cerber | 4cfbf1fbc5335ad8ddcccc3f3deb1066872e30f0c0f01f9f3d633af15fab8c67

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Size

225KB
MD5

c98816fc2c87a9999388c5ec2d3be78c
SHA1

a7e21c65435b3be3f0226c72cd076c7d83e18f63
SHA256

4cfbf1fbc5335ad8ddcccc3f3deb1066872e30f0c0f01f9f3d633af15fab8c67
SHA512

ee6ce5e35ca3e1fdc0dea35d38e112c47edd281607bf8db459af52415cde9b310725d8e5cffe5d3ef27324c0096a929156f7d60163abcfbc233d0d7038cbb918
SSDEEP

3072:kgxI+xKQaIWoXJ+G45vrva2iqcPLicO4v+JAbpe6+vA8iOLNOnFddnbyyTnDmsYd:kg1KQjoGw2DPx5bSiOJOnFf3TnDm1qk3

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29 | | 2. http://cerberhhyed5frqa.gkfit9.win/4429-9121-CAF7-0063-7D29 | | 3. http://cerberhhyed5frqa.305iot.win/4429-9121-CAF7-0063-7D29 | | 4. http://cerberhhyed5frqa.dkrti5.win/4429-9121-CAF7-0063-7D29 | | 5. http://cerberhhyed5frqa.cneo59.win/4429-9121-CAF7-0063-7D29 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/4429-9121-CAF7-0063-7D29 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29

http://cerberhhyed5frqa.gkfit9.win/4429-9121-CAF7-0063-7D29

http://cerberhhyed5frqa.305iot.win/4429-9121-CAF7-0063-7D29

http://cerberhhyed5frqa.dkrti5.win/4429-9121-CAF7-0063-7D29

http://cerberhhyed5frqa.cneo59.win/4429-9121-CAF7-0063-7D29

http://cerberhhyed5frqa.onion/4429-9121-CAF7-0063-7D29

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29" target="_blank">http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/4429-9121-CAF7-0063-7D29" target="_blank">http://cerberhhyed5frqa.gkfit9.win/4429-9121-CAF7-0063-7D29</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/4429-9121-CAF7-0063-7D29" target="_blank">http://cerberhhyed5frqa.305iot.win/4429-9121-CAF7-0063-7D29</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/4429-9121-CAF7-0063-7D29" target="_blank">http://cerberhhyed5frqa.dkrti5.win/4429-9121-CAF7-0063-7D29</a></li> <li><a href="http://cerberhhyed5frqa.cneo59.win/4429-9121-CAF7-0063-7D29" target="_blank">http://cerberhhyed5frqa.cneo59.win/4429-9121-CAF7-0063-7D29</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29" target="_blank">http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29" target="_blank">http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29" target="_blank">http://cerberhhyed5frqa.xmfir0.win/4429-9121-CAF7-0063-7D29</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/4429-9121-CAF7-0063-7D29 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2156	bcdedit.exe
1600	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\forfiles.exe\""	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\forfiles.exe\""	forfiles.exe

Deletes itself 1 IoCs

pid	Process
264	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\forfiles.lnk	forfiles.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\forfiles.lnk	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2072	forfiles.exe
2272	forfiles.exe

Loads dropped DLL 5 IoCs

pid	Process
2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
2072	forfiles.exe
2072	forfiles.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\forfiles = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\forfiles.exe\""	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\forfiles = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\forfiles.exe\""	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\forfiles = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\forfiles.exe\""	forfiles.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\forfiles = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\forfiles.exe\""	forfiles.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	forfiles.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCB3B.bmp"	forfiles.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2072 set thread context of 2272	2072	forfiles.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2600	PING.EXE
264	cmd.exe
1968	PING.EXE
2152	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a4ac-79.dat	nsis_installer_1
behavioral1/files/0x000500000001a4ac-79.dat	nsis_installer_2

