cerber | 33b8c7c3d12e03465f4438e5431b0801dff1cfc8b16534619c009ac4387fc7e6

Analysis

max time kernel
127s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
Size

253KB
MD5

fa8dff8ebe3d919ebc72ed83c58a2351
SHA1

f98a4f7bd317a4a90790bdff2d13fdb8291c6357
SHA256

33b8c7c3d12e03465f4438e5431b0801dff1cfc8b16534619c009ac4387fc7e6
SHA512

8f5ecc6863b845cfc6ba86026b8771a3a43a923a92f054661e6d10013961d92d833c49626de02a9aa9a6592374c5f8987eba1d9fe747dc9b83d7b4a1419f5cda
SSDEEP

6144:UEcNCL4CqbmP+xNaYlQdmipcCYG2R7MmZFUDz7GJM:jL4CamP8FlQFC+m0v6JM

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998 | | 2. http://pmenboeqhyrpvomq.0vgu64.top/BB8A-A708-A3BC-006D-F998 | | 3. http://pmenboeqhyrpvomq.y5j7e6.top/BB8A-A708-A3BC-006D-F998 | | 4. http://pmenboeqhyrpvomq.daigy0.top/BB8A-A708-A3BC-006D-F998 | | 5. http://pmenboeqhyrpvomq.onion.to/BB8A-A708-A3BC-006D-F998 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://pmenboeqhyrpvomq.onion/BB8A-A708-A3BC-006D-F998 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998

http://pmenboeqhyrpvomq.0vgu64.top/BB8A-A708-A3BC-006D-F998

http://pmenboeqhyrpvomq.y5j7e6.top/BB8A-A708-A3BC-006D-F998

http://pmenboeqhyrpvomq.daigy0.top/BB8A-A708-A3BC-006D-F998

http://pmenboeqhyrpvomq.onion.to/BB8A-A708-A3BC-006D-F998

http://pmenboeqhyrpvomq.onion/BB8A-A708-A3BC-006D-F998

Extracted

Path

C:\Users\Admin\Pictures\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". <hr> If you are reading this message it means the software "Cerber" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li>Please wait...<a class="url" href="http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998" id="url_1" target="_blank">http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://pmenboeqhyrpvomq.0vgu64.top/BB8A-A708-A3BC-006D-F998" target="_blank">http://pmenboeqhyrpvomq.0vgu64.top/BB8A-A708-A3BC-006D-F998</a></li> <li><a href="http://pmenboeqhyrpvomq.y5j7e6.top/BB8A-A708-A3BC-006D-F998" target="_blank">http://pmenboeqhyrpvomq.y5j7e6.top/BB8A-A708-A3BC-006D-F998</a></li> <li><a href="http://pmenboeqhyrpvomq.daigy0.top/BB8A-A708-A3BC-006D-F998" target="_blank">http://pmenboeqhyrpvomq.daigy0.top/BB8A-A708-A3BC-006D-F998</a></li> <li><a href="http://pmenboeqhyrpvomq.onion.to/BB8A-A708-A3BC-006D-F998" target="_blank">http://pmenboeqhyrpvomq.onion.to/BB8A-A708-A3BC-006D-F998</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is Please wait...<a class="url" href="http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998" id="url_2" target="_blank">http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address Please wait...<a class="url" href="http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998" id="url_3" target="_blank">http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is Please wait...<a class="url" href="http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998" id="url_4" target="_blank">http://pmenboeqhyrpvomq.pap44w.top/BB8A-A708-A3BC-006D-F998</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://pmenboeqhyrpvomq.onion/BB8A-A708-A3BC-006D-F998 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\expand.exe\""	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\expand.exe\""	expand.exe

Contacts a large (521) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk	expand.exe

