cerber | 6ce06d88de7cf0deb2f52a309dc3e779c37b53a1e5370f2eab5a5e3ab3ea2273

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Size

175KB
MD5

cb82368879cd1f929e34eb621b7042bf
SHA1

e97bb759d42c0f40d7b7f5d48bfbb2c615a14d45
SHA256

6ce06d88de7cf0deb2f52a309dc3e779c37b53a1e5370f2eab5a5e3ab3ea2273
SHA512

bbf4d1e4e5f072cd29ec744ba1ea66118c41bf68824a8cb99920c8af9de4232d606822fc2d13fae98975e967a45058b684dd811a826158187398f59008db7aa2
SSDEEP

3072:2yAaQqe90u5DdXJB456ZbBL441hR+TGJlWiDtGp8dZuucrZx0KY6Sc8Hvhs:2yAge9RfVZ9h/R+YBZ8prn0kScEv6

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0 | | 2. http://cerberhhyed5frqa.xmfjr7.top/BB80-0C74-BA33-0063-7EA0 | | 3. http://cerberhhyed5frqa.qor499.top/BB80-0C74-BA33-0063-7EA0 | | 4. http://cerberhhyed5frqa.gkfit9.win/BB80-0C74-BA33-0063-7EA0 | | 5. http://cerberhhyed5frqa.305iot.win/BB80-0C74-BA33-0063-7EA0 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/BB80-0C74-BA33-0063-7EA0 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0

http://cerberhhyed5frqa.xmfjr7.top/BB80-0C74-BA33-0063-7EA0

http://cerberhhyed5frqa.qor499.top/BB80-0C74-BA33-0063-7EA0

http://cerberhhyed5frqa.gkfit9.win/BB80-0C74-BA33-0063-7EA0

http://cerberhhyed5frqa.305iot.win/BB80-0C74-BA33-0063-7EA0

http://cerberhhyed5frqa.onion/BB80-0C74-BA33-0063-7EA0

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0" target="_blank">http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0</a></li> <li><a href="http://cerberhhyed5frqa.xmfjr7.top/BB80-0C74-BA33-0063-7EA0" target="_blank">http://cerberhhyed5frqa.xmfjr7.top/BB80-0C74-BA33-0063-7EA0</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/BB80-0C74-BA33-0063-7EA0" target="_blank">http://cerberhhyed5frqa.qor499.top/BB80-0C74-BA33-0063-7EA0</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/BB80-0C74-BA33-0063-7EA0" target="_blank">http://cerberhhyed5frqa.gkfit9.win/BB80-0C74-BA33-0063-7EA0</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/BB80-0C74-BA33-0063-7EA0" target="_blank">http://cerberhhyed5frqa.305iot.win/BB80-0C74-BA33-0063-7EA0</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0" target="_blank">http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0" target="_blank">http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0" target="_blank">http://cerberhhyed5frqa.xmfkr8.top/BB80-0C74-BA33-0063-7EA0</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/BB80-0C74-BA33-0063-7EA0 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{60972720-909D-A185-0C1B-0BF0E687BFC2}\\perfmon.exe\""	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{60972720-909D-A185-0C1B-0BF0E687BFC2}\\perfmon.exe\""	perfmon.exe

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\perfmon.lnk	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\perfmon.lnk	perfmon.exe

Executes dropped EXE 6 IoCs

pid	Process
2076	perfmon.exe
1628	perfmon.exe
3060	perfmon.exe
1356	perfmon.exe
2516	perfmon.exe
992	perfmon.exe

Loads dropped DLL 10 IoCs

pid	Process
2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
2076	perfmon.exe
2076	perfmon.exe
3060	perfmon.exe
3060	perfmon.exe
1628	perfmon.exe
2516	perfmon.exe
2516	perfmon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\perfmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{60972720-909D-A185-0C1B-0BF0E687BFC2}\\perfmon.exe\""	perfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{60972720-909D-A185-0C1B-0BF0E687BFC2}\\perfmon.exe\""	perfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\perfmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{60972720-909D-A185-0C1B-0BF0E687BFC2}\\perfmon.exe\""	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{60972720-909D-A185-0C1B-0BF0E687BFC2}\\perfmon.exe\""	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp65C5.bmp"	perfmon.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2076 set thread context of 1628	2076	perfmon.exe	37
PID 3060 set thread context of 1356	3060	perfmon.exe	41
PID 2516 set thread context of 992	2516	perfmon.exe	53