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2448	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1732	taskkill.exe
1164	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\forfiles.exe\""	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop	forfiles.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\\forfiles.exe\""	forfiles.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 900efc624efada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A0555121-6641-11EF-B161-F296DB73ED53} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c000000000200000000001066000000010000200000001af7603f07515a93fba61f398ecab3e573a0bcf686784fdde251a3a220758990000000000e8000000002000020000000de577c87cae6c431531bdbbd3caf5f656f71261ed5545725d6f2dff897c324cb200000009ec593d8183531439c19e6ea4fb1bc714edf1aeda450f2caab706f8be41618ed400000000079bb2c711e15eac57473226d60ab48fae24fc02667e8e6bc4ad73bd2758d417940a35a9fe515edf4b63ca53f3b19c53c212276601454b5d5b3915544b11e56	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A0496A41-6641-11EF-B161-F296DB73ED53} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c000000000200000000001066000000010000200000005ee00098b19d3ac702596ada1b23fb513e20ad2841a255d0dee23f937e4e0aa6000000000e80000000020000200000005d1ff598cac32824bd3bb3e7738d91441a4345acf517aed24d4e0d911aac7584900000007c3f80403a0e7aee57dba104fefb6982a0ab2ab0cfbafc1dfdd6d12a331b54b2cc3c1f889a0528c281aa071cd06950b0abf6406aeae10e30ecdcdecea039c4096b38b835100ae57298c244dff997314855e20c92c7437cc8407c5e86e741f81991da802bcb1e94c63e70d3daa9615428f8a7496dceae0f1b835a83fd3e8fd50d220f093dd7732d61d3547e5d792072f340000000b9997f896d42718ae79e923f9a6e8a7b69a8998e9357996126098ed4013d4a7b46ad9596d6c8b9e58d926363678553c8c3978954649a0230faff9bb4211f4b63	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1968	PING.EXE
2600	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe
2272	forfiles.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	2272	forfiles.exe
Token: SeBackupPrivilege	952	vssvc.exe
Token: SeRestorePrivilege	952	vssvc.exe
Token: SeAuditPrivilege	952	vssvc.exe
Token: SeIncreaseQuotaPrivilege	812	wmic.exe
Token: SeSecurityPrivilege	812	wmic.exe
Token: SeTakeOwnershipPrivilege	812	wmic.exe
Token: SeLoadDriverPrivilege	812	wmic.exe
Token: SeSystemProfilePrivilege	812	wmic.exe
Token: SeSystemtimePrivilege	812	wmic.exe
Token: SeProfSingleProcessPrivilege	812	wmic.exe
Token: SeIncBasePriorityPrivilege	812	wmic.exe
Token: SeCreatePagefilePrivilege	812	wmic.exe
Token: SeBackupPrivilege	812	wmic.exe
Token: SeRestorePrivilege	812	wmic.exe
Token: SeShutdownPrivilege	812	wmic.exe
Token: SeDebugPrivilege	812	wmic.exe
Token: SeSystemEnvironmentPrivilege	812	wmic.exe
Token: SeRemoteShutdownPrivilege	812	wmic.exe
Token: SeUndockPrivilege	812	wmic.exe
Token: SeManageVolumePrivilege	812	wmic.exe
Token: 33	812	wmic.exe
Token: 34	812	wmic.exe
Token: 35	812	wmic.exe
Token: SeIncreaseQuotaPrivilege	812	wmic.exe
Token: SeSecurityPrivilege	812	wmic.exe
Token: SeTakeOwnershipPrivilege	812	wmic.exe
Token: SeLoadDriverPrivilege	812	wmic.exe
Token: SeSystemProfilePrivilege	812	wmic.exe
Token: SeSystemtimePrivilege	812	wmic.exe
Token: SeProfSingleProcessPrivilege	812	wmic.exe
Token: SeIncBasePriorityPrivilege	812	wmic.exe
Token: SeCreatePagefilePrivilege	812	wmic.exe
Token: SeBackupPrivilege	812	wmic.exe
Token: SeRestorePrivilege	812	wmic.exe
Token: SeShutdownPrivilege	812	wmic.exe
Token: SeDebugPrivilege	812	wmic.exe
Token: SeSystemEnvironmentPrivilege	812	wmic.exe
Token: SeRemoteShutdownPrivilege	812	wmic.exe
Token: SeUndockPrivilege	812	wmic.exe
Token: SeManageVolumePrivilege	812	wmic.exe
Token: 33	812	wmic.exe
Token: 34	812	wmic.exe
Token: 35	812	wmic.exe
Token: 33	2856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2856	AUDIODG.EXE
Token: 33	2856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2856	AUDIODG.EXE
Token: SeDebugPrivilege	1732	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
600	iexplore.exe
600	iexplore.exe
1584	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
600	iexplore.exe
600	iexplore.exe
600	iexplore.exe
600	iexplore.exe
2064	IEXPLORE.EXE
2064	IEXPLORE.EXE
2064	IEXPLORE.EXE
2064	IEXPLORE.EXE
1584	iexplore.exe
1584	iexplore.exe
316	IEXPLORE.EXE
316	IEXPLORE.EXE
2064	IEXPLORE.EXE
2064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2652	2092	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2072	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2072	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2072	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2072	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	31
PID 2652 wrote to memory of 264	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	32
PID 2652 wrote to memory of 264	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	32
PID 2652 wrote to memory of 264	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	32
PID 2652 wrote to memory of 264	2652	c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe	32
PID 264 wrote to memory of 1164	264	cmd.exe	34
PID 264 wrote to memory of 1164	264	cmd.exe	34
PID 264 wrote to memory of 1164	264	cmd.exe	34
PID 264 wrote to memory of 1164	264	cmd.exe	34
PID 264 wrote to memory of 1968	264	cmd.exe	36
PID 264 wrote to memory of 1968	264	cmd.exe	36
PID 264 wrote to memory of 1968	264	cmd.exe	36
PID 264 wrote to memory of 1968	264	cmd.exe	36
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2072 wrote to memory of 2272	2072	forfiles.exe	37
PID 2272 wrote to memory of 2448	2272	forfiles.exe	39
PID 2272 wrote to memory of 2448	2272	forfiles.exe	39
PID 2272 wrote to memory of 2448	2272	forfiles.exe	39
PID 2272 wrote to memory of 2448	2272	forfiles.exe	39
PID 2272 wrote to memory of 812	2272	forfiles.exe	43
PID 2272 wrote to memory of 812	2272	forfiles.exe	43
PID 2272 wrote to memory of 812	2272	forfiles.exe	43
PID 2272 wrote to memory of 812	2272	forfiles.exe	43
PID 2272 wrote to memory of 2156	2272	forfiles.exe	45
PID 2272 wrote to memory of 2156	2272	forfiles.exe	45
PID 2272 wrote to memory of 2156	2272	forfiles.exe	45
PID 2272 wrote to memory of 2156	2272	forfiles.exe	45
PID 2272 wrote to memory of 1600	2272	forfiles.exe	47
PID 2272 wrote to memory of 1600	2272	forfiles.exe	47
PID 2272 wrote to memory of 1600	2272	forfiles.exe	47
PID 2272 wrote to memory of 1600	2272	forfiles.exe	47
PID 2272 wrote to memory of 600	2272	forfiles.exe	50
PID 2272 wrote to memory of 600	2272	forfiles.exe	50
PID 2272 wrote to memory of 600	2272	forfiles.exe	50
PID 2272 wrote to memory of 600	2272	forfiles.exe	50
PID 2272 wrote to memory of 1352	2272	forfiles.exe	51
PID 2272 wrote to memory of 1352	2272	forfiles.exe	51
PID 2272 wrote to memory of 1352	2272	forfiles.exe	51
PID 2272 wrote to memory of 1352	2272	forfiles.exe	51
PID 600 wrote to memory of 2064	600	iexplore.exe	52
PID 600 wrote to memory of 2064	600	iexplore.exe	52
PID 600 wrote to memory of 2064	600	iexplore.exe	52
PID 600 wrote to memory of 2064	600	iexplore.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\forfiles.exe
    "C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\forfiles.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\forfiles.exe
      "C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\forfiles.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\system32\vssadmin.exe
        
