cerber | 9abffaee18a87032e9db459d1309da167460acdd98dfc4c7fc4c3941f2cbbaf9

Analysis

max time kernel
130s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Size

218KB
MD5

bf244a0d9ac81f0ca62e5b3ddfb7b72c
SHA1

ecbdbcfab600d5cfc2a1ce67bd5a1819ae340a33
SHA256

9abffaee18a87032e9db459d1309da167460acdd98dfc4c7fc4c3941f2cbbaf9
SHA512

d2f5d096b09446cb2c5ea99c33dad75b47e76cc5b0509c6d9d571d89b6f245ef86b3c63e4958d2766ef11f4483fb78af3cba49354912ed7c1f8a5497def44a53
SSDEEP

3072:2ELO8OxPh5XJkC456AhqDpl1nBTVS7R9WsL2VaAsJmzcsxoY9N/M75kDthsQxMWi:2EcNCCBAhqDNu7RhL2oAsUj/DgQxa

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". <hr> If you are reading this message it means the software "Cerber" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li>Please wait...<a class="url" href="http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C" id="url_1" target="_blank">http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://pmenboeqhyrpvomq.dd4xo3.top/67F5-5E77-3351-006D-F89C" target="_blank">http://pmenboeqhyrpvomq.dd4xo3.top/67F5-5E77-3351-006D-F89C</a></li> <li><a href="http://pmenboeqhyrpvomq.vkm4l6.top/67F5-5E77-3351-006D-F89C" target="_blank">http://pmenboeqhyrpvomq.vkm4l6.top/67F5-5E77-3351-006D-F89C</a></li> <li><a href="http://pmenboeqhyrpvomq.y5j7e6.top/67F5-5E77-3351-006D-F89C" target="_blank">http://pmenboeqhyrpvomq.y5j7e6.top/67F5-5E77-3351-006D-F89C</a></li> <li><a href="http://pmenboeqhyrpvomq.onion.to/67F5-5E77-3351-006D-F89C" target="_blank">http://pmenboeqhyrpvomq.onion.to/67F5-5E77-3351-006D-F89C</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is Please wait...<a class="url" href="http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C" id="url_2" target="_blank">http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address Please wait...<a class="url" href="http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C" id="url_3" target="_blank">http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is Please wait...<a class="url" href="http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C" id="url_4" target="_blank">http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://pmenboeqhyrpvomq.onion/67F5-5E77-3351-006D-F89C in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C | | 2. http://pmenboeqhyrpvomq.dd4xo3.top/67F5-5E77-3351-006D-F89C | | 3. http://pmenboeqhyrpvomq.vkm4l6.top/67F5-5E77-3351-006D-F89C | | 4. http://pmenboeqhyrpvomq.y5j7e6.top/67F5-5E77-3351-006D-F89C | | 5. http://pmenboeqhyrpvomq.onion.to/67F5-5E77-3351-006D-F89C |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://pmenboeqhyrpvomq.onion/67F5-5E77-3351-006D-F89C | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://pmenboeqhyrpvomq.wz139z.top/67F5-5E77-3351-006D-F89C

http://pmenboeqhyrpvomq.dd4xo3.top/67F5-5E77-3351-006D-F89C

http://pmenboeqhyrpvomq.vkm4l6.top/67F5-5E77-3351-006D-F89C

http://pmenboeqhyrpvomq.y5j7e6.top/67F5-5E77-3351-006D-F89C

http://pmenboeqhyrpvomq.onion.to/67F5-5E77-3351-006D-F89C

http://pmenboeqhyrpvomq.onion/67F5-5E77-3351-006D-F89C

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1591EC7F-A229-1145-B746-F357D6852359}\\resmon.exe\""	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1591EC7F-A229-1145-B746-F357D6852359}\\resmon.exe\""	resmon.exe

Contacts a large (523) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
1404	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk	resmon.exe