Executes dropped EXE 4 IoCs

pid	Process
2804	expand.exe
2360	expand.exe
2128	expand.exe
848	expand.exe

Loads dropped DLL 8 IoCs

pid	Process
2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
2804	expand.exe
2804	expand.exe
2128	expand.exe
2128	expand.exe
2360	expand.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\expand.exe\""	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\expand.exe\""	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\expand.exe\""	expand.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\expand = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\expand.exe\""	expand.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	expand.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp976F.bmp"	expand.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2804 set thread context of 2360	2804	expand.exe	38
PID 2128 set thread context of 848	2128	expand.exe	42

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.txt	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.url	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.ini	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.html	expand.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.vbs	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	expand.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1812	PING.EXE
2748	cmd.exe
2200	PING.EXE
2160	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a4a0-47.dat	nsis_installer_1
behavioral1/files/0x000500000001a4a0-47.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
2608	taskkill.exe
2472	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop	expand.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\expand.exe\""	expand.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\expand.exe\""	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d5c5b6e710db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F409B3B1-7CDA-11EF-A97E-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000007dd7139f0fdb8a4d4cc6c19085159b57b512f7d97a0ccdf6b2ca7664552d1752000000000e800000000200002000000072e1cd94ce79279f0fc200aefa5e4892a8d08c0d207bd8d4c5050d867f983640900000009ae9e18ecfebbba958a362ae7b54b9dde23e0aecfb0fa2b7e7abeb606f745f0bbf592641fe614e1083d7781a5649aed751bcbb6c401da3ad16263cf79707d1af407934be0c8aafcfd3eef3a3e4b4f34b8f4748f3c218e445add40a8c19f914d961c9fa02f89e1a00e42c33fad72457b67c217880f555595e9b2730c432858c4578640464bbb4b88fee18047815aadcda40000000b35ae47640baeed3a0892c5fa43cb5f1c19b3adc803e231ed6ef59cf3d2d07083679e3634436d1381572c250089122b6e60ff8d6fe80c6fcf1c641122dc40112	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433608398"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F4002E31-7CDA-11EF-A97E-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000457f23e780f74f12928e2c0f3773c4a2a041da17d6fc57a8c0c420f9a5fca7a3000000000e80000000020000200000008699151b2fe9da814ceb13b898e16f45967cad44e2fd7fe34e416cea0afc7bcc2000000000bc2bf47bf6e3b60b0c3d9760771fccce10e51c887cd025d1e0348beada7f6840000000520be8704ce48b49ea1aaee61558aba1dd98ffb3ea2174479fe33565fe5cc078191c0702e43829c15bddb06ca31a4deb2982d9717ced41922fd2d5eb6a41c1e0	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2200	PING.EXE
1812	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe
2360	expand.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	2360	expand.exe
Token: SeDebugPrivilege	848	expand.exe
Token: SeDebugPrivilege	2472	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2652	iexplore.exe
2652	iexplore.exe
2428	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2652	iexplore.exe
2652	iexplore.exe
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE
2652	iexplore.exe
2652	iexplore.exe
2428	iexplore.exe
2428	iexplore.exe
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2252	2548	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2804	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2804	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2804	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2804	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	32
PID 2252 wrote to memory of 2748	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2748	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2748	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2748	2252	fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe	33
PID 2748 wrote to memory of 2608	2748	cmd.exe	35
PID 2748 wrote to memory of 2608	2748	cmd.exe	35
PID 2748 wrote to memory of 2608	2748	cmd.exe	35
PID 2748 wrote to memory of 2608	2748	cmd.exe	35
PID 2748 wrote to memory of 2200	2748	cmd.exe	37
PID 2748 wrote to memory of 2200	2748	cmd.exe	37
PID 2748 wrote to memory of 2200	2748	cmd.exe	37
PID 2748 wrote to memory of 2200	2748	cmd.exe	37
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 2804 wrote to memory of 2360	2804	expand.exe	38
PID 3060 wrote to memory of 2128	3060	taskeng.exe	41
PID 3060 wrote to memory of 2128	3060	taskeng.exe	41
PID 3060 wrote to memory of 2128	3060	taskeng.exe	41
PID 3060 wrote to memory of 2128	3060	taskeng.exe	41
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2128 wrote to memory of 848	2128	expand.exe	42
PID 2360 wrote to memory of 2652	2360	expand.exe	43
PID 2360 wrote to memory of 2652	2360	expand.exe	43
PID 2360 wrote to memory of 2652	2360	expand.exe	43
PID 2360 wrote to memory of 2652	2360	expand.exe	43
PID 2360 wrote to memory of 672	2360	expand.exe	44
PID 2360 wrote to memory of 672	2360	expand.exe	44
PID 2360 wrote to memory of 672	2360	expand.exe	44
PID 2360 wrote to memory of 672	2360	expand.exe	44
PID 2652 wrote to memory of 1252	2652	iexplore.exe	46
PID 2652 wrote to memory of 1252	2652	iexplore.exe	46
PID 2652 wrote to memory of 1252	2652	iexplore.exe	46