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
File opened for modification	C:\Windows\	perfmon.exe
File opened for modification	C:\Windows\	perfmon.exe
File opened for modification	C:\Windows\	perfmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2812	cmd.exe
2952	PING.EXE
1764	cmd.exe
2728	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001939d-48.dat	nsis_installer_1
behavioral1/files/0x000500000001939d-48.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
1552	taskkill.exe
2988	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{60972720-909D-A185-0C1B-0BF0E687BFC2}\\perfmon.exe\""	perfmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{60972720-909D-A185-0C1B-0BF0E687BFC2}\\perfmon.exe\""	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop	perfmon.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400fdfdc12fbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A0FC301-6706-11EF-B90E-5E92D6109A20} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000617997d50b631ad0830880cf3fbc558ea09568d05d13bf4c25a6da032f59653c000000000e800000000200002000000078be8ffc5c68f3e4f4b3abd0e13b6a92a9f776ad09e76bb22abd8294c4a58f7590000000e040ff0e321504bb3d6b517d55559238207e2098ae4cc83c4c5e3a2241e23fb367fbdf2e830fd45e9b8d011c89bd3e9c8cf9661539f1ddba4aae8128ec6f9092925714d10b4332158fca4b1781746c92be1341b88e1f8a40c74fdeffc17435d5c56820daea22cab0627b04e0b0eb7ab9cfc83e95a5ea2871162438513ff4c9ec7df87e9f4218c0c84f101e2df6fc94da4000000093aae0c07ac32a7b25113a55e8614a4135ff6548efdbcb0ebdad50d2bad12f888a35f8ae663c0da26b19a7b048a85a76373361055e1206447d310dc15f0f80a3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A1E0B41-6706-11EF-B90E-5E92D6109A20} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d9909000000000200000000001066000000010000200000004a4e3da72aac61f50746e7bb7665e13adb5855d168dba7a155516d20df284e5f000000000e8000000002000020000000a24c35c4a5ced2d0618b1a0fdf89f4bf5e08b371b9208e6e428c32427b385e062000000092c423259f4ab977f810d8e1439988eda62c4bee81aa967021111c14d9ce4d5340000000c99f43b12ac3e0a4ea74da158d2c639946c76aa5655eff888dab5ccbead85b0ba0145e7f7af3b84cebeea3742d7a0996a68b844c7c5d2de2200a1ded9b627606	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2952	PING.EXE
2728	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe
1628	perfmon.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1628	perfmon.exe
Token: SeDebugPrivilege	1356	perfmon.exe
Token: 33	2100	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2100	AUDIODG.EXE
Token: 33	2100	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2100	AUDIODG.EXE
Token: SeDebugPrivilege	992	perfmon.exe
Token: SeDebugPrivilege	2988	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2036	iexplore.exe
2036	iexplore.exe
1508	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2036	iexplore.exe
2036	iexplore.exe
2036	iexplore.exe
2036	iexplore.exe
1052	IEXPLORE.EXE
1052	IEXPLORE.EXE
1508	iexplore.exe
1508	iexplore.exe
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2796	2220	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	30
PID 2796 wrote to memory of 2076	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2076	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2076	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2076	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2812	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	32
PID 2796 wrote to memory of 2812	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	32
PID 2796 wrote to memory of 2812	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	32
PID 2796 wrote to memory of 2812	2796	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	32
PID 2812 wrote to memory of 1552	2812	cmd.exe	34
PID 2812 wrote to memory of 1552	2812	cmd.exe	34
PID 2812 wrote to memory of 1552	2812	cmd.exe	34
PID 2812 wrote to memory of 1552	2812	cmd.exe	34
PID 2812 wrote to memory of 2952	2812	cmd.exe	36
PID 2812 wrote to memory of 2952	2812	cmd.exe	36
PID 2812 wrote to memory of 2952	2812	cmd.exe	36
PID 2812 wrote to memory of 2952	2812	cmd.exe	36
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 2076 wrote to memory of 1628	2076	perfmon.exe	37
PID 408 wrote to memory of 3060	408	taskeng.exe	40
PID 408 wrote to memory of 3060	408	taskeng.exe	40
PID 408 wrote to memory of 3060	408	taskeng.exe	40
PID 408 wrote to memory of 3060	408	taskeng.exe	40
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 3060 wrote to memory of 1356	3060	perfmon.exe	41
PID 1628 wrote to memory of 2036	1628	perfmon.exe	42
PID 1628 wrote to memory of 2036	1628	perfmon.exe	42
PID 1628 wrote to memory of 2036	1628	perfmon.exe	42
PID 1628 wrote to memory of 2036	1628	perfmon.exe	42
PID 1628 wrote to memory of 2604	1628	perfmon.exe	43
PID 1628 wrote to memory of 2604	1628	perfmon.exe	43
PID 1628 wrote to memory of 2604	1628	perfmon.exe	43
PID 1628 wrote to memory of 2604	1628	perfmon.exe	43
PID 2036 wrote to memory of 1052	2036	iexplore.exe	44
PID 2036 wrote to memory of 1052	2036	iexplore.exe	44
PID 2036 wrote to memory of 1052	2036	iexplore.exe	44
PID 2036 wrote to memory of 1052	2036	iexplore.exe	44
PID 2036 wrote to memory of 2340	2036	iexplore.exe	46
PID 2036 wrote to memory of 2340	2036	iexplore.exe	46