Executes dropped EXE 3 IoCs

pid	Process
576	resmon.exe
3056	resmon.exe
2628	resmon.exe

Loads dropped DLL 6 IoCs

pid	Process
2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
576	resmon.exe
576	resmon.exe
3056	resmon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1591EC7F-A229-1145-B746-F357D6852359}\\resmon.exe\""	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1591EC7F-A229-1145-B746-F357D6852359}\\resmon.exe\""	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1591EC7F-A229-1145-B746-F357D6852359}\\resmon.exe\""	resmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1591EC7F-A229-1145-B746-F357D6852359}\\resmon.exe\""	resmon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	resmon.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp60A7.bmp"	resmon.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 576 set thread context of 3056	576	resmon.exe	37

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url	resmon.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs	resmon.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	resmon.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.txt	resmon.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	resmon.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt	resmon.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	resmon.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.url	resmon.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.html	resmon.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html	resmon.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml	resmon.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.vbs	resmon.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.ini	resmon.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	resmon.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	resmon.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\formulas	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
File opened for modification	C:\Windows\formulas	resmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1404	cmd.exe
276	PING.EXE
1196	cmd.exe
2696	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000193ac-49.dat	nsis_installer_1
behavioral1/files/0x00050000000193ac-49.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
3052	taskkill.exe
2968	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1591EC7F-A229-1145-B746-F357D6852359}\\resmon.exe\""	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop	resmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1591EC7F-A229-1145-B746-F357D6852359}\\resmon.exe\""	resmon.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{30240061-B1B7-11EF-BFBC-7694D31B45CA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035b06c32cee6a341a6be336e6d2c7a820000000002000000000010660000000100002000000046877bd224a963d5c3b24334c32afabc2aedd431829fdb097b49461c0d1ca794000000000e80000000020000200000009bed3f5406db4c1b8ed745da6adf21b498dc14a15b576711ea43946a635a186290000000064d48c646a58806d466417d1b3432c87f0c9d20b35149bd03b37b328f6840027a3c70565d92d14aa164a06aa7aa83e91d0428f10a5ba7e86d99f11d5c8c0b1d20fe0524cd383ea0b16353a957631b3dc9f28ce4163459ef2b10b4ed200840b2f034f9047783356ab29a9c5ebe2b6e9efbf2c51c89070711230adfeb1474e016b0a8dee7f0943d65d8a8ec555181e01b40000000518572198a0367e6fdab7d1d000a2d4bc8d54a1f5a478309641de39775ac2bdeef522b2ff7c630687fb57ffbdf5e08fde666c9058e72e4041aedb9893e8dc757	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439420450"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035b06c32cee6a341a6be336e6d2c7a8200000000020000000000106600000001000020000000b31adec4838375ffc7f13bb1b7342e185b9b452a68fbf1fe33f28aa864f0bb6a000000000e8000000002000020000000a83429a022695dc3b418134bcef120ad9a4542fc98fe5ba269278e37b3c2da8620000000e000e40675b7d29090c14167a3368aee1cb7389d2d7882be043a9532b00e1d784000000015f95150a1aa6862014e36df3eaaf5743c10fa3cbf4de0a3c6dd263d0f465eb7111c5f0b50ca39b6f545fc8c7f2ef06fa19ac04cbf739a5dfa54311ec5697507	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d867f3c345db01	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
276	PING.EXE
2696	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe
3056	resmon.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	3056	resmon.exe
Token: SeDebugPrivilege	2968	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1632	iexplore.exe
1632	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1632	iexplore.exe
1632	iexplore.exe
1632	iexplore.exe
1632	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2744	2784	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	30
PID 2744 wrote to memory of 576	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	31
PID 2744 wrote to memory of 576	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	31
PID 2744 wrote to memory of 576	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	31
PID 2744 wrote to memory of 576	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	31
PID 2744 wrote to memory of 1404	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	32
PID 2744 wrote to memory of 1404	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	32
PID 2744 wrote to memory of 1404	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	32
PID 2744 wrote to memory of 1404	2744	bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe	32
PID 1404 wrote to memory of 3052	1404	cmd.exe	34
PID 1404 wrote to memory of 3052	1404	cmd.exe	34
PID 1404 wrote to memory of 3052	1404	cmd.exe	34
PID 1404 wrote to memory of 3052	1404	cmd.exe	34
PID 1404 wrote to memory of 276	1404	cmd.exe	36
PID 1404 wrote to memory of 276	1404	cmd.exe	36
PID 1404 wrote to memory of 276	1404	cmd.exe	36
PID 1404 wrote to memory of 276	1404	cmd.exe	36
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 576 wrote to memory of 3056	576	resmon.exe	37
PID 2408 wrote to memory of 2628	2408	taskeng.exe	41
PID 2408 wrote to memory of 2628	2408	taskeng.exe	41
PID 2408 wrote to memory of 2628	2408	taskeng.exe	41
PID 2408 wrote to memory of 2628	2408	taskeng.exe	41
PID 3056 wrote to memory of 1632	3056	resmon.exe	42
PID 3056 wrote to memory of 1632	3056	resmon.exe	42
PID 3056 wrote to memory of 1632	3056	resmon.exe	42
PID 3056 wrote to memory of 1632	3056	resmon.exe	42
PID 3056 wrote to memory of 2288	3056	resmon.exe	43
PID 3056 wrote to memory of 2288	3056	resmon.exe	43
PID 3056 wrote to memory of 2288	3056	resmon.exe	43
PID 3056 wrote to memory of 2288	3056	resmon.exe	43
PID 1632 wrote to memory of 2884	1632	iexplore.exe	44
PID 1632 wrote to memory of 2884	1632	iexplore.exe	44
PID 1632 wrote to memory of 2884	1632	iexplore.exe	44
PID 1632 wrote to memory of 2884	1632	iexplore.exe	44
PID 3056 wrote to memory of 2856	3056	resmon.exe	45
PID 3056 wrote to memory of 2856	3056	resmon.exe	45
PID 3056 wrote to memory of 2856	3056	resmon.exe	45
PID 3056 wrote to memory of 2856	3056	resmon.exe	45
PID 3056 wrote to memory of 1196	3056	resmon.exe	47
PID 3056 wrote to memory of 1196	3056	resmon.exe	47
PID 3056 wrote to memory of 1196	3056	resmon.exe	47
PID 3056 wrote to memory of 1196	3056	resmon.exe	47
PID 1196 wrote to memory of 2968	1196	cmd.exe	49
PID 1196 wrote to memory of 2968	1196	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Roaming\{1591EC7F-A229-1145-B746-F357D6852359}\resmon.exe
    "C:\Users\Admin\AppData\Roaming\{1591EC7F-A229-1145-B746-F357D6852359}\resmon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Roaming\{1591EC7F-A229-1145-B746-F357D6852359}\resmon.exe
      "C:\Users\Admin\AppData\Roaming\{1591EC7F-A229-1145-B746-F357D6852359}\resmon.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2884
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:2288
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:2856
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "resmon.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{1591EC7F-A229-1145-B746-F357D6852359}\resmon.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "resmon.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "bf244a0d9ac81f0ca62e5b3ddfb7b72c_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:276