C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe
    "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe
      "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1252
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:472065 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1296
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:672
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:2204
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "expand.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2160
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "expand.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "fa8dff8ebe3d919ebc72ed83c58a2351_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2608
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2200

C:\Windows\system32\taskeng.exe
taskeng.exe {C8F99950-FCC7-4B70-B68D-2FF52C06C257} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe
  C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe
    C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2428
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2116

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url

Filesize
90B

MD5
ec4aca482b4222b712d843af5c3afd50

SHA1
c150eeeec3f8bb6b2b1f4042b3c1fb8b3489d85f

SHA256
a5e106dec0bccb1b72ba030be9962d488048e27628b5e5647d1b29ef8d50f32b

SHA512
eb9d37b5dcef349e450b10011eab21e10c170a78a41ee583a0a6e27b4c95f934678780268a62030bfff1bdc24c3b1912fe3b63fe4113164d900e720445443c88

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs

Filesize
213B

MD5
1c2a24505278e661eca32666d4311ce5

SHA1
d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee

SHA256
3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628

SHA512
ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21b74dccf9a13f4c16efa428774921c4

SHA1
b21aa4bcb9a71b7aa4b3997fe67a73b67dbde0dc

SHA256
fe911830c3e7f2878ba32350f1d13ca8b01638fafdf0cbadb9f1226ce14068d2

SHA512
f86bb138a579adfa9c30db4a6630c1fa8af475a5c872bc5549ac28817f1534c71d2ffa4b80955570f07721c90b16473f7c4b9c2a8a26300df8c8b0ac705f987b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e59d2ca1af7fbc0cc7ce96782d29088

SHA1
1bc3d9be9197d996399db1120a8b843e11b03bd7

SHA256
6fee7a2ea4fae76363ac58d83443cf9971da6ebbaffca8f75ab715342635ba05

SHA512
1c4a7056e936922915a23ba4776068dab2abfbac6053c47d325eed400061c1b364aafd3fc551ccd6d365462e3c507b7182506383a2df8cc8bf2e9eac75bf00eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cfbeb5f04ad291f7b5cb5cbeaf98442

SHA1
e1eff483cacef1565d102dd22d028813fd7e64c3

SHA256
d39589934fc272a0e55c017c4454e1af1f91ef6a84d81738e1f06b6d57906b07

SHA512
73772e66432f0ff6dd245dd2e2871131ea1c7e61ef16199bfacf4ecd6be5d09cca84fd16bb1e0207b4f2a612a3bd333f55c05e8d3f2865b77ab83156f9412876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1974f5902d21ac6d128568237e7f0e5

SHA1
85e70e3b7b9f19d71a9ab476070b0d9280cb1155

SHA256
92278c500d196cabd6ae7407f8a0d7239ad9400483d5e00b00b6c465f54e7a77

SHA512
d57f2e3338eee751cd99dfb1bc3042cf4afe461138bd04e830c4ef921310be82e479a029f397d267f1edec7f9731d5f4825ab86e0065fbbf033afb7ada1b76f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a33e6f8581d6d28d6181d2151154b94

