196ea90080ffe7811fdb8708

SHA512
ef94207b068b891e17b18226a5e7250275fa8376d30b7f4d7dfa0f66e1698a0ff97b268562754b84a8f0bf3ef01aef7501bdc915f5fd3be20dbb42a027af0868

Download Submit
C:\Users\Admin\AppData\Roaming\Bamako

Filesize
85B

MD5
313a92eb9dc6f52cf9368d7bdb49f636

SHA1
119974836f996a58a14584497d853e3f24b68057

SHA256
cde9b6a758da6349dc02027cc178ff4dd2b51676844935d134456bc814b74bdc

SHA512
15a851200cea62c693f3ceb03d56e77147aaea7d1019da66ea8cafca627a1316115a523c8f4f2aba9f4869d7e2cceb1e72bd328b7cdb7a11aa3f3f9a7b336d21

Download Submit
C:\Users\Admin\AppData\Roaming\CMYK very cool.ADO

Filesize
524B

MD5
f4c42aaf38232ca3e7047113845d54e7

SHA1
2ba20b769905bae855a109949ef926945c95aa7d

SHA256
55dce613e49d0b7b29883109c38ef4f5db7f1b0a4473b9d5326f73b5e5a18160

SHA512
54165d17ebfa2224e7faabcd02c83d6c5ed6c0aee687f4ec6e8c87a4877e3eec50f57ccfb0812c31f17ddda176b592ac0409bacb5c6b8873247c2489d50c2c20

Download Submit
C:\Users\Admin\AppData\Roaming\Ceramics - Eggshell Blue.3PP

Filesize
1KB

MD5
e83ab70fbbe4313da354090b019c93d5

SHA1
a3706e0604ba7d341646a383017c6dc259c4e29c

SHA256
15565a7fb183a4d86ad3d32e01544d01b99cf9feeea31476620317dfd993b01c

SHA512
f95b4302c06491b56077d77566752f6a700d95752118c2cb9ae6b50b48a95f6ef8abb2c0b96dbb3ff9bf1ec2a830db66b2c26d9b6124224b6bc93a21d38344fb

Download Submit
C:\Users\Admin\AppData\Roaming\Dublin

Filesize
1KB

MD5
d712a8597afa11cf28d0388c48970397

SHA1
0f8460d523dc7efa13c25d2f0d4bd72dd7dbdc6a

SHA256
0e588c35ad9344cd2bed21c95732cb94fd252ba77b36fb5ff49eaab3fec2762d

SHA512
051642d3cfa09d8b8af5b10bc22837ad98826452fc97fbb8da64efe784746603588df3431c3a905d3bd30daa86258879a4ab54f51b620b97be4d0ce629d9a074

Download Submit
C:\Users\Admin\AppData\Roaming\Efate

Filesize
233B

MD5
a1e91923c47567f6a6e8b4759efbdce8

SHA1
96472c46cc0d85901b0612b27e6ed1b927310534

SHA256
3947884f27876aba39f268da374a8aadffe79eb7068e85c1d244487294e132ec

SHA512
26cf0f0e925b4da8f49fea549c95d171e2c771057c52948679efd17ec821bc1e7774cf78ca08dcc60adf2cb449da67526f6077f0b0f582ab5126f5a743729e13

Download Submit
C:\Users\Admin\AppData\Roaming\Escudo.U

Filesize
127KB

MD5
30815aa3f29a08a5789be3d1ed5c7075

SHA1
4537969a7de49d0eeefd538d82a4328891911966

SHA256
884bc6651ff7ad799a12fd2c94d2761b20c5a4bc92ed3f159274c123db4abe54

SHA512
cc5292b15b6d078ab7cf4d2acf8b02b8f7890d485fdfb9036b714aaf2ef10da55e219d98cab5eb1489cd72f869a70fa0b68e6d5c5b11b301a1ca4924d9374bf3