C:\Windows\system32\taskeng.exe
taskeng.exe {5BB2E5C7-6098-47D6-8EDC-752BFA51E504} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\{1591EC7F-A229-1145-B746-F357D6852359}\resmon.exe
  C:\Users\Admin\AppData\Roaming\{1591EC7F-A229-1145-B746-F357D6852359}\resmon.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c51241fbe9a04243a871b0e631f5391c

SHA1
a6192c48339587bb135f589f174bc5593937d49e

SHA256
b8294dae7500e21bfe8e5b3a8ac0565cb01329e7f95bd0376cd475cd96576d13

SHA512
6ddd7842fed84305648cd7e5d93775a9e3693d1c541ec133448907ad3c82e76c9a10fb0b6f4181d7722e62db87637914f2f2ab949a867bff698651331de06004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b38b88b47ec9f6b1da78421020d7e338

SHA1
4d8ca51100303abf5cc21de99d74c1fe6744c54b

SHA256
1bc24acd4ff287bfcd0ea107b4af8cae9e13367574f57de913772de50cbd0973

SHA512
714da8243f3653852821527066d3d1348fd22d0c8f9ab98902a60133fe221764a0ff5074798fbe77f15ae6853f82def376f58645236448f192735128e4b25079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d081644dda0a30933533b60f688a3fb

