cerber | 27774522cc4848729069300e39654e834e34809f42821d0194ae1f81a412e52d

Analysis

max time kernel
137s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
Size

189KB
MD5

fef9344ab43ca53984e45b9de42b07c1
SHA1

b816b11ebebcefb845a5ce52bef81d4ab6977174
SHA256

27774522cc4848729069300e39654e834e34809f42821d0194ae1f81a412e52d
SHA512

ca804be21964c00c6f1e6b6194a1db5515fba86d23ff3b38afc142140e4199d76bfae1e3f420a07f014082026df9532a3864a8b7bade636cad05984229c212d8
SSDEEP

3072:o/xkurCTnSOfXJv451a6ahso77pRoh8ottNZOUaWK1vbcHPjjPmxrJTLftFc5zEv:o/uTZFua6af77e7Z69lbxrJXKgaTJO5

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E" target="_blank">http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E</a></li> <li><a href="http://52uo5k3t73ypjije.hlu8yz.top/01D9-9A97-41C8-006D-FA1E" target="_blank">http://52uo5k3t73ypjije.hlu8yz.top/01D9-9A97-41C8-006D-FA1E</a></li> <li><a href="http://52uo5k3t73ypjije.thyx30.top/01D9-9A97-41C8-006D-FA1E" target="_blank">http://52uo5k3t73ypjije.thyx30.top/01D9-9A97-41C8-006D-FA1E</a></li> <li><a href="http://52uo5k3t73ypjije.h079j8.top/01D9-9A97-41C8-006D-FA1E" target="_blank">http://52uo5k3t73ypjije.h079j8.top/01D9-9A97-41C8-006D-FA1E</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/01D9-9A97-41C8-006D-FA1E" target="_blank">http://52uo5k3t73ypjije.onion.to/01D9-9A97-41C8-006D-FA1E</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E" target="_blank">http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E" target="_blank">http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E" target="_blank">http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://52uo5k3t73ypjije.onion/01D9-9A97-41C8-006D-FA1E in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community #Cerber+Rans0mware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E | | 2. http://52uo5k3t73ypjije.hlu8yz.top/01D9-9A97-41C8-006D-FA1E | | 3. http://52uo5k3t73ypjije.thyx30.top/01D9-9A97-41C8-006D-FA1E | | 4. http://52uo5k3t73ypjije.h079j8.top/01D9-9A97-41C8-006D-FA1E | | 5. http://52uo5k3t73ypjije.onion.to/01D9-9A97-41C8-006D-FA1E |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/01D9-9A97-41C8-006D-FA1E | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://52uo5k3t73ypjije.b7mciu.top/01D9-9A97-41C8-006D-FA1E

http://52uo5k3t73ypjije.hlu8yz.top/01D9-9A97-41C8-006D-FA1E

http://52uo5k3t73ypjije.thyx30.top/01D9-9A97-41C8-006D-FA1E

http://52uo5k3t73ypjije.h079j8.top/01D9-9A97-41C8-006D-FA1E

http://52uo5k3t73ypjije.onion.to/01D9-9A97-41C8-006D-FA1E

http://52uo5k3t73ypjije.onion/01D9-9A97-41C8-006D-FA1E

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\rasdial.exe\""	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\rasdial.exe\""	rasdial.exe

Contacts a large (518) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rasdial.lnk	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rasdial.lnk	rasdial.exe