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2448
    - - C:\Windows\system32\wbem\wmic.exe
        
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2156
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1600
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:600
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:600 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2064
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:1352
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:2708
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "forfiles.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\forfiles.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2152
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "forfiles.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "c98816fc2c87a9999388c5ec2d3be78c_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1164
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1584
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:316

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
3c1c448dae1047b6bbff9e7fd21a9d7b

SHA1
7c487c34ad2f9cac28a475c28334c99672195d48

SHA256
b0357b6819882cbcd3f4ae350c486792bf25c46b8756bbf96d27c2b689346623

SHA512
02147e3df30896d3cd12cfa065bd3ef79d4843902119cc34ecd2153816838a0b96de0dc8dc250ef6c58be73bcdc8e70cb41318e5e8dada9cb81e3657c9094f64

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
85B

MD5
4229ac4f03fcaecfe94b02f556f04fab

SHA1
7360b31217dcc5d13d49b56c2091278352927baa

SHA256
e78584066e1c67fed30e4455c0ada2d77884c8856334c885eadd0e966b4bda14

SHA512
cab5402e1c74b86ecd3afdf35c8c9e6dc2d6c0da48e69c6c58d7ee9f88ed19a4500aabdc1081f373999006b41790fb0f66d05a7f1732a7c37ffcf6e5e0950de6

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
219B

MD5
35a3e3b45dcfc1e6c4fd4a160873a0d1

SHA1
a0bcc855f2b75d82cbaae3a8710f816956e94b37

SHA256
8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

SHA512
6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
c424dce7927b0d62a9e3b9a042bac52d

SHA1
718c462718bbf634b9dcfa365b7698df5e5dcd6c

SHA256
de9172ea7ac6a145372f2afe0aab488a981a1eaf92148798f68a110634736bc6

SHA512
8b73ce37d3a06a1f3d59e39c0f0d0fbe30f0615c6e6a208e9fbef0a48b8ec020a3a9bbba579ab6823773139c13a15014b048a4bb4f238aad578c1f9d2612acf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
58a4b2362340eb62cc35062a5b87d465

SHA1
613e227d96224b02fa825c7add2f8aa6ae2c8c2c

SHA256
4825f62692bb0252b3c72b4a02693d4d42c0475b7a8012abd46b070e8b56dc92

SHA512
e248ca55f521fdc5002f6bf4c7d0431d14c1cb6f336c7a733849d3e625044198432014291441eca5bdce3d6df61e9f54dbbcd736af5298f20e2b1c213c0b3862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0d36a452bfc49890836650345cbdb593