SHA1
2fa43fafe940f782c5c794479b96245caa9344f0

SHA256
b476e2c86da4e8f62996373d3d29c7ef9a750977e21775e5cbc8040e9f557dc0

SHA512
1eb56cf92e33a52e1ccec57e3a04413e9fc1ed56274c5feedcd2c5b72b7d6d0a0f38de1b2cc8ba57617b77ff907c0891770afd08fef8eaf3a99f5f5236e68039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d72f576d75193a8ca5b95cfe0a719e7

SHA1
b172aa1bb0439a4cb6a39ee32dd7133ae38e1150

SHA256
e93ea25e308893320fec8807a0a532d265fba51817a3592dde758fb745c18220

SHA512
c0efe6fbe58b8ea3b6bb3769a45c2dd915ff6637d71ae16623089c787f3002400209e8a492cd8cb223cda4c565e200df1a4054a99f665a84f8086ae20a733a9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cead0c1f0364699f7fbe14b8f1551a51

SHA1
e260b718720ed6a181dddc0d1131a5214e868e4c

SHA256
28e4bfee8366ebd8c538a9d8ead777a0d453017f7f3b014f347b5ee0ecdf42db

SHA512
7170e96cc4a11b4c28a5b30ae9b717cbab276a0d247f3ba46f0ff0503807d93a24493201b5b59aa5abebcf44b36833dcbeca93d68e5110d679b329d71425d5eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01ff0984d0b75cc2f90f12c206a7564b

SHA1
a6915421ee3984dd6d26dbd5d1ca7393e5dcd781

SHA256
6e0fc9dc8026ce9dbdcf06be58a4aa0fb2bf365b251fe54b57c1edd0680ee509

SHA512
e88f8a128fe311a88a4fff16150c285bb003cb0db14246b1b9b97ee45af4898d15fb2f2b5bf359f9edc4089de7c06b37a81ee37083bc5af42f7754e0971c8c4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87e9d2c70380b74fc852d6366bfeeb72

SHA1
c69ab4e97d9f9fcbce08b3537e94d4d43182a93a

SHA256
7310c45d0e1a89083ae3a1575ed6f059baae5e6e821c1ffd41b33df0a06aea67

SHA512
d60cecc1968deb3cc01eb909b06b093f0dcea82c32a5d126ce5c8ff3a3967c2fbd0116a731b53c30e1637572e35dc56b35e9a943bec683db36ba2ceb23ccde4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
693bec1212fa9d185116d1bc799ae725

SHA1
cb0649449f508b897e03a0e8628cfc4e55aab6cb

SHA256
297672db3b8bf6dbfb325d6a14edc6ad42e846eaad0b267e29601d7e1609a9d7

SHA512
33afe6882161eb7666459cd4e2c5ba3d8304f7d3c3cbdb8936fb62a5f7164ee6b9dba68203d89580453d0d5bb4cf7e2adcbb7f2471fc1a39f3a8a6680da47ba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0e42bb592cdbb8e695d0f7212fe1277

SHA1
990beab9e3b314b9c83ff0e37fd65950e3eedd70

SHA256
a32be53dfc51c7ba783569f966f178ec956c6dd8abd4f36b28c1dfe6df4fbe38

SHA512
32a484ac28cc0c1f0fa5e2a39429538347f7999204b707a918c12cb9a3317ecbf6b1bf0c1a70bbcd75630c3957f5740f7778cbb1ba5c9b9b04416dfb8d278dca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2599aefa1820b8fe89903e91628744c4

SHA1
d43997f0bdd2819f243e7a837a3668141ce57215

SHA256
18b67f89350e02edf3935efdcb718fae566b8925ae15854eba05cff8f51a97af

SHA512
f49742bc6a4985e7b8fc05c9b42353b4a060a91da3b8b8e91869fed729a82704881b24892cdf3faf2eb8261af3aa6ba17d1c144c40a826732817ac2648ead1dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2a5f387ea00ead0a588feeb0067e659