C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
    "C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
      "C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1052
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:537601 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2340
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:2604
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "perfmon.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1764
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "perfmon.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1552
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2952

C:\Windows\system32\taskeng.exe
taskeng.exe {DCB7979C-615F-40FC-9E65-5E644866520B} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
  C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
    C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
  C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2516
- - C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
    C:\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1508
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2260

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
56501c7aa1e4023cff3ad1dbc76a5ff6

SHA1
77fdede1d875b7d05141bba566416a1ef07ac7e0

SHA256
a595d204273254590079096a294b6f41e2d20c3a6bf9eecd64a375bc4179875a

SHA512
0c3eaeba0a977f32ab7758002aa9cf3371a0f6830be667deaf9a2bcd131565cb8f912265e9ba94c8f1c20962735795b63cd819dacc96194b6e9f0d5e891a41a4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.url

Filesize
85B

MD5
0b31709dad6da7f154e35d998336aeb0

SHA1
92febd9899648603d886eb1417c728dce60549a2

SHA256
bfb66b4797e936b7955a549bf424c93a7ff5fc66ec3f45e591573bf10ba10fa5

SHA512
8226189585c7c20d00e7aa2c49c71985d39220173dadd9fa7273cda7b852491e88ef3fe1a1be665b06ebb11244f339e4d9d9ee517219779cec7019c6ff39558c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
2783ba5accc6a830cda44bb36da774b2

SHA1
9cbf1c8e5a68a0278fc4a259550ef65d15482ff8

SHA256
0d8a4e749df87e4a760add8a86655fff620d31be89ae7a3828d6f09b8b6b2abc

SHA512
3acfb7d57bbbbd0dc9f7d58e3aa4bb55f601c5b3bf79f249b483105dd89f078fdd948dda12e546aed0c9eb8fda00b5eab34a8af3441a41ee940b4b0adaf0c81c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6587a3f2b704de7e569351e29611116c

SHA1
4ce56bef06db6aad43fa7b0b1e11140743a324e8

SHA256
cf18ab1e755671eb8c4a95e5f33e052508501eb41980da0721a35546a7eda42f

SHA512
32870aa9c29aad3803a6d17bce334939363130b053a5f5bf73ccb53329341ecc54420d696cdc9c75a1b051607adc8ee90cbfa30d5f255ecb9343244cdea31d89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
492cc2b036eb3d80c6c00a899820865e

SHA1
3962df948b4effcb7ac73238cf7423fca247cffd

SHA256
f4776e4bb1b6964d5d3c5b74e3aaee34451bb4d1ce0b56eebc7ba83f9249a9e6

SHA512
77734bc4fa5ac4c3e7755a96326fbce56216478d373a8123e4115e61351479bda04aeb34580df15ee81dc0b14b105681623a8dc2b5544169e12c1fe459bbddc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acd5b003fca3f71b157cab4f26ea9108