SHA1
393726ff9392c085e849ef48e0a2403c144027a4

SHA256
21dff215864adf8f2e5f146d131acac647f94e1f0c213d18446806a108312037

SHA512
888d2132df02f9040a0d7c01c8dcd02fc8159907abd7b3f00fb12afbdefea7266ddbe3d608a9fa45cdffbaeba9af850aa88f3cf7adb94c5deece51f79e09dc6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a29ee9b2dacae13e9fa389e45fb580f8

SHA1
314ba6e30205debffc284b28693fe2a7330c1c95

SHA256
2272e447aff5af0ae9b1e99835d176681fe881483bc866b795bef550fbad36ee

SHA512
756353ed138409b1a7a8cdb40f4e604384e138236091d0fa1d980d03bb4445e0936454088958eaa5874d274e0f26b153dea8d1ecba3975f4eb8fff859a551310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c2d32302cc7ed06ba4282ad809f5488d

SHA1
38621e292b0d252aa6afb448db73ed02a288770f

SHA256
75e4dc03d3b9b1ca4ed18f5d9bac21a6efb6d5d2495957d1000ab75698c6243b

SHA512
1efe8f3b47f72c7da67fa16046bd6f6f29745c5568e302d8c9c56bbe6e862a235bebdbad51c374920edd87c20ac4ca7f57a8dadaef82c3b2a07249909268e470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e638917022af67b9f6ef102b2db986ac

SHA1
31f47a3f1c3552ce9d157345f0eff14718e3a642

SHA256
ca6c19881ae9052be23537f7d1bdbdcbb9825f4080ecb5edf2ac9b2802022d60

SHA512
b7683e3a36022a48ffcd7759e2ec891f4fe81a41f4b1b3b21fb458fc7e8055d64d3db408efa5334c8060924f3b1306e91a0965cfb1ea955938e3f20c5cba5b4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
582927b539069aee86531bd7bc5afb4f

SHA1
055583b2009ef535b2be83707147231aa17cd419

SHA256
11335577cc30030bbf9e77a8e40aa1c5236bb9df615f9375986c1f827a134eed

SHA512
a798805219116a95ef9945806e8e8d65a90f3b59402f0db6f5df59b2762779dca624a430f5e8bbbe838753016e25a8013f0edf829b36fe32e949cb8068ab2f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9fe275cc0b3971e9ea0bbb47d6f7bcc9

SHA1
02b604d22f52ffb852a93be673f9aa1e60325b63

SHA256
b21df0a9dbe9d757dcd1553c9d2da5dd3ab844b256459e557cf041c9327d888d

SHA512
8c950dc6b74bcf8cf2373a34f7dd39375fbf7eaf1bbb485d66fd9d6956001d153e11ee2cc840ac4e188468b3292d07f312c81bb0ca4072bee8197c93dad1b49f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ec363d1440f6cde31cd1fab70d71adb7

SHA1
6ad81fb2a4cc92968aefb33b763590b034ad96f0

SHA256
04992b11f4bd1671c53bf778a67c836562f53aff1ef1497413d6ce7244ccf023

SHA512
1a65f72dca44ae06cd64c674784ffa5e1e8f41b0db0fe872ace23a63bca18dcc77ccfc2984dbae18d8d48f740ccc64f0e41ae66154cce87a98fb9374b8b07094

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
012bbd1d8f76b748680a7831dc0cbd3f

SHA1
b41d4706e404e6ac9d4d282586dc45ceaf836781

SHA256
350be62339e933fa818cfa451fcb24293f63d8d21a7ef8d0ca7d0cac6bf567fa

SHA512
13ee1b69d9430c40e694a2b4490f8cbac6890b4c4bde347401c12e6f1d35fd4f7e9213867cc52437f50b800962613509022ecd93a577c3f63c0c86bfd09fc859

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE216.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE2C7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\15.svg

Filesize
1KB

MD5
0f17a4a7e0b94887ddc5ca15e577b009

SHA1
b7df762961ad982fb8c6f9c136e5db39e770d02b

SHA256
210f3ae380bf9369068716d12f52992aa5a48627b2851d97c05e7e8e68c16d68

SHA512
6be260fdd52faf89933d64f8bc35742105d033127a4846b18dc0d0760ffcca09e7314c566442c58f5eb3a3b6223404c9a706704067e959d373f57a3b2668825a

Download Submit
C:\Users\Admin\AppData\Roaming\16.svg

Filesize
1KB

MD5
670a196f9dde1a619cec121493f9932d

SHA1
39f7ce520b3caa5aac76c02d55027111fe0aff0c

SHA256
907275144601233158275428fc3f886d3c501f939d62b296e352dcae40bb53f9

SHA512
0a6161273580489972bab1db9edd6a1ec50fe4c7f5da8d25eb4aea3fe70aece59c9bafb69c8159e0fa1f8db66af7a72b4ae859f0d0a85187ad2d0f9d1def25c8