Download Submit
C:\Users\Admin\AppData\Roaming\Graph2.mpl

Filesize
2KB

MD5
f9ae5583a287146f0d87eeb7c35af94c

SHA1
88ce5650c88cfd3143757448a33ab480001c831a

SHA256
da8d05e61efa2f72434ce673c8e80778a7dc0f5f8edaa66d0d4df45392e6b4df

SHA512
2166532e0b911aa9d662356859cff6ab3e427901230b4650d1373d9a85edeaa16bce86cd44e310ba205838060bc6f66698734c310b51a3d6ae7f6796e508967a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MRINFO.lnk

Filesize
1KB

MD5
e1c31b05c013384503d81ea2ad64a0ff

SHA1
e419b033f6ae8b3034f8e80ed026963b6b6631c3

SHA256
f0f1d0f23f9cbcddece90d313c4aef00fae6b0abc73986caf40b3f591cc19d0b

SHA512
a60f2c8ec1df872a7bd543267879bc6d3d3d242fce0f56dd4a67d3a40fb2be1cc3ce9ca7a92c057f29d817c3c8b4a0cc59b3b25d4c4aabe5cb4f1505d6da8f24

Download Submit
C:\Users\Admin\AppData\Roaming\SildCrosswort.d8u

Filesize
5KB

MD5
cf5b996326404d95e56e56c6095fbf8f

SHA1
c3a1cad85e50dd01ad358e5233cc656fd7781395

SHA256
feda19c2b46dcd7cb8d33bd10e6aba57085cd679c1eb22081a2d03a141925840

SHA512
cba18ee5588a007272673099faf9f7b515ef4b962994823ea986df341af8559ea4868981ff4469c008a6407e5197584449d619dc2d017d8aaf149df59ae06621

Download Submit
C:\Users\Admin\AppData\Roaming\administration.config

Filesize
4KB

MD5
ea8786a9e8c53d4136b57da721d3a530

SHA1
ee83b68c4c9f40b3d3eb4a04f61d9952d7513a0e

SHA256
85835a7c2f33dd24fd15d48f288ef0a8e07745611a08bfe6dcb9b8f547321f2c

SHA512
b7e4095ed87a7dd922a6a5afbb02acd7e4761c03645819a6c8690b56296f8839db2e355a1bb83d243a42fad4e5400a6f873f8d6caf9a1eee9c6fd86951511016

Download Submit
C:\Users\Admin\AppData\Roaming\backgroundmon.xml

Filesize
2KB

MD5
395c2be15da5e47505ce16f2b3dfeae3

SHA1
f26d6f1b523c6f58bcdae82c99abd83ebdb6dd7c

SHA256
97ffd445a849672e57a3a674af7e86472698f07a319e9354617081eed8ae1e40

SHA512
749ca3415332f623c59a21a29342aa6d93e2c1e6979d22e7ebf3ba88e51180e2f3d09edb6270c23a2cc251c76abbfe6b4676f10617e887914b2361251751d12f

Download Submit
C:\Users\Admin\AppData\Roaming\benchmark.png

Filesize
4KB

MD5
66774a13c8f3917bd188d164749e9637

SHA1
505452afdc8c064bd36d520e38f98a6c2b854348

SHA256
27fd5c0dff36fdceb96f8dceab5230010c86e94e295625e46f6ab12ba4b7e69f

SHA512
fc43cd5f3aaacdf5ee9749f467b9a86fb661340d3e4a47b8b5096b3dd0a69a4f43a7ccd751f451491b66b29bdf787578f6d29bc5a06aaaeff5a4cf862feede9b

Download Submit
C:\Users\Admin\AppData\Roaming\defaults.ini

Filesize
232B

MD5
0a8dc502c9c3ed9ad092da7363e7bbb5

SHA1
36150206df0c1054a7cfe034d4bb1d9a7aeeae68

SHA256
df768994da3713682658fc9c5f635a981f1566adfa4554f06555cf658b490dc4

SHA512
6d2c333748130ffcbdc3e9895c057885ba833d31dc5e43752dd3efa84cd0c2640bcab290252059bb9f63ee75822479b7179c2c6e0bff5179109ff0f8e41d9a80