SHA1
57877260f8d41f5ac050e48865500179c1f8b2e0

SHA256
d17bbd4d7f5f102dbac358723fb936c8e560222431fdf766f41e2fc6ebde7b48

SHA512
a560cc069de6ffee395d750da2ae4ee99826c9dfcd76ae98621b850709774c2796f964fc3a5be0470b873c0894b22e26781be99864d7bd00f56a0debee2795af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9759756455770b2d2564655be525ed80

SHA1
24c6f9ae5bc1b17086e6b7efcafdeba4b7eaff0c

SHA256
3a371bc7a788047122476ac7d545cad902ee8e12c78f82c5165e8d193213dd87

SHA512
6f8682164cbb1ff57a726515a72a1d1296d88b781d17f862687add171d9fd4ab0f2e1c3d718366761c823f623c167d794abae4221301e56068e2fc30de6551c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e5825cd6b665ee502964bc8bee63007

SHA1
e76f07c2a035ce8b9d42473738c902776d5baaa1

SHA256
13cd063adeb40054d1b302de737910d03674d0ced610b9c3f2fceccce6997ba5

SHA512
0ae93bd1362a56fca6e5ad374009d7e97a016c679ec25a4ed19b84f19165a57070cb4ea85a70c9426dcdf432ad23389812923cc773ffc77ee118bd48b924a986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9730343446f74f136dce9b200fdddcc7

SHA1
3202c327cf8abe0434b6f5ef3047de9ba3ee716a

SHA256
f4445d7cd8d01de7414fa75f79534ca4ac41e20028e1c149c6b9cc9b3a1d9cb7

SHA512
11ae4cb2eefe924d6bcc614f000b67b19152384f1936b31a4a169fa519429e5a4c0f3261a36237f57408f2aed8fb39473e6dfb01e19646942e33127d042e8ccb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
471f513290af12502aafc29900e93d56

SHA1
4c8697dbd8d870aec706a9925fb095ea4d537e3d

SHA256
6b73639d9fcad7b0dcace7f86507fe4f23e4d0f7f1b6ec8c2225eb9d2e332acb

SHA512
c8c901ee7562882cae319b1e5793380c8bbca502f8919609b8eb6c80ec7b9286ea1c8efebe08dcaaf7a68c1d92ab16e2e3a03da297281bb31b4bc800f33d3bfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f6ace8078753be4cdd62b0ec3a2a0e0

SHA1
3b2aaaad2cadf67d5df05cfaa1f3dcc788bcf903

SHA256
f7b349e3c74489a2a707496c5a94f180490bb5ca61e1a0890021e3f9d56eb7f2

SHA512
edb91079e56e3617bff3865a6d92010d167c5a0c99f970bd4888b15ac91e03f5b5d987d237372b7ea4f31679d47fe33ae320e5b36eae2adec95cd83e94d7c5a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
993c12097ea7de80b0927ce64dec7de5

SHA1
84b718fe693f4a8683e039a2b8f2817b2bded73e

SHA256
eaa5288ef5b780d49789f486ac887f4e1b30fb7f695b4c25c351b29661f6eb06

SHA512
8f2e3bbbc7d6c91e339c13149e3b65dbe75f17f1d3f6007c79c59c72ff505e0da41111513bd4c02367a3dba3bec79661e8c55da956ef2dbe960cb40cc3167644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57264bad11cc235be4c418da7e2122e9

SHA1
eb25c205f3ddbf62e301236988a099e672042442

SHA256
5a7dd08de0ab2d92bf6f5e7a5ffae8464aff44f1af6304fa962d56e9ed8c03c3

SHA512
bb3acb8be78181cae5b9e32f2151baa10d57c33f8109fbd681142f235c4db0749315038309d42261a26dfa9baa3e787c2e8e23deef9b77585c11dc8cdadbca6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21e295399e0cc20fc02f37a117f09350