Executes dropped EXE 4 IoCs

pid	Process
2516	rasdial.exe
1236	rasdial.exe
1556	rasdial.exe
984	rasdial.exe

Loads dropped DLL 8 IoCs

pid	Process
2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
2516	rasdial.exe
2516	rasdial.exe
1556	rasdial.exe
1556	rasdial.exe
1236	rasdial.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\rasdial = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\rasdial.exe\""	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rasdial = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\rasdial.exe\""	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\rasdial = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\rasdial.exe\""	rasdial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rasdial = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\rasdial.exe\""	rasdial.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rasdial.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8A07.bmp"	rasdial.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2516 set thread context of 1236	2516	rasdial.exe	35
PID 1556 set thread context of 984	1556	rasdial.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rasdial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rasdial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rasdial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3024	PING.EXE
2544	cmd.exe
804	PING.EXE
1584	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019277-52.dat	nsis_installer_1
behavioral1/files/0x0005000000019277-52.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
2560	taskkill.exe
2848	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop	rasdial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\rasdial.exe\""	rasdial.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{24904338-379E-53D6-B3B4-47BAA50F43E4}\\rasdial.exe\""	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004b934737864b364494d2d1b5fdb024250000000002000000000010660000000100002000000052639bfd0115afc652fb7ef71f9df9b03b60d29958da116068ed8bce0bb4c0f2000000000e8000000002000020000000275a526f7e86f610ac25f339ac0796ebe246b75d58e8ce784e7192c071cdab759000000052ea40c38b776ab47ff04350c0dc25073f4f10924eca4aabbf76f945f6e8044e7507cabd1c86408fe313dccc7908a88002d5539cae57c8c98c5f6a72553a320f2b7a30862b17ed82acb37bbe836205b2462efc6bea641c100493661565997cd5786c3583a5da1ccf988b9ff0e8222c1fd6ed79683a20e0e38f6466c5562abcf683e0abbf5bfe1f54e985d5acf50a685540000000e1bbc927466c1232ff539202782793800fe77bc2866f74aef539ef1b7893e74f3ad36e946e56eb240e529b0eba218b005636475ad2514f33df41b6d0fc689124	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e52d71e751db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE422791-BDDA-11EF-B895-D686196AC2C0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004b934737864b364494d2d1b5fdb0242500000000020000000000106600000001000020000000dd08f625ac29a49c32ac723998cc525fe9e4598e3ba299b0e829023798a4bcac000000000e8000000002000020000000621fe660dcada12897b2616f456cde134dec9fafcd92c6b7ab1dfa2e619ae61d20000000ce97d61a4816e4c7249adbbdcdca8be1204ae2fb95a0cdbd7f877cafff150e494000000068a53ba7a93e47be9145ac37d2d980b3e7645d8ec412642adfe20e09015a483de2ac5f1a527c3f9e50114340f8c71af1167b7fc2ccce79b8603800a30d8b4b9e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE506FD1-BDDA-11EF-B895-D686196AC2C0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440755107"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
804	PING.EXE
3024	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe
1236	rasdial.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	1236	rasdial.exe
Token: SeDebugPrivilege	984	rasdial.exe
Token: SeDebugPrivilege	2848	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2556	iexplore.exe
2556	iexplore.exe
1980	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2556	iexplore.exe
2556	iexplore.exe
2556	iexplore.exe
2556	iexplore.exe
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
1272	IEXPLORE.EXE
1272	IEXPLORE.EXE
264	IEXPLORE.EXE
264	IEXPLORE.EXE
1272	IEXPLORE.EXE
1272	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2636	2320	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	28
PID 2636 wrote to memory of 2516	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2516	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2516	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2516	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	29
PID 2636 wrote to memory of 2544	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2544	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2544	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2544	2636	fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2560	2544	cmd.exe	32
PID 2544 wrote to memory of 2560	2544	cmd.exe	32
PID 2544 wrote to memory of 2560	2544	cmd.exe	32
PID 2544 wrote to memory of 2560	2544	cmd.exe	32
PID 2544 wrote to memory of 804	2544	cmd.exe	34
PID 2544 wrote to memory of 804	2544	cmd.exe	34
PID 2544 wrote to memory of 804	2544	cmd.exe	34
PID 2544 wrote to memory of 804	2544	cmd.exe	34
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 2516 wrote to memory of 1236	2516	rasdial.exe	35
PID 1324 wrote to memory of 1556	1324	taskeng.exe	40
PID 1324 wrote to memory of 1556	1324	taskeng.exe	40
PID 1324 wrote to memory of 1556	1324	taskeng.exe	40
PID 1324 wrote to memory of 1556	1324	taskeng.exe	40
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1556 wrote to memory of 984	1556	rasdial.exe	41
PID 1236 wrote to memory of 2556	1236	rasdial.exe	43
PID 1236 wrote to memory of 2556	1236	rasdial.exe	43
PID 1236 wrote to memory of 2556	1236	rasdial.exe	43
PID 1236 wrote to memory of 2556	1236	rasdial.exe	43
PID 1236 wrote to memory of 1944	1236	rasdial.exe	44
PID 1236 wrote to memory of 1944	1236	rasdial.exe	44
PID 1236 wrote to memory of 1944	1236	rasdial.exe	44
PID 1236 wrote to memory of 1944	1236	rasdial.exe	44
PID 2556 wrote to memory of 1156	2556	iexplore.exe	46
PID 2556 wrote to memory of 1156	2556	iexplore.exe	46
PID 2556 wrote to memory of 1156	2556	iexplore.exe	46
PID 2556 wrote to memory of 1156	2556	iexplore.exe	46
PID 1980 wrote to memory of 264	1980	iexplore.exe	47
PID 1980 wrote to memory of 264	1980	iexplore.exe	47

C:\Users\Admin\AppData\Local\Temp\fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe
    "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe
      "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1156
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:537601 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1272
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:1944
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:1144
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "rasdial.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1584
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "rasdial.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe" > NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "fef9344ab43ca53984e45b9de42b07c1_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2560
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:804