SHA1
cc94705abf4494053255be5620d1319ed83abfcb

SHA256
4ed9ae6fdd68d149321266e80f2bfdc982933be41aef96ee2a41b99172c0f522

SHA512
4f3e0fe6e8a6beb557fe448fc25cc09229c61096b8f37f22237bf1ce49111f3ed9640d31c6215d926c3cff45e67ee0ffc5d1d91d25e15fe4a08140e3f3bb610f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02ef5eb428bfd13535e0e4b5442b49f

SHA1
9deb95b05e8fae58282fcace82b10eef8ab6faf7

SHA256
be367abdeaa8a17578210146528ca897a024480c588b6ce1ee0fb8e89f0696d0

SHA512
31b93497f2932fb2da0d2c77e951dfdcea856e9a50424c35a2be6a8b27d3a1e5d78dba6defcd211ecd5b747990724ddf1419125ddaa6457079b2f09349ac8ea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04b97fd562fb992f2765ccfbd095c7f2

SHA1
ffdff21cae112053b164c9c94d83709611efc42d

SHA256
a26098154e8dae9f5bfecdae607aa3282ce7f4b4b03e073671e6ca39e34fbf84

SHA512
e37fce113df9fd6d9366b2a72b91c03c7f7e13bbe7fd96df5fbf38b4ed0b12e7dc2885c97f4bb539b5030d6566fa3fe0b262bbc8526d1542fa6306561d446edf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc49f5d6112ede71137069e5a6a2dcc7

SHA1
7876af511debff21ce9ba3b7b3e70246dbc0f908

SHA256
80058f39482a9aaf10a4f770fdef24181f316661c1dea7a22f596f04b4cd5c92

SHA512
d0b68da5bb86f391f4e0f5905778d8f285b91f552b6dfe20b40bf33357a60744455a9762b2b4531dd1279820ff0d6b3dcf78e363603637d239a77aa6318b1c86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a067640bcd4cbd1c0a46d8dc14c1a44f

SHA1
68b09a671bb05ec46eda51653966a0e00129132c

SHA256
0337212d50d8e623dd555dee33b49d5d8b3efc5928f49f77fca356b17fa9a284

SHA512
6303b676f5bf3d393d78cbad1656a12992938391ebe2a9d19beaff216c620b2c361a66e8fe0c0ec6226ed13980f11aee95b14db6c4c3e94e13cf446f2f6448ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c095babc0d314cee05e9233b0d7a558c

SHA1
dd9be0acc85ba4b63bce7c4f7d69e4b2b466f270

SHA256
bf88688c567d02949c8b472879711629ffbae7ad1a1923e75578f694634fb117

SHA512
806dbc790f22ea9444152a1f63f69649928b9884d269b008cdd43edcbc70495394a99a06cae05c003d1afb488b108da7cabea33c95cfa531602404ed1a7e5127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99cbc9f9af951792ca5b2e1ad00113a6

SHA1
603ed0481436143a958f87efd3ff19cfd2f6d9b5

SHA256
7eebd2683512ef8f1839e8112193e6a4bae42adb44b20f8203d4e2104401b110

SHA512
8c431c34a9871838fcef773d335261f60377b211dc4f1d210bbfb6b366415504876cac90d610b28da9e77b78658c40e00a5a3a43b6556732fd2569dcf1ae4751

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e9f227d6f16e3f729d37e7b6481b9e3

SHA1
57a613aa572375826df641330dc4775d60785ec5

SHA256
3ac87aff7c09f83378497a3b6862fc89043437d225693b0ce8cb147304b8d09d

SHA512
b3d65b3093cb477b4c4433a9de0c22f20c70fcf42cb50dd765642588677f741eb60878f15a274aaf08c1cbd123fbc5cc10d979fc14eed35eb03409745b7cfc3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66b1667505d862f6206145b378aa9402

SHA1
ac41d2994561ec5250b0563776812a851c1d8b35

SHA256
ff799997cd1b62a77f5a5e5b4f958291f692ef0c10b684fedce8af66f5ff2b64

SHA512
5940fee625723ca144ff9192610d1de4fc568d3e4135343a27c41941d96d4d3ef2bf51ed5eece6d99acbb1b670d4ddfafbed32d332d8a894e160d51e5e13dbcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
45a64faa42b447b0ee9338b8d00ad4e6