SHA1
72f24ccb7ad5877c6eb806b8638cb23c06e301bf

SHA256
8a0004312e946545b348b0e7b9e4664f63fcee50f0f9495545a3c8886d88cae2

SHA512
6aa67934423094dc48fd85770bee01611c547e0fdd6cc92112e3d4a736fbd42aa294ba6063b0edf8c03ae2ebe0ad1f10f8894ccbd66c0b807613730f54ac55c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eae0f7a6e1f69324fbd8d86a851006de

SHA1
291e06939cf0d4cee25c850d3072e6b605fae8e1

SHA256
f586dd4c01cec8c4102c9e98970c5a7765f6f8e2312b760acf53faf8260b705a

SHA512
78450f0e24e3ce669d07d702c525557150ca7b0592ee1e1c69e241afcc61f74a523a889a5b49cc1dc48c37a68dfc7e2fd38b2175f0a2bfa5660a56c507accb30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5e4048697b828dbc9c64526e4cb49a3

SHA1
c8e9ae3c282fda3ee0fad2241a1c28f61fc3b2c8

SHA256
28c11682695b54f76a4798a6cdd747ebd04021cfb41f31fb06aedafdc0d0bb2e

SHA512
6e95f6ce901398dd4cc98ecad30df17f184bc5fcb0a3bfff3fd618fa01841a55e5f83d78a1ef3137b40cacc660dbabc320d7311dc3b762bb415e117d915cb2ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4cccb23ae8e5f46e57249c80c196315

SHA1
6dcec10322c556174f09ab35af737d49b17c6f88

SHA256
45203158a6ad2baf4ed174d6fdfd8a23dd5038c1043a17e558a8e09e9b01b513

SHA512
58898d98e6a004e295d8421f403630386d5d2065b3d7faa991e428b61f35f22ba321e305b27242be7f1ba2de1a3aa637b9a9f6ad3bea7f92bca456d6f8795eed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b7ad6fd17d6ab13ba31d93709dec589

SHA1
a3094388a095b97d65f6e27d4439745a66aedf0c

SHA256
a8ebc8466ec011deb6dbec65a1442cf929d2fea8d9b5e3a173d74aa4b55dc3fa

SHA512
3d916e1c3b7a2b5df8fb83df11e69388f2e8f9b284a61ca11b2cbb99cabfda2b35656cb0c5b0d197fdaa5efd80b5bef2b0640d79b5917027f89abe34758f8104

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ede3c5fc7e97f3a4cc445c043752bf37

SHA1
f5d6911685a040e27c0dccdd737fc8a0808d8ff2

SHA256
87f3241a60149b78a7871109e9d0ea800e14481a97d649a094b34453512a518f

SHA512
7441fe91d8763c626a20d16d3211413ffcdcf57f438dd96e65736455b76afeccba7375c552fef24db7d312dcd032c371d0e2df85451d4187b33a34df43c757fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
185653691ec538b616ad0b11e79b7d72

SHA1
8b0cab7e4c0ecef46a1e1d7039d684bf4d28424a

SHA256
b11f3574a4e8abcf2bd860a49fc48df4690d886f843951f095caec4e28e9e652

SHA512
18f752fbdbfcceca7418e8fde33e039a96ffe5f451a2397fc276700096535efe7f168ec3b59cea1432d64e834aa8977e3aa9b994f08b2d7c199cc1be7349c7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C72.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7CE3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\22.svg

Filesize
1KB

MD5
a6d970cfa70d0efe3da25bdf48a4b87e

SHA1
aa4d537937fc6aa6ac35d09c1040168c546dcfd7

SHA256
5818b65adfa7db0b10dd062a1ef84aaf3b2e28401b4d48d89a5fa95aca3cda30

SHA512
ee59b08b255b0f67a6312e36975a6a356e3d0d5b01b2bfb9e1840789a2b20c71f8bf4e412c458d1afc214d144e14341f3fff00491f20a3aec833ee77fd13042c

Download Submit
C:\Users\Admin\AppData\Roaming\22.svg

Filesize
1KB

MD5
6314b8f5d4c1b14d970745da99656b0b

SHA1
8231138a4637a9570e3608f0e588bf6a53e5a07b

SHA256
283302fb83e70941d2ef5829a82fd40cbdac95f706b943cf702d4563c4cd6b17

SHA512
b65a5ce5a747f2a78e92d223c818492fb2e4600ffe84ea155c43bc6c644e22663c268182b3dae3ce74b94fe0e51ab18cf8dd34be3c257e2d5a55af0fe1463e30