Download Submit
C:\Users\Admin\AppData\Roaming\16.svg

Filesize
1KB

MD5
d8c682c040480b4686c6aeb37c3cc4a3

SHA1
2955fe2bf895f27c9aef4ea99743f11eda89faee

SHA256
2568da29e3cc0bbdc6b724ee8d5aaefa7140253249ddff47489ed25b772bcd4d

SHA512
afdf82601184fd0946c81687d5a6484158cc80caf0f5dca8a4a7a24777325882c6a3e057c824eec24a703f0b2c751506d7b28c4523a65b89dd4a62a58560167d

Download Submit
C:\Users\Admin\AppData\Roaming\18.svg

Filesize
1KB

MD5
adc7f6317f2379c810438dd53b615e46

SHA1
d12a66f67d47482f67b468128556138712ae93f1

SHA256
66a1be2f2ea8233a06b3d7d7bcd3795d04948f361f510329553001331a1d1f65

SHA512
bf7f3cbb0b068b7ba1a68bf3b02110e7b097154961a9c94aac8b41572be293d0640e69d07c8598fc97ba2a467cb1604b628c2fb5ad7b7d0d3cf0800bb6c3d2fc

Download Submit
C:\Users\Admin\AppData\Roaming\26.svg

Filesize
1KB

MD5
897f8680fab96ea633aa6d392a8df65b

SHA1
54872ae7b4a1a7713bfbf9d2670fb1393bdd1865

SHA256
609a25df951b3808156ffa8bdbe60d152f44d92f30196c68f96f1ae794c0df7b

SHA512
a959ccfab610120796e149a18392465bc73ae3d28ae2b7fef9dd4ffefa0c291c9fd664b97cdec0f5dd81567f3167c82a6d89dfe34110deea00621d25caff33d1

Download Submit
C:\Users\Admin\AppData\Roaming\401-4.htm

Filesize
1KB

MD5
c9f1a1c859507bfe6c9011cd9829ad4a

SHA1
7c12f66365fce199914023885ffc869c643223a1

SHA256
2d71383fe5086e7e2d9589d131962381dfdadfcc564bfbd1f1c3d6e739ab47c7

SHA512
600342479c2de4aa875517a52bb42db859721abbee2f3c48c8824fe48c597458b71181c70e60c9465ad699f0a143e653db93655a48f75b4af4f7942bd0be1fbd

Download Submit
C:\Users\Admin\AppData\Roaming\5.svg

Filesize
1KB

MD5
808f650d45deb39aec6a3c65c39356f4

SHA1
5a625362d8556f9cb5ac84df5169f0f226ed387b

SHA256
b146ba884b66b56eea10b2092715e5e5deba84dd682b2f0b579e0371cb055bf2

SHA512
88362ec263747a646dd4fa34a11004f989b37847a656cc64e87e62a63cce49716a70087992e087fdcbbdb5bc3016e8b78d3458606dc9336054f64779d6ccc149

Download Submit
C:\Users\Admin\AppData\Roaming\90pv-RKSJ-V

Filesize
3KB

MD5
523676e02eeb6efa86ac4d5cffde5a65

SHA1
2507758e737be7a6ed429bda65f97087d309a92b

SHA256
83f1bb3a64a0ec92d90cf83e326fbb459f4f501f4f1334adbbbc659c2afda687

SHA512
666064d41eb08b7f8bce911c1728931b892ec6e3ca25e22ce17f7411039ac7a7c971de9a429f8a041e417c7e9a10f80896672349df81e02c09047a6f151746a8

Download Submit
C:\Users\Admin\AppData\Roaming\Bahrain

Filesize
77B

MD5
d7a8d88e7d5b134d92542787e019e123

SHA1
ad633d30aa9f0bf314bba5f004060fc90a14a16d

SHA256
859d70658cc7502f214d9abd669c4e730e798210c372fd7020ceae470ac7756c

SHA512
194e553ecc8ffd376c029670ced1f2480509b072d2adebd6af22fa69945f3fafb58a3385d5a09451c85f03d891049b8123c0cd3907bce944cb4784606679ffa2

Download Submit
C:\Users\Admin\AppData\Roaming\Bushbaby.A

Filesize
1KB

MD5
158a547eb81d452e11fcc2e2e1652905

SHA1
b820430cd25878f8279f3dfb274ab827b7c6d3cb

SHA256
17d47e1cf07b5d65c664a3cdbbba663623f487394bde29682d0bbaa33931a12a

SHA512
f26ec1826ee5ad0c785ea6b6ec963bc4a5794cf2de6f62b2f65d62a6e8df536fd5ccdeed86388ca211af0e36ef503cb42516320aec89c49d05b8d94d81b37830