SHA1
7b143e0c33137792af69e06c39dd27a5904a76a0

SHA256
f5c8f9b8e866489a7c065d19a566b6467ec4ffe7d51ea9b1d930209e5f1c9588

SHA512
dbeab4c0f2522beffd91d8fdf6e5b655e34d7ba0443536631a008a5336b15491295348f70e74fa380a2f1fdd39feb577c77b2ff31b8915f45eeea85a78eb37de

Download Submit
C:\Users\Admin\AppData\Local\Temp\16_9-frame-image-inset.png

Filesize
3KB

MD5
d0b27d901155b40f518d158f5e491028

SHA1
93a71de9454d0e94edad1bf7c3c7659c2cf99c45

SHA256
fef5272cc87850a7e422d6bc5be7986fec6aad06f57746a728d58b7de6dde0f7

SHA512
7b4a732ff48df05c895e07245b1370f1dc530af45f592aa60224bb9c17bf0a7066449cfb2c8f0c93d00ee61f34e8da3663f7f60585846d795cb329015f4b4b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\405.htm

Filesize
1KB

MD5
1c7d2b2fddd34b82883053f74613a7f1

SHA1
5ded4a3340c5baa2f7875a09234200662a5fb6c5

SHA256
f42aa8b08eac61b29a5cddc51819a28a692b69480948f7d003485c0dbddedd8b

SHA512
2d54662a2a3f852d88e27232a93e5807bfa84be55460f4d9c9d2082d22e7818a337d75edb3fcdbf2fd5e6e34721722df16ada243576ace9598701a51797f50db

Download Submit
C:\Users\Admin\AppData\Local\Temp\4to3Squareframe_VideoInset.png

Filesize
3KB

MD5
1e75354ac7277ac7d729e9d934b3fdf9

SHA1
05ec2efcebd31cff1c77d9896c94c11a4722ae32

SHA256
b6c74c438f6cff931161a5ab8b0757ed185ad6c02033deac6503c9381414cac6

SHA512
e6db1edd746250f9c12c63785c4139bcfa29ec4de4cf10e9532588584f4532b6a990f3304306dc888ec6a24f04b94c7f42f615d580bb08e9db395c7244bd065c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab62B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambridge_Bay

Filesize
1KB

MD5
89de3d027493b9dbe3298a06fef9a89d

SHA1
3d8ac130c5dab1becabb0a17cae55c9aa42e50cd

SHA256
4d1380365eaceb6082c783f733af0ec9fd99e947c1c08c84fa6ff1d370b551ea

SHA512
d7699a070cc465d5d960bd3d712fe72f68b24bd6e6bca6e67b5a17fa9581bb0cb02d10bfca2c32949ef86c3156c08e8bacdb33f1bcf4b5b188f149fc52870829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Christmas

Filesize
27B

MD5
02bc5aaee85e8b96af646d479bb3307c

SHA1
1bf41be125fe8058d5999555add1ea2a83505e72

SHA256
e8d8d94f0a94768716701faa977a4d0d6ef93603de925078822f5c7a89cc8fca

SHA512
e01d82ac33729e7ee14516f5d9ff753559f73143c7aa8a25ed4cc65b59dc364b1a020bc28427f8ec43fec8ef139cf30b09e492d77f15d7b09ae83240cdf8bc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dawson

Filesize
1KB

MD5
0b8717be9826ff70ed75c74131f1a776

SHA1
471eb762c3dafc031ac6a790c7e9201a4f644d60

SHA256
0759787339284a189592ad2a6b8aea00b7c3cf37354ffea6bd9979348d14387b

SHA512
710ebe69e5fef8e57903b588ec453daf6507072f2b539e14c7eb284de96092b573cd2d9e4701ed4cf9773ad6bea77de5fa26cd402d74f54f0ce6733924e4f4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIF 32 Dithered.irs