Download Submit
C:\Users\Admin\AppData\Roaming\404-11.htm

Filesize
1KB

MD5
76985a11cd066027bda86fafb79c16c8

SHA1
8aed1b070c1511cd2e03e81b5d625407cb2a1274

SHA256
67b078cfd1274e9fc4ff2fea2b2d94c317674b46dfeb6fb493080d350924ba6c

SHA512
7f7d6fbae9f3bafa0a654b4c53f2bc46ab8cb0b8a7457a5e5daebd426cba2ad6cb50049471be2ff55db2a20d7eaa88bb3f7d76fdbf2339f3cc9f05ebfaeafb42

Download Submit
C:\Users\Admin\AppData\Roaming\50-user.conf

Filesize
245B

MD5
0165add6524289f6eb0461ba0be73be2

SHA1
241d74bd3a97839c59e76b4bd4c9b153fcdb946a

SHA256
d5920277fe37c1f079f4aca15da1b677423a64596437142b001e718974e2e0dd

SHA512
f768a00f99b0f30ef7db086776573661d7596430636faf460d3c76f9de4428f5e66c81e24f434239bd44177e038508852ad4b30d74815fe67a1748c84ced29db

Download Submit
C:\Users\Admin\AppData\Roaming\Abidjan

Filesize
65B

MD5
d803a36bdfda24206049e32cde7c2b2c

SHA1
6d2b22926cfff7227cbbf062e85ca77ff3b2be77

SHA256
a3082cb00066566478bf0e36e608d979628c3ab3df3dba0f8a67c2c1e99cd4b8

SHA512
bb600833c2e1f137fc1b1b236f0fb6548bf30667c3a51ddade1bf6f8bf380db00afd1942f8c9981b7aa7c54a1037dea26ce5cc176538db586c051cdd9ef12f05

Download Submit
C:\Users\Admin\AppData\Roaming\B5pc-UCS2

Filesize
2KB

MD5
3c261dd687fd42d4b97b2ed2befe5201

SHA1
1199a4a49ccc3e729fa6052e3e3ec67c78394a22

SHA256
9d80bf7d6122a3940dd8f1c7318a18598559b074a4d9d305c989c3b0edda8dc0

SHA512
59ca5885ba84f4f06ec10fb159682acf7ba3a60f7a92a6779629e40a88900eab525f6b1e4b8a02027f3746d02bac34dd2f85966a742fc159cd59b78d1840f2a2

Download Submit
C:\Users\Admin\AppData\Roaming\Ceramics - Eggshell Blue.3PP

Filesize
1KB

MD5
e83ab70fbbe4313da354090b019c93d5

SHA1
a3706e0604ba7d341646a383017c6dc259c4e29c

SHA256
15565a7fb183a4d86ad3d32e01544d01b99cf9feeea31476620317dfd993b01c

SHA512
f95b4302c06491b56077d77566752f6a700d95752118c2cb9ae6b50b48a95f6ef8abb2c0b96dbb3ff9bf1ec2a830db66b2c26d9b6124224b6bc93a21d38344fb

Download Submit
C:\Users\Admin\AppData\Roaming\Dar_es_Salaam

Filesize
85B

MD5
253929cd23dc4cd8beac8f00bbb8466e

SHA1
7cdd935a2023ed85d44eaca37997f9e96812fc0c

SHA256
fe4a98c46f988f436c4081002b85728f44d48878b89b61c440be0a8911610c6b

SHA512
f0a39af5fe038fed658b47890e58ece92f5a34dddee9644038c1dd2982155010f0e2a7d6407bb82bc40ac987412de0298d0a1012873b620507061de3e35a9c27

Download Submit
C:\Users\Admin\AppData\Roaming\Doctrine.b3g

Filesize
1KB

MD5
43411d45295067cca9c0e978d4fdab49

SHA1
b0bb937df1ec998b2db2b42c741b74f297d99a3e

SHA256
d68a2d7a8023926f19dc90ad3f38ef487706e736fe1a08d57b199921f3c8e5fd

SHA512
352069094690dcfa688c110c3fa5682f5352c3053f147abf7d3ae575f9b38662638dafacab3a15a7bd4b58d1aaa5de7102514436d2899f3bfaa21115dd0fac6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\perfmon.lnk