C:\Windows\system32\taskeng.exe
taskeng.exe {7039787E-E38A-44D9-AFE1-BE097DCB8841} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe
  C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe
    C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
d62142318c4e6df23b6f2a7e0fdbc89c

SHA1
2bed63a311e0086079e924bfcf9c534edeee001f

SHA256
a5747fa5e154f06ecd1bcb26325051da5ce902e82791a8a1cfd3f1144a22c4e3

SHA512
ff400738c13b61cc6b4b3e4da57d90830ce08d663b3be994b9684acbb297ca8d9f1a2a61a8ec2dbfd236eedf640baa236684a640b80db71b577c604fe51b18d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75273ed518099f2cb55b53b09cc13189

SHA1
10ff7d333809ef026cc8fb0cd8cfc3cc06ab8117

SHA256
d76f3a4e6ff37d141b41aeed5ce06c3bcd883ddc479037440b72755a8fb2e871

SHA512
6e3dfb1526eddbe2e0735d991f1d3c01c4e3501832a5e258d2a8efd7076403b2396887bdd40782bf0b864a8a50be7651d169ad33bdfe9e863ddc6d09670046c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b50040aa107f9bbf4201a964295794da

SHA1
431be8947e6004fb8417c557353a346834f2c1b7

SHA256
dde280aad56b5164d6d8f453486fd80fd1cbd5829afab006cc2549b00ef71470

SHA512
4185b3e14b9a75a9c48b0dc2d3dd868803ae61d1cbe956a6cf4ba81c2f918fccf0063b07513a08c2e51019428af33e7cd55720874eadcb1ae5d8ab764a37620c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b464c743107d3deb287d158641c765c5

SHA1
693d457eb1bffc823b29d206523a40626e91853a

SHA256
e7e2d1e53dc72580cadbd8621fa126bc21adcb5526a22d5fcd6af546abf1a128

SHA512
d5a293a96f3740081db25e05cbfead4c67363d5f9c67ff13000f1c3a96f0fe431e02e4d7d170898bc92c26683839a3e96ed8276f60706abdbe2ea18af221fa8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1711624c7b2eadbbf11ec02727e60821

SHA1
b2fa09c2b17da1bb86ad8a8b871dda431880b804

SHA256
325e35de46b3c29f5a6cae4dc4d2d014865673ffdf377092dcf5ec92506c8fe3

SHA512
a55ea22e0f886603590c06e65a91c4fffcff353ea7c772a9dc6077eec6a013f79d056a7377358e3c2c941e37e94e8a248007199ef53220136785e631e3b20146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45e9fb030889265e5e688cbb861b3ea5

SHA1
516d9de12db0ea917e62704dbcd6975c7a65c438

SHA256
a2ee9c004ad2adda8f2f8fba4e22d5994797363fd81fc4c41a1b074d874269b1

SHA512
a793f3a8298932062c7a262db63682926c6f3c5ab9449964fb9502df01536a0c6dc8c5fdfc9a52dc5eb8f91e552ebdc0c0ea67b28e1ccdcdedd93cbdb00e9b27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba9fd2e4b83eed206d72e8e5d7cb46df

SHA1
89d4b4bb56d55e0e4701bc45be163641c76673f8

SHA256
ea38c026b62c75ae9a226a2449cade58904559b185a5603f2b64e20370722940

SHA512
95b84bcbfadf531c2363468d2da7955897fc5559b0f5796937110ff51dd1e90e737a630e47832c0cb16d17c9990ce42e015aee785a419f68d77eb0e26d1bb092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17576d6d9fab071c88d73e654d55e8a7

SHA1
5ffc3d2d61ec2be2cef2d69436ee031e1627e73f

SHA256
f72a08dc49a87ece917ae6925a32efe46dbd8d3f6d5daa3c3c15d111b2c062bb

SHA512
b0f91bd5527291d3a4219af0d8702e1d0c638cfec5b971c0e8cfd8869d16608d5fa4523bca5c5450b334a466846ec00fc4b19c6111d3d2e2ff434721f24a1606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6f4702cf1c7f6006ec032f1c5d84577

SHA1
c9abbc36f844da60b7eb9980951b065fa27f4b0c

SHA256
63af173b5ee579490b34565e76b5e3495d7910e58d99cf90e8eff4af476fd472

SHA512
21dd5a5cd76341f8e4a2c87deaa13186b9a0dfa6ebf705345b12a712c49fa8fa734a95ebdc9ff329f911d84194c173265502360592c971f2f6d10a3b92ae491a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ec1c24dac5d5cf9c7e44e0dfefd5e86