Download Submit
C:\Users\Admin\AppData\Roaming\Chihuahua

Filesize
816B

MD5
92c4a315a4935330f79159c91933cddc

SHA1
099996c95e43fbe849eba8d8bbd461f9989dcee8

SHA256
106c8167a1df22b4908ccccd98f4afab763ebebe287e4be144af7061be66c899

SHA512
fa9cf4ebe3a8b032b2dcfe1ecf04a22a67b923545d926822dc145cf98bc1d4a5615722784d69112d9ee976daa064ac754a89dec028f192c41a71208e298d0907

Download Submit
C:\Users\Admin\AppData\Roaming\Cool Gray 7 bl 1.ADO

Filesize
524B

MD5
d29eb91cf4abb3c8cbc19e559eb993ad

SHA1
2fe46d50db022efad91ac5c9b98d8bca9fcd3626

SHA256
52566a6955776419971be3da95029cd3209a77533e459f3ba06ee3e0a7114dca

SHA512
8d756afc68bf2a0a03d5c99810aa90ee746b73b953e94c87b15e4262b36824d694cd8ecc787defbc5c233b8e442e010435c8f6e662f75b1a67597804f971e8db

Download Submit
C:\Users\Admin\AppData\Roaming\Cool Gray 7 bl 3.ADO

Filesize
524B

MD5
6c55602d113c4ae021a2f9d39e31b91c

SHA1
0ead8715297d1fa05cf511f41e284b4620fdb1e8

SHA256
82e20ebd46ee61262bb8b8053704ef164d53adcf325bdef1cbd285de7f5df470

SHA512
8cc1a4f4ebee4c5bfb7059d7f10470343ff16269b41f8c7fb2a6ebb75ce55ca8faaeb4c465365deac9af6c5cfc84055114fad5b8a0ca9bca8ce4f0507263e4fc

Download Submit
C:\Users\Admin\AppData\Roaming\Dili

Filesize
93B

MD5
1d53889d180f80681c4fb6cb9efbb553

SHA1
af1803c04a3c84b7392de65905bd5055d7eb1337

SHA256
a0d20babce8ff6af57e38323e9a0ea1768b5b9bdf9fe59086c3337e771e29066

SHA512
28c5e50cc70caf29d5a8fe723d9a6c49bb8c83b81f2ae13959f801dc262c06a3c0ee8e57c0f21420740a9d73e9dbccd12a86071fe3f9d75c4c5618b343e222a4

Download Submit
C:\Users\Admin\AppData\Roaming\Flat.hdt

Filesize
112B

MD5
279a2aea35c02e3bfa03458920b09185

SHA1
c99130fd7897b8555a7172fa4933977c35818f9d

SHA256
0f5bf6d6da96e5ef6a580a4b578b488fca84e62f004874fadef444d4c351723d

SHA512
3f2a8e0e969c5fb913fe88134ef4a0b64feae82f82d015ab70191822dcc5de57116260f3f643f45ec0357c6a76fb188d89ceaed9147ac2433190cef467d67c06

Download Submit
C:\Users\Admin\AppData\Roaming\GMT-12

Filesize
27B

MD5
aea56e4cc048a9d3ff31445372d346a1

SHA1
29ac5ffe91a926df97e1a3e04a0c76a22a6f5c8b

SHA256
500ebdba5c37298efc86410f21dda65d2c0e59771605cd647694879de03533fa

SHA512
15d93c0e845eeaa4d010077a0032c4dc765f71895089b3c04a2bd6315373e43ca473e65caefa8927a973a664093d585c58295ed7ad708cb20f9b8452de317920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\forfiles.lnk

Filesize
1KB

MD5
322af158f3fa4faf052e1154f3ccc059

SHA1
d3eb0cc79074a873115328175ec994539336f14d

SHA256
aba242239d56b8401efe911cc34a1d78130c46c90658655c45f9e390f576c667

SHA512
31f3f8d7aea9aea5e3deae4b508ac3feff0a48bca32925fc9ccccf39a6786e4d6822fba0903306ff9349f0df20925d7dd5a59031ccfdff528270a266d97de82d

Download Submit
C:\Users\Admin\AppData\Roaming\additional_tools_backup_recovery_icon.png

Filesize
3KB

MD5
e60b8b9dc8e97d97862cc4bace00e705

SHA1
cf147d9776bdb2cbd743bca965d9d7f2ea4a3e6b

SHA256
a6fb8e79295f57f0c12230a5a23976f28d838a22428d9a2e0163e6400e0e7cd2

SHA512
d08623d7f6c791738285aeb9e61b3271a11c4830589e5725fbff79a52f24e4ba812066d415a9933f427bd586445f59c8a13b58009298de7835f79393a0215214