Filesize
1KB

MD5
acc43eb0158fd9331dade711660f4821

SHA1
85a35dcc1a61ef48d9d0e4070c13fbabb8494ec4

SHA256
1408109d21edd8b5de77cf58c1661837d1885da93c8e11ba2934c1eaa4175689

SHA512
7d3d92f1e97672b9f945c8ccced6fd7b5ed08de54908a5f05ecf71a7bfbba4c25f6f6efb269ea8fff8b349950263332fb19f1b06c65bd396621ebb9891944b54

Download Submit
C:\Users\Admin\AppData\Roaming\Secrecy.UKV

Filesize
125KB

MD5
eb58a7a364500ee7492362426fddc875

SHA1
2b9cc43270e8a259b3c8ca4918dc25d7aa69f5d5

SHA256
2743cf29665f94e35ff9e432814b3c0dc354c4af1e7b12043cf536d7a7c39c43

SHA512
24f0c61b4b7497157450557bab4d29568ebfc8c215d0b60619c91cb469ebc05c52aa8819170a90e9f4f47e156355ebbb220afd91c347c884e3648b8e328edfc9

Download Submit
C:\Users\Admin\AppData\Roaming\callout.unicode.start.character.xml

Filesize
1KB

MD5
2406f4ab68c7dd40fedf8e38405c7b20

SHA1
43067214235231e66861ffa3e72c7dc78353cf25

SHA256
8a45d81f4246a0fd98effb8b9d3321fe75bee39847753100d1522e83bbe9f1c0

SHA512
46c0cfedee35669760a7433d5e280f74a4c64a8ec9321e33a14f4f3d6a3f17397096db9bc525d7acc4565368d5f7559eb5c8e811db9285e6fe780c7b019b4396

Download Submit
C:\Users\Admin\AppData\Roaming\callout.unicode.start.character.xml

Filesize
1KB

MD5
4ab850cbbc8203dd0272494ccc005144

SHA1
3713848ecbb70b421956290a24cf5b966d9d6dec

SHA256
61b9afd95c0598c0cd16099a19d5d2b3dd1b3ce3441ad00f55be5dc40441e910

SHA512
89aa963cc1a79d48b48088c9d6963e0b19a2d8f528ade67e5bb69fd9c084147f46ed220cb6573da1b10416951ba22f8cafa7fe0b181b09644dee03c67274f67a

Download Submit
C:\Users\Admin\AppData\Roaming\catalogue.xsd

Filesize
1KB

MD5
509f7b3f17b24a3d692cad3d247e389d

SHA1
67a12101983e734e87b5f529a57ff03b6bb06abb

SHA256
46da0b6bc18a55f87b2b943bbd61a603170cf13b3b865e078f8bfad0106f5169

SHA512
2307dbb5172519ac82c790b054459b0d4805e691bb1fc38a5819bbc976f4e4bcea331b9e05c7c7742c3b799615d563b9144ad990f638e6b4aac03ec481076ef8

Download Submit
C:\Users\Admin\AppData\Roaming\changebars.xsl

Filesize
4KB

MD5
3a91f0918b78182b7a331c0b46f4dd92

SHA1
42622d7e5b49db337a98a2bdfbcecc8a3fbe83a8

SHA256
5d73d69ea322ce333a84baef7bee0b223896d220da2866fcdb9232d526a46250

SHA512
e693948383a7a142ad4276227593b11b02517aa17143a11b217b9c1a2d5e3e45b55b7754444a232f90cb1c15fbae31db83d1dffcceffddde3676c01d813505a9

Download Submit
C:\Users\Admin\AppData\Roaming\close_down.png

Filesize
3KB

MD5
72c8df7bba006aad82e214f56f407b87

SHA1
b4ba0a49efc260c44706d9430599049c5530a2dc

SHA256
f1a8164417061ed2c9c70554e7938db4dbf5c138dc9357348be2aab85c36f078

SHA512
06f97a676ddf254df3336ac865bf2387214db6d6c96f8015231035e799ad35ecbc83c1855214c7d6a5bb8ea8839ef1d29dc62ed04849854f002cb536740e1190