Filesize
1KB

MD5
ad7857a8abf9bde686b7507079b9bc75

SHA1
c9ad654502127f32cc9658d9b17b9b84a45c3e4a

SHA256
622ae0e9a6c1012b7aef688cf4b9a57a3659066e23081f67b2565ddd9d55e170

SHA512
5ebf99464292a5a94d610ba04cdfcd53b4fa39b05715948e14a876cd58a83f42759ea0ccb6aa72f75459fcd9199aa988ab5793847b9d7cb4118b059ba8bb7f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InulinWaistcloth.g

Filesize
3KB

MD5
49b34ea2cbae50de619d8128e6fa3b2c

SHA1
35e02fa92a71c32153f9907b72ec9a38833f6cec

SHA256
e6e3a86896d639a24240ef4ebd68228567e28b7f8c382d2680d698d2e2ffe3e6

SHA512
2468f066f6356a8eaa790a31407eabb68e420b047d9153562c28386f13f3768ba767dcbd5b47c5dc9e25c6e8c3c800c84ecf56704a9a58243923535009c92122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Piddle.azc

Filesize
148KB

MD5
3e45eef93b3cb1119e3510dc9b5719c8

SHA1
adf13f7d221ee3e0f6f443b01bcde4a10b54e33d

SHA256
b68684a53123fa290b5ea29fbdc4eabb930a3f179a690554366d3ad63a3cdf8b

SHA512
7fe8d4fdd541333c8b6720e8d3902f59a181606d87bcb38c6ae79d3af3e8c92f227fc7f6078c897018921868ece16ba34b521904cfc75d7bdf83132a5f80b665

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62BB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\alerts.xsd

Filesize
1KB

MD5
275c7bebd1f409bfaa98227f7787d3b3

SHA1
73edaeb7a5de0b98b922414191d69ea6617edcac

SHA256
51e2e5877b9e355118cc27ad284db0bd6fce616a78e64e9d905cf836277376b7

SHA512
3fcbfefa952b0f122fa6798f471805c13643a11fe060bcb8c22ec13ea7d0571717e0177073cdb3c4d43fc755cc476036b7bf0426f621515975c709a503d8433a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avalon-framework.NOTICE.TXT

Filesize
622B

MD5
141edc03b0f0c08bf8847a4d20a2d140

SHA1
8fb3d2fdebb7f5cf86e7d33b22b676f37a6a34eb

SHA256
c19de564c3d24b412a55e8d39cc4aaf4b226ad1d87e41f1dd676e82e6ad2f56a

SHA512
15ddc9e4cc13121c3687494753ce2a3341bfd1c9263150c32620000ca2a1839529f9c497f75c41783e647e49229eb518b382b3ac229cc08c134395b06614d1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\blue 286 bl 2.ADO

Filesize
524B

MD5
a4c0299e39c677afd7a7517d2980bf15

SHA1
8748961f6bda83bec226430bf60589d6b2344211

SHA256
5b2da553b3587b710311b4b6318464456cbb2cdfd1c8bd7a831b3bb36aa8ca23

SHA512
1e0491cbb298f18b192e96d23fd629739ea48de85ee1b7ed3a7e96a3a645d1ca8471580b6bb0545f10d0edc845612d002920071870bf69a7c90ed9705f8f52d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chunkfast.xsl

Filesize
2KB

MD5
4b3b2473db1fd9f3f04044bb47d000ca

SHA1
a52a3fd19e5a1b72f9285ce4d0451650507a5dea

SHA256
d116d6e0ef1c1b5cb1512e2de16fb266e86960f636e4a608147d214fd2055a76

SHA512
2e110bc9822145b8347fe656b8021d985840a9a44c7659e9524059c94f3617c444900c248a263940f11b32ff82d3efcaa9a400e64d34303055ed9db63aaf3b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\color_mgmt.png

Filesize
4KB

MD5
4039f96ce68791185b4bd6c6836791ac

SHA1
bce49bc0c17ba5c461e77f840b4f7c66f7203202

SHA256
b764c6ade27c74321310e38e47f72d79827ee2ce99d41f3f5b8e2711906f8a70

SHA512
6f6feb92364ff863fa63750f0a0123934a0f7417aaf5a38485642b278b9ad2564520ca8ce4b62c6b794aa0f792dda95b0c99f9a793952ebd445f74d6714e1ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\getOpenDocumentIDs.jsx