Download Submit
C:\Users\Admin\AppData\Roaming\alignment.xml

Filesize
1KB

MD5
370c70320cdcba10bcfb8afd5267888c

SHA1
fe7d143794554dad4776c43066581d4fe094e6c8

SHA256
b0ec9d1769d4dd4aba3ab79593972e1326e8008798d39fcff8857283efca836d

SHA512
f5e44b869969619f0aac46054d10d1b75c915b4363cdb74ce3616867f48644e3f5508520b412b43e31a82767dcb925598a4653f7cfb3cf0e11f18ec6ed9ce39a

Download Submit
C:\Users\Admin\AppData\Roaming\callout.unicode.start.character.xml

Filesize
1KB

MD5
4ab850cbbc8203dd0272494ccc005144

SHA1
3713848ecbb70b421956290a24cf5b966d9d6dec

SHA256
61b9afd95c0598c0cd16099a19d5d2b3dd1b3ce3441ad00f55be5dc40441e910

SHA512
89aa963cc1a79d48b48088c9d6963e0b19a2d8f528ade67e5bb69fd9c084147f46ed220cb6573da1b10416951ba22f8cafa7fe0b181b09644dee03c67274f67a

Download Submit
C:\Users\Admin\AppData\Roaming\changes.png

Filesize
1KB

MD5
2fc983127c4e54d2a2f004b3fcd4aeb7

SHA1
d32a9b0592ce32b65c12284a2900b6c9f65b4755

SHA256
9502cd0cf4bcf5427242c3d38d24585749cdd5f6b931d03d3897e4a59e855fca

SHA512
fbada65474fc42cbb93e88856f2f752eded10ede2b769099e044e742e0ad829c8c5e0420ce67cd08a3013cc08119539401e69f7e3eeb87e6395c1d84fb46c965

Download Submit
C:\Users\Admin\AppData\Roaming\cleanmgr.png

Filesize
1KB

MD5
f341233b35df61978a142487b89c6f4b

SHA1
5bb6c709ead39c4642dd9d5666a4cab1cabd25df

SHA256
6e70478b7b9618d1615e1bf96667dba878142ce57749c30f467c18dd5f9688c7

SHA512
2a608c9b31d603686fd109b4bb75d8fe6d3d212fdcc8d02349fd2b83278db0836a7e45d886727d7df20c3eda1b8f2265809c214efd5970082b680ac95dd862ef

Download Submit
C:\Users\Admin\AppData\Roaming\compass_marker.png

Filesize
3KB

MD5
227fb8e068d500dc6ccbd62cc1682bc1

SHA1
16f3901b9b4c74fbb6f8f9cc71748196eae09f51

SHA256
1b0b09e8f1108de72f11263b1b7f3932ccf9b38d7c3bfb47a1e697ef58ea93e5

SHA512
b17dbef4878998037ed65f75bccaaeea63ed7cff13c7c088c78c8248317e5b05a641cadd2148a634fe8e2a04951a6d54970ea1d234c7a0dd97ae57ba5b2cb905

Download Submit
C:\Users\Admin\AppData\Roaming\computer_diagnostics.png

Filesize
3KB

MD5
bd8078dcc074aaebdc63ba53082e75c2

SHA1
a3887f75154e5de9921871a82fe3d6e33b7b5ba7

SHA256
9e35270e3510c195a64635292dfcc6dc508e93dcb5715c3e30cf3ec15af6951e

SHA512
9a0b6c67c52ba0a0c9175a62680e9e35793676e4e06dfc6b5bafbff3b50474c94c5434e700d19eff4c46ee84ef0a424e850a3e7fd78d6f62d1d19912a8a38e66

Download Submit
C:\Users\Admin\AppData\Roaming\computer_system_desktop.png

Filesize
1KB

MD5
6bd4db7937c0a36cffafcba31dbc8194

SHA1
ba3be76059ba7ec43bb731d7d7b7c179294cd400

SHA256
8a2cebf633a67d1d8facdc122851204aa996f0edbae727e4d30a1db9cfed0e9a

SHA512
b57bf52958ea12e5dd1cd662a08710b232e717f00c449108c94c3084e93e55678dafcac881be872d2961db492e11cc9655e0d213ec92eda20396e477eec4b103

Download Submit
C:\Users\Admin\AppData\Roaming\cpu.png

Filesize
4KB

MD5
21ddceeb0c385676eb35365c4ff1d24d

SHA1
9cbcd87590720bf2ce80304d0b298fbb44cb61e3

SHA256
82a9d562fac82452d5a767c2d0355e2e8f2d8550b62091522ab3985f6ec7ed0f

SHA512
15e115831e4ba38e8d73044cf50de8f8777faba3d1d099dc5eaba7af53ff87cb7c752f708b25aee35e1a416cac9debcf4f94e85d45a58ab109ac45d435c22840