Download Submit
C:\Users\Admin\AppData\Roaming\close_down.png

Filesize
2KB

MD5
0b4c456e11bf25d883e8f265368e5989

SHA1
30bc42209dca7f0e39d68485d226ada5e5f0d18c

SHA256
01bddb021ba9db0385876496c4b3fea84708b0e8e304d2ac9df15205e3f51dac

SHA512
3dd02c261d2d091988008fbfb7b22043d2ca64170d464a8ec23f60f38fa90eeab0e7d28793048d5b70069b75fb515dd94188f7c28725fc14ba1b2d766b076681

Download Submit
C:\Users\Admin\AppData\Roaming\collect.xref.targets.xml

Filesize
2KB

MD5
f09c4bcc5df73eae0fa44cec0862eefe

SHA1
b8ca406e822715f62871e378fd282639c871d220

SHA256
87cd4f65986e196cf01e3bfee3f3fc9a51be983004cbc50c4c5fe379443b9e43

SHA512
b096a570f2ab06f7d65f84a194e85d154924b026544c17af858554e042e6a0eb9d1e68acb3d271a6dbc7b6f54e9aa87145311ceb6f8dc466a7b1e02a5a0b12ae

Download Submit
C:\Users\Admin\AppData\Roaming\collect.xref.targets.xml

Filesize
1KB

MD5
b315d71c7feca1a5c1611675c577d2df

SHA1
df93907f42140b3c6f932a2b5b40deb730dd5109

SHA256
575d396d6995c2f4c9cfe493c76847df2d468a49d2a379139521bd00fa1c1abf

SHA512
0a0513f58f33a27803bfdaa3e635928317d40de7488bef0b6d040d58414e60fd252f7ca348ef9d50827192f03e9e15675c5a5e3870cc8b36252671d4bbb5e680

Download Submit
C:\Users\Admin\AppData\Roaming\cursors.properties

Filesize
1KB

MD5
b92c29f94e268e7bb210b7aea4cf0d95

SHA1
c33059af1b5f74da238efeb1636d54b5dab9108b

SHA256
779c8cfd088520536f6e77ad0266d4668075116c72a90c41f19ae6ca993496b8

SHA512
36ddf6ef84d1a8c839334b1bddc5a069126f6446ec61fb84bb2be4f89974d362ec4e41e7363d6fb11529e56ddb6f6d481dad56c35d7f09de34d12ba7580c3cc8

Download Submit
C:\Users\Admin\AppData\Roaming\delete_1.png

Filesize
1KB

MD5
1681d0f14b13cf44018cbc43c6152711

SHA1
66d28ef2287eb0bd97ec409da6b5b9f85a229453

SHA256
56ef0a3bf169419427ee592b1d65121507740b78ab94fbf41c84f6946e554081

SHA512
7133c22cab97ac736e3dc3dd202c05e8a6beabb04d668fe90adc3781c96575a29a175169f0c42a986ee8d110c5b270bb4f48ca2861fe8a0942b44b57dc7605d5

Download Submit
C:\Users\Admin\AppData\Roaming\delete_1.png

Filesize
1KB

MD5
4323deacac4a6138c00f9babd4cf00b3

SHA1
ab9872864c3d712912ff43af850d1257a418db3c

SHA256
7c5f6acc2b19d4f677f58e1a4fb4456f0ca33b9af7f3df0605d7a0ede3ef7213

SHA512
5ce4971e5fce124296ad0c6a9bc2cf8087f46d59d226b1676e1ff27af38c2d585a59e600ff2da9eb57e029c0ccd55d0032a158838d6b36e63906190918067c32

Download Submit
C:\Users\Admin\AppData\Roaming\description.txt

Filesize
417B

MD5
73b5f3bd43afccbf0c994b45ab19c5da

SHA1
d36edf98d9ccbd0ba9567c3041db69e0af39c101

SHA256
648a87ee628ff9ffd8f26787a66fd5d7d9da4d6a974548c9508d70ae09373269

SHA512
e9f632f97e5c47c134452884e44d5487ffcc0dad2a9cfa2c44e5a8028ea4cba8564929c945662adca11161fd7f92904f5ad677514e0848e295cf23ae028a9f83