Download Submit
C:\Users\Admin\AppData\Roaming\dsc_health_alert_tile.png

Filesize
3KB

MD5
715352b867b82894ee1e3dcb857b8d9e

SHA1
e1e14f1298f5c0817b6bcfd12a2495e9595b5f10

SHA256
c88fc5d7260ddc763e0146ab6ae64ca31a92edc9efff181ffe84b9305e2e8fe7

SHA512
284e47d2c7f7031cd2b1e3a13b231968236777b3fe97f052cb9cf4bbfb69676f2f1f17ae269bf274b71d27e2dfb89d9642f4d815f96eba9d9450ff3f9706727f

Download Submit
C:\Users\Admin\AppData\Roaming\externalcall.jar

Filesize
4KB

MD5
b730ea0c54af71df0fe2367b746b378f

SHA1
d37fa9b16c8d43360807129a48fdd67537f4d323

SHA256
0a4a717dcd9cc0d3f7259c237210ee8cae8e3a2368d09f4d4f2d3fb42cca43a8

SHA512
437ede4346b3d7f36e0eeca265aead1c8bbf7d92bc65aed05311e0545009073f9ca42f47d3b8426b3305402e0ed8a028494ed02f251bc105bb6642cbd2f8c128

Download Submit
C:\Users\Admin\AppData\Roaming\fnp_registrations.xml

Filesize
244B

MD5
cca42bd5b580bbc9a4a9dd1528b3cb40

SHA1
990b6bfee988f5a48fbdde374a24c8e9879c45ab

SHA256
e4808967f2b21eb05a3454b4cd13d8387da753e367177241eb4639614d83b64b

SHA512
c14c3afcc9334f8c521142f8414ae26c8572b1b402922d7ae61f07f1505711c95c14e7b4df4770df4fde9d06083b3531d3460f70f3cb5f48b099b55737cd811c

Download Submit
C:\Users\Admin\AppData\Roaming\poofs.nex

Filesize
63KB

MD5
0385931abab9197608516aae98f1981f

SHA1
ede99d3521c822ace97a6ed01f29d20fe094dd9b

SHA256
8a22796214b9f883c55e0cce3b4af2c7008761289d9a1bb132161863d8b2654b

SHA512
01f41a224832d2455ec81bd3c141eb152d07c7835d13d660ab7a2650d7ff32afcf62fcf2fcf1d266fcc6a2b5cbec1c98ada3b4959efbbe91ca6a10a4db76344b

Download Submit
C:\Users\Admin\AppData\Roaming\poofs.taf

Filesize
15KB

MD5
f09d52bb228b40fc77eb02ed341152e2

SHA1
d27b4b33090f0adce6eccc20a2c246e05949d61e

SHA256
1b405cba59d89a25f111b5251ad4c5953c5fcef92c13f5c212df0f81a3d019ad

SHA512
4ad95d4e4d0afa39a798bddf5ad98eae594c0b155ba60a324073df808f3bf5f01e7469770641c9cb84d8572e06031f6ef221850469b2292d0922af495bc5ac8d

Download Submit
C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\MRINFO.EXE

Filesize
216KB

MD5
b8ca0108f4ae400ebb7169e7cee05f4c

SHA1
710b305e72129ad1ff69f9434f27f64298060292

SHA256
7a6dea9a1f132fb60fda6b9ab1c821189881d093a64dc62f7903c2a819cb7adb

SHA512
e1836c66940f82c95b5f9d97a511b0b3910b89416bd59523ad4bc442c016cfad00e58789d2a0cb52ccaf127d46073574c9e68f2790880832b541969f57cbf7af

Download Submit
\Users\Admin\AppData\Local\Temp\nsi2897.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Roaming\Pwgen.dll

Filesize
25KB

MD5
623fe81e0b18bd06f69e1cf75feaf479

SHA1
80227605564679e2e4ccc6d751d1a963c456b8b8

SHA256
8a13c3648c759b83870969e25bee41af6c2253c6b48514b97b37e621fdad1d61

SHA512
4f7b9a3924f75091414463e5b138a38b667aea036ab9792e1b9509dec91033a820727a263e59b029a7b8fafbff86aa551d97000b2ce619f4e1f977930bee859b

Download Submit
memory/1044-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1044-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-34-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-143-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-565-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-561-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-563-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-557-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-559-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-568-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-136-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1780-134-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1780-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-117-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2512-31-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download