SHA1
e0c20389b03d858bbadfe9693c6a66db986480ac

SHA256
014e0c481554f7078b9a4c6913fd6774ae1094db19540ac7ac5b1f034de020c8

SHA512
88cd36acafb278f764f6c7a9edcb204c9f0c249a036bfe7807f0fa722a4946e2e4e761412fcaa40da889edd4bbd429d36218b322a9fc7ef99c537b54b2724a92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e040e622b58821ca5028d1fc86253e89

SHA1
93d02fb07c918b5f537aef5400bc37edc66dcbc9

SHA256
01aa275eeb13f154dd563101ec0f61c64241f1d823bdb5093b24fedbb5035854

SHA512
3c8d828614feb5811b0395d68a5d5029ca03d2239ef1e0c7f9e709b66354467faea879595bd623093700ee3d8996f8339256a99ddaa37bd849015da7cda4bc60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F4002E31-7CDA-11EF-A97E-EE9D5ADBD8E3}.dat

Filesize
5KB

MD5
f0cfcb46bc75eb4a72e92a3e02291479

SHA1
db751e48b744bd89c5aa48d4072a995d0f190c97

SHA256
26f14944c3c5e4eabd0aabff984521aa29d447fdf57d939c2b941aa0c6d0ad0f

SHA512
693a5b9ac49790e811ce538c023e2c355cbc715de3542734f8f9ccdf9514a238b53042503aabf771cfd4cde5a9d9b9fcd184ab1e5ef7f8b2387f1eed5d1af32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\404-13.htm

Filesize
1KB

MD5
0267ef0118f917681a00b350c9e6911f

SHA1
314e8f5329983d234959a4f7e94736d99d039d12

SHA256
7bad2da380f6fa6f9aebdea5a0350d377086cc68a04b92b68b32b0b272719e92

SHA512
2b4eab9fef989f1d325546b1deaa9a40f1a421e619bc9cbb757abf20ba8e7b7ff236fda375b40983f3b7a6fac2a04b6b803bf8e0d0e1d5558a171eea14000a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.gif

Filesize
218B

MD5
f8969783e9d4873af3f58346c9bdb15b

SHA1
536d3ea983a350fc2983e2a3844a87485d99d373

SHA256
ecf6f7686acbf209579bf90789e2608e9f7cfe0c6a2bbb6aa45713b2b7f89d71

SHA512
463b26a875e11b285286b4eded330580b868216e8bf7f9d5945371ce465c8955ef6e37b0663cb71bedc28c448ed16de71bebfa89cd99148dc6ccabce509c9773

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbstractObjectReader.java

Filesize
4KB

MD5
2c75cdd8a8d68a50bc179649b7aeefc0

SHA1
d178afb5dcfedb35e70f445c15984d5203408811

SHA256
908f92f69a4583e55275a9a97f71a81984b5c598deeb379a58c4ae6352b99dfd

SHA512
bf316cb91a4b3bc4ec374bf8cf75efde1c6ae4dec2f1877d995844224a1744a85230f9d1661b16e4628f73875ed1c8337a73b0420200ff93a5dbd615758139a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BasenjiMicrofilm.S4D

Filesize
3KB

MD5
fda6512a5f61cecd95dcc31514c26fe3

SHA1
2b1fc8b3bb931b8ae4fc6e6750144761720fdce6

SHA256
3f4a51a5a1001937ccfd4bd056c69c5d713ce4b91a109916b265e1a80dd316d2

SHA512
658782117e20ab15927c813ba92835e0f518fbb5f11b18397042c01a3d917f6b2cb348256d3bf42a9ddc6a6f45a0c5550bfbc3f15663e033ecb286b9a2f84f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bishkek

Filesize
485B

MD5
ad8baefe636e08b8d937ee4303d37231

SHA1
0f58d13ae045ea62f4f64dedd7de4bdfef7e985c

SHA256
b510a9f128b96f387a21d7b719fdc1d7ae81480a94620d11456699fd76271442

SHA512
31b60710c0c59c882d21dd9d4eb5449c62e4f1bb75366d2b006b68f28e49f7cf63058272c0e2f8621d4bc80ccde0cc1e4cfdb503f3a513f0e2123c97524cc485