Download Submit
C:\Users\Admin\AppData\Roaming\description.txt

Filesize
33B

MD5
7935837cea0cb77a065f95d391316c39

SHA1
b35256b80069d6037ac38d30f378a3e4acc2d757

SHA256
d6c84312577c56b5875bc19cc13b2aa1523ab2b1d29a6b8f81a6d6b95e1732b1

SHA512
777ad055e5ffbc7eae7d9a30ddd92163e153e75c714d6c016ab66dcbb54eeba3379845d3444bc53d976a0064eda0f7825b105a0605f293d9d4ec5b31baa2ef9f

Download Submit
C:\Users\Admin\AppData\Roaming\f1.png

Filesize
2KB

MD5
37f396203b2f1fbce5f5650834c83d4c

SHA1
aec93066a3552fd796473d0f61d12429bcc1b29f

SHA256
f4816cd23c67bd70a2cedbbce0b01fac2acb5714448649ba7a7028e5e41d0f4c

SHA512
d2afe15373aacd126e47999df7058ae4f0f2f28dc17053266ffaa974fa5f41c7cff3f2bdcaeccf2e1d6e385ad5aa3c13c4f18370907325f8d68998b409981e1b

Download Submit
C:\Users\Admin\AppData\Roaming\f1.png

Filesize
1KB

MD5
9632d740e720b8a989e0996b6b4a498c

SHA1
d448956c025b6936a06774fd3554c731a6d89d36

SHA256
ddca49055d86ac88b39358c49a9145fb80cd6feda14567c36108226119f85028

SHA512
51255390750610ce104b03ecffff09e17313e3d94067bd5ca16ac3bbd5c6bc2273fad5be7b172503ec23bea601f946d3d3164c6e13fb1206dd414bc225452a2f

Download Submit
C:\Users\Admin\AppData\Roaming\f25.png

Filesize
1KB

MD5
573e013a72dd564809ecbb0495b9b271

SHA1
431a26b95320d6a9d27f3421c6db7039307da686

SHA256
79173741ec650f965bfb569064c0705d335d0c7c8f89caea6556bdde40e01bb5

SHA512
8a3b43d920693189b789f78e711e75c9558214977c78638b7a2ec4bd626b2c94ebf53de1d5d86f65aa692bc4081db109ef10e2e0b0f453039fea8549e6773a2e

Download Submit
C:\Users\Admin\AppData\Roaming\f25.png

Filesize
1KB

MD5
7f4666d0834daef220c70850d2fc7297

SHA1
966b7675b3097497e436b19843f9d97acc152aa8

SHA256
2c5db192ee906b0ef5132351d160a649336773847859d896d8365b9bb4cb4210

SHA512
232659c4041e68464a94d510c5a02ab3f9fb50eaaad93e8e574c224937ddb5f301ecfd5b17b2adb4c5ec53e754f66539d07317241471ac5765e00e3d86c74784

Download Submit
\Users\Admin\AppData\Local\Temp\nst965.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\Arrays.dll

Filesize
9KB

MD5
b587eb0b16940822bba3569ad97b0bee

SHA1
6a5e2e416a9959c0c927e53b83c009552181282a

SHA256
051ddb847f1f65002a8916ac1f0233d90a848e597962cc2f4d7b7a8532259477

SHA512
62c76e9cd4a609bd95796217569f4d2a86d77027752aa0d230a63fd4f66c88b6e0b9423ca45fe00f396ac618975ab190edb94b5d5c86b5bd52358620e88dd6f3

Download Submit
\Users\Admin\AppData\Roaming\{60972720-909D-A185-0C1B-0BF0E687BFC2}\perfmon.exe

Filesize
175KB

MD5
cb82368879cd1f929e34eb621b7042bf

SHA1
e97bb759d42c0f40d7b7f5d48bfbb2c615a14d45

SHA256
6ce06d88de7cf0deb2f52a309dc3e779c37b53a1e5370f2eab5a5e3ab3ea2273

SHA512
bbf4d1e4e5f072cd29ec744ba1ea66118c41bf68824a8cb99920c8af9de4232d606822fc2d13fae98975e967a45058b684dd811a826158187398f59008db7aa2

Download Submit
memory/1356-187-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1356-188-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-195-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-196-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-193-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-118-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-191-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-184-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-120-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1628-119-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2796-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download