Download Submit
C:\Users\Admin\AppData\Roaming\cpu_core.png

Filesize
3KB

MD5
823c348a508c32bc7d16d568126c34fb

SHA1
2b2f4bf49a7d8454474bf185e26b2c48cf43e461

SHA256
4f84fda6a4dc46d8577474025df6fead475e5ce750de8177ce51031b82b7221a

SHA512
c80ad925af22645a6ee1766036ff1841350387683db6210fff36c6f5fe321855e77aa50c765a3be4319b8a66032a14bb98655c31184ccc2dcf217a4e12df2842

Download Submit
C:\Users\Admin\AppData\Roaming\f0.png

Filesize
1KB

MD5
f98f487b9e0e5fc13d4c45e18fedb542

SHA1
2556be67db0db9a24e260d0b7e57e13964acc335

SHA256
592ae6664b9cd8f4064bf0c746f876dc2032f7d04ee28ff365b93f242b75ff4a

SHA512
19fed31f734ece9fa29f5b8876b8bac9fd1f9e189794e53864bd2cb2b7a8870575f1ec63d4e73d25fed99bb11e5dbc8cda90bd2ed19441caa1467ec115ab9e52

Download Submit
C:\Users\Admin\AppData\Roaming\faqs_icon.png

Filesize
3KB

MD5
9b66aceb64df2b3528071d542f5a82fc

SHA1
05a1c663a5712195e67c1c62668cd16184399f5b

SHA256
249f23414c801c82e236c9f08b81fbcd5deae75094445923c9db1aa2d440f5bd

SHA512
241cf6534a6f1e37037f0428fd5870494a1c7f5fcc1bac9db13c1157c5ac2a3efcd6d02886b1d4e928105db568a7d9811bc7c116c3b99cca25fd9b2d242dc2ec

Download Submit
C:\Users\Admin\AppData\Roaming\flash.icon1.ico

Filesize
2KB

MD5
5b6d410767b3f51805b65bd53047ddff

SHA1
7eae072adbc3b102a3e06873f643e5e11674d936

SHA256
c665dbded35fd10240134d7199cba83e69eedeb893fdffa73235e5f3ceaacaa3

SHA512
45a409739c6f7ef6444d0fd80134941a20806b7248336b5bc76f757107fd0637f292b2827c0b90c26c1bc5ee4fb6658a1a1d6c2a23b55b8b8bd550a2671c04f4

Download Submit
C:\Users\Admin\AppData\Roaming\forums_icon.png

Filesize
3KB

MD5
303e1ead3ea7b758e3218a578a71ab1b

SHA1
b3a9876baa923259429ca0613ae33c4b86038383

SHA256
f35357168c00b5416b8bf46e1eb18d94f1947003aa9aed9695ec2a6db820533b

SHA512
42109fea02b2ca806057ccd5c3d79c79a825cd5f7c80fee9d02d4f78f21737bd190952fe69ae217032d050de068d019a87315355287aa7806aa91075da1af329

Download Submit
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_br.csv

Filesize
518B

MD5
af3843294c005bd5a56edecd08f33086

SHA1
f49f365144848964d4ffa237d38165ebe3ce2e84

SHA256
4520e164751237fe580545bb70006d05a2c11a896e2cd4a5f57136a0b22afa50

SHA512
466cc22447cd2b8f3b4bebb36c3338b6fa91c52747e1759d85e5df604d237a698847132860ccdcb5e87cd2ca37c45e225d5dc88ec2f74e93c267fb303f9048bb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy79B3.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\DumpLog.dll

Filesize
48KB

MD5
327bfc5b6f9166937a1b5b2a272135f4

SHA1
3e309a22c86200155457df21b1b796a2b5d5cc85

SHA256
f191f88ceb7434a68388fcc65c0d8bf630c21fb25eb1462839bade6ba8b16f6d

SHA512
3fe712c7d828875b73ec92e3750746854c39d2fbbd48dee62a32a673ece60dc1a46e4f3a94cb4d7dd69ee0b9670c135cc72153704321a0ef9838657117db7486

Download Submit
\Users\Admin\AppData\Roaming\{FC0DC950-DB7F-2E42-0A56-A49E2AA3B419}\forfiles.exe

Filesize
225KB

MD5
c98816fc2c87a9999388c5ec2d3be78c

SHA1
a7e21c65435b3be3f0226c72cd076c7d83e18f63

SHA256
4cfbf1fbc5335ad8ddcccc3f3deb1066872e30f0c0f01f9f3d633af15fab8c67

SHA512
ee6ce5e35ca3e1fdc0dea35d38e112c47edd281607bf8db459af52415cde9b310725d8e5cffe5d3ef27324c0096a929156f7d60163abcfbc233d0d7038cbb918

Download Submit
memory/2072-195-0x0000000000480000-0x000000000048D000-memory.dmp

Filesize
52KB

Download
memory/2092-56-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/2272-221-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-704-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-219-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-217-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-216-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-210-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-212-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-211-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-687-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-699-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-700-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2272-222-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2652-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download