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE4A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBT-EUC-V

Filesize
3KB

MD5
a33b205d2c07a68475fd1ff3ba7ce6c5

SHA1
9ad672f39f10b822c18196bd9d06ee7afa5e0740

SHA256
1454f5f35a4472c53c37efb4c965b9f0c5318bce978d7c09d4e586bc6b98b2b4

SHA512
7835f185f136751174eca88837bc2431c5f6ad45a11363d6c74695b6a829d7037f1a8610c54a369e509b076bf22d854ce79eaeb95218e25869b45d8f26d247e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Makeup.V

Filesize
15KB

MD5
fdf59b25376da680b49701fe319aa58d

SHA1
8ec95b2f0e5c662c74be9669960e0710aefab87e

SHA256
74132f7b460da1822e1fc55a9052233ddbb04fc958876d17ad167d4de1a2323b

SHA512
5cefc9d71da2af6900c85f9f346889ec4babc3b71e089176397ed0d92cbd1e75f4d68bf0bfeae219a4bbac1182356a326cc2fb3919d25191e70d52bba6510f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Makeup.V

Filesize
148KB

MD5
80fed5c28b0bbf5e6f2f29755a984a1d

SHA1
4a0edf53ff1851e7a91f0f635b04aeccc6646970

SHA256
a1c040049534c2c6cbde308ea120cf35f6805863d6ab3ef4eb9985ee04985d7d

SHA512
d63c59f487991d0fc2d9aa1cb47d23707d45ef2ae82e801355de1171a5db7c04a2977e3f5c5229fcd3ffa5c4f8a150bc9e11aee9ba2b19ced7ab96bfdf4a7a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAEDD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\change_options.png

Filesize
3KB

MD5
c6010e77916c990c8e5e7e7b2546af36

SHA1
fd7a8c5b49c66ac4b1b05622032908e8101aafdd

SHA256
fe33a076cf6ae33766d202707e04ea439896850950419a68e2569c4d9a48d205

SHA512
090395590f02b438017bd1433f7fc66a5d135c59b10a66f562d81b1b328af68b5bf90d84fa6d3d16747edfef86efb42e95a4cd505a6e1c3fab2be91fc3954f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\column.count.index.xml

Filesize
873B

MD5
c97ff523785684bfafb523e994710d63

SHA1
dd1d166ee22825a7b1a659e69cce500c8726823c

SHA256
1d7295b88c7d37f8c59c7002281f8f3a5060852b2fadacb826b7066bbefe2284

SHA512
4e51fcc9d64efc8cad482cd293fd440436222886267eb586a9ab70023e5f12b6b6115f7955d65419f431a9af492e1056dd8193a03983baf60c678bd9a6305aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dash.js

Filesize
750B

MD5
533b30fdbd4ab5d87fb8e2081f93b797

SHA1
7262676dd0af789afb53085f1b352455ace74552

SHA256
8ef1f3da84d39926c50645696bae8175d8465a64f2e51ffc35e9c50854d915b6

SHA512
93e97129fc6687be7eea739774f3524d3a5fb2e552aa8069b37d51524dfbff8928155b088ec019b85fc4b26597fceb1755b7cdc5c9d86ad7c401cdef91e2fdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3_11 x 14 in 300 dpi.IMZ

Filesize
46B

MD5
e67bb39e43493d3882b7673ef76d4a3c

SHA1
e5273781bcef374a1586c448e1f08b46d2532211

SHA256
97807b9b758a5a8a70fe85a5a4a70b7b931ab76b1e530e226c97415766d1b8be

SHA512
768ad4a01a0f32fb9851919b8e10f46b637f1dd31308942eb21c66db4ff1941f3e8289c5b5632754ff2bd82344fa5ec029d0bc751463cdef5f5ada335f348883