Filesize
175B

MD5
a6b21e84cfffda8936b29e7c9a99be33

SHA1
52c8d102768228cf95165ce94482efe077250693

SHA256
16aebcb843ceb74d45a814c633c1f2fc2577bc8ab485da16d20700efca8b80b7

SHA512
f049f65179fd715123f193f18c201ee23b05589dc16f9c08d4d04b4deabde2b01fb63cb905e09ed3bae6ce17ef290b26d19b66fb3a724399f450b0ba8d2ca4af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.html

Filesize
19KB

MD5
cbdb0d25b29793e35bb88b068c67fecd

SHA1
794019ec634a87e36343ab59547985860f3183e7

SHA256
4807745b62acfb0b5794abaa625817fac5d42cf2f605b16b7930426fc18dba62

SHA512
723573f68d3eb118088001f57100fa7c6d9be9f3e4ce8c5e150f60880612b72c7daaaef3cd4ca2110b468366c982ff07c515333393c8667791ed4ed218ae21b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
fc48c8538bb6cdbf791a0bf7bfeeabdf

SHA1
501aca8e180252ecad7fdebdd8aea45e2b40ccc7

SHA256
44c55d2632f9392955dc542bcd94899ea9c123f5d2d489ddec3e1b32c0b7d080

SHA512
c88155fce49841ee190df6f42efa022706d5d09a0eb2593c770aeece5f01a03fb1f4d96e25f8a7d812dc7bd24c784fd77975f8b475b07650fd9915e881aad837

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.url

Filesize
90B

MD5
aad366f3e996ad390271e3c686fd685e

SHA1
f61737c14497f3410f4f900d57e688c2bf0feabd

SHA256
3992d91fb1a84ca5645026326c6f140d2b0b0192ed48ee2f6cba56b4065dfabe

SHA512
3a24c85f2f2c4b643bbc99692d37e48844d77f08d5c044fb757625471db22c61bd61efa9c68a9babfaaa80703a1565714e124d5f63cdf9135f7c72227dc1208e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.vbs

Filesize
213B

MD5
1c2a24505278e661eca32666d4311ce5

SHA1
d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee

SHA256
3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628

SHA512
ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk

Filesize
1KB

MD5
6fccf03434ad9dfd871bf3a92b63411f

SHA1
ac857c4d1b399377a6052d553e712c9b5037d34d

SHA256
8afc331f2931b8f5a46262f509b56dcba1a91ebf68553c5c6cdde8730712a119

SHA512
d47129bd7307f663952e450892453d8728efc4c7e97ea98b9304c773f49b5a8d0e4bec03c165912879d2f383271a602c788e714387abe17e988e6e59859713ce

Download Submit
\Users\Admin\AppData\Local\Temp\SetCursor.dll

Filesize
13KB

MD5
eca26c61607b5b8f511f73a2c820de3d

SHA1
cfd03bc71cb462edb70a476c956ba8a9a9a44ea5

SHA256
ba57adfeaf6cbe5db7e19b428552900b083e3cbf19f0d1d30f5c35c9e01f51ea

SHA512
b9a065b75e5f8d81de2c2bc3333ab775450c13b7ec16ed7f17c3963e969b35a4cd4a71533ba7058e2f3398136727a1cb90c1e76a3d489379299d9c89278567fc

Download Submit
\Users\Admin\AppData\Local\Temp\nso6E2F.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\{1591EC7F-A229-1145-B746-F357D6852359}\resmon.exe

Filesize
218KB

MD5
bf244a0d9ac81f0ca62e5b3ddfb7b72c

SHA1
ecbdbcfab600d5cfc2a1ce67bd5a1819ae340a33

SHA256
9abffaee18a87032e9db459d1309da167460acdd98dfc4c7fc4c3941f2cbbaf9

SHA512
d2f5d096b09446cb2c5ea99c33dad75b47e76cc5b0509c6d9d571d89b6f245ef86b3c63e4958d2766ef11f4483fb78af3cba49354912ed7c1f8a5497def44a53

Download Submit
memory/2744-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-30-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-43-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-45-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2744-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-116-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-552-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-528-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-531-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-534-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-537-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-126-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-125-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-124-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-122-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-121-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-117-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download