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk

Filesize
1KB

MD5
a3d86b8b26d94ce44b66b0e6af841115

SHA1
73461bbc6b01676aeed822b716fdde2109173edd

SHA256
0608ed282769cf91cb8966b0e852518089edf127831fa96ceb6e0795868d6bc1

SHA512
39201e8166a9e1a95e62d5dbd8c729f1a67c9318423a6e1b7b9c31af9a7cc89943dd63eee1b13c62e7fb6b5cd316fb979cb0dda2dae594120bd87399e1ef6e82

Download Submit
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.html

Filesize
19KB

MD5
d86267a706b8d1802d7c8114cf2d222c

SHA1
fe2230fc1ec25cb07997d2ef6ad7d11970e0b62d

SHA256
7b4f75cb065a2fc391e019653f9ccc08f914b356051e7b7750d8f2fdec95f261

SHA512
f526dea14fd3744c03d092ca6ee35f118a5cb3795240c7d62d8acbba70914f29d3e4068f376d794a18b0f8e446fbc6cce2dde8f734adb4369617bacd3297f51d

Download Submit
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
2b7fc8c7e1791e19631cc97d39030ff0

SHA1
46a94ed6cf9d40eaa6555282f6dcbfc71b97ee3d

SHA256
f2b9a3bf197899ed8dac14e143af265e20c3dc9ccba56165512dddc8083db1fa

SHA512
2bf7f6efa4fd9e8637e10ffaacaf825be3c431076cf9695d48319cf847abb521e6dcee30b42dee5087954b44ad8bc9a2aa40ec58cbb3b1d5627f9666348c490c

Download Submit
\Users\Admin\AppData\Local\Temp\SFhelper.dll

Filesize
79KB

MD5
0e8e72d3531cecec1518d1c3929671d6

SHA1
5e7153adfea4cffa64dbbd8caf78f0e50f6733a0

SHA256
8bf396d466b453d594cc7816884351261b5eb5602324a855953b45678bcc7254

SHA512
b4002806ef09c61bc50167e45407660e0564b54732ef70c88b1b8e4f43081ccd3468fa2fb07c7c8c2197bac66fd5ce3e7b42b0aa068f95385c7371b09cd98214

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB211.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\expand.exe

Filesize
253KB

MD5
fa8dff8ebe3d919ebc72ed83c58a2351

SHA1
f98a4f7bd317a4a90790bdff2d13fdb8291c6357

SHA256
33b8c7c3d12e03465f4438e5431b0801dff1cfc8b16534619c009ac4387fc7e6

SHA512
8f5ecc6863b845cfc6ba86026b8771a3a43a923a92f054661e6d10013961d92d833c49626de02a9aa9a6592374c5f8987eba1d9fe747dc9b83d7b4a1419f5cda

Download Submit
memory/2128-164-0x0000000002F90000-0x0000000002FAD000-memory.dmp

Filesize
116KB

Download
memory/2128-166-0x0000000002F90000-0x0000000002FAD000-memory.dmp

Filesize
116KB

Download
memory/2128-147-0x0000000002F90000-0x0000000002FAD000-memory.dmp

Filesize
116KB

Download
memory/2252-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-30-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2252-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-43-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-112-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2360-110-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-109-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-108-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-163-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2548-37-0x0000000000370000-0x000000000038D000-memory.dmp

Filesize
116KB

Download
memory/2548-38-0x0000000000370000-0x000000000038D000-memory.dmp

Filesize
116KB

Download
memory/2548-20-0x0000000000370000-0x000000000038D000-memory.dmp

Filesize
116KB

Download
memory/2804-107-0x0000000000580000-0x000000000059D000-memory.dmp

Filesize
116KB

Download
memory/2804-89-0x0000000000580000-0x000000000059D000-memory.dmp

Filesize
116KB

Download
memory/2804-105-0x0000000000580000-0x000000000059D000-memory.dmp

Filesize
116KB

Download