SHA1
080b850143b97706dd55776269e6591d80fbfb9c

SHA256
c57cdb599acd56a93524b4f801db70ffa148a1f0bf683682aceaba5c0496c0ae

SHA512
362bcda37e21de723bf3a458830767d60b41ebd60a20c2e2041b9b5d744e2208704e9d8275101e9bd00e743fd00063da5d189ef17a430e630c3f73afb6f462ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ac2aa7fa9c8e9762be6af4ab69b8a28

SHA1
9ed3c3cf45ae7f45a8d82ef9c1d6829b69826963

SHA256
e9776d9baacf1d8d80fc75ceb232422cc4d602a7dbd6e03cc794be92317efff4

SHA512
25bc774dc88b998f72dcf76adb6ef1745360797d338459b549be64bb1d22a162dda2134bc69a78baa2379847d1e724c5a9e0719fc21388ee89ab19242a56237d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f6cc06d460b339b36ef8048e96944e1

SHA1
469327c5834c289934113b3aa9c5f7fc8aac683d

SHA256
1b4435de2020f9b0ab37d5fff13d20c958c03995afb9ad999c2555f87beedbd4

SHA512
541218cc220525dd84ea007063cc839291f41ed6d45ac5665e910cb205789011ff3537d9f3966d02ce4f334697dd9a3e835f9df9d7a9c0a6fcb2ec104758b3b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57eac50584b65cfc9426750148e6ba74

SHA1
c3bd564ccd6e9e1b7f260ff93bd35c52346b0f80

SHA256
0532ac2f25afaf2e6331086c217868262e72439af49d3e4b459ed29b11788578

SHA512
f03b0e1aebe5cbe23881920b4996ae46ff1936b3dc065ac88de5f4d0e2a09da515344d706f1ba619037ea198a49bc9bf488e02730f9c5ea0d0a41ffd2f8cd7d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88082c8d1637ad58356b0dfc9f9553d6

SHA1
2f78a5ca2e4c0292b74e9889cb3ecb31b666f8ae

SHA256
8ace3666548aab82fd9da372a0a7d7a16f30801c176de5e1f4923ffb468891e8

SHA512
d5934ac6037fdb9220e5fc8e219cf0f69ba4c73c4539fc4039d9fc46c40bef3929d82228038f87e64adc00b23637ecb474dd655e790f4a8d4176151306646a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17f536d43a9d68b447d45ea4afed2e76

SHA1
eb50d5d61ae2ebfeb5d702e5460110b8f128f1a2

SHA256
c34664819ae84718248a75c83c5f6cab6b2ca3466d96fbb8e044b2db7533a778

SHA512
cb1e5b1e7cc83e2b539743a0425a123108f562704f1def8d889767731c2ea55a6282a992184676cb976465d0f6dcebdd0b9ab874a7e3620c40accbb3a30e6f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d292bc6b7e582a79104e6a34fc136eca

SHA1
e5d09d1626bf4c6527080df981e24cf367d43274

SHA256
cd03d2af7905b346565576deb8fc097b6736d14c8ab75cfc6e0f90bff4f80f1d

SHA512
83024fae02ab338c8398d1f520a177d2250697611263a62b7f0db66d19ada48f1658f12fad602038a6675a7991db9620fa2930dde6dd0686962a23428fdad51f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fb48ff2722c923cd570719d996afdbc

SHA1
9cbf9aec7be4a5f394859d0e1d1b5c2e78a1e0cd

SHA256
9811679856ad1823349a696f9b33252417fc8da79683d52f90214b35593535f8

SHA512
04740bbfd573db0d812b6cee536286285aa43076a682cb15da32dfb8fafb6f859aaef6aa40a571b04ab7a5449ff0955da40cb29c57128422c67b04f5111d4c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03bdb0a778dea023ea5413efa982fd2a

SHA1
8c9469ec8431ae824dfb2fd50035398110bf2899

SHA256
32a05d1aac6b1ae5578f71bcb760c69a21c444bbddcc922a51d63ce270bccdfe

SHA512
0a757f1a79e229d1516c0a727322b4d38f52c4b5e93a15bdeac1657105bccd2289e28c2d659c05b74046ddb1dd49ef4efbedbcf8ca8eb66dd3ad53bbf17a796e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e14ad201471d088d0d878dd6dfad518

SHA1
b90984193afcdb88c5559ab0d67a4adf28c33a65

SHA256
40bcb1108fb704fb16d4b3681bb2fdac7a9a56c0a7210905f16582955804b02f

SHA512
621fc3eb52fb30bd155b28f99361e78dcc794bbce14d0d55abe69f3100c1b90d6321839d388fe2eb5c4bf5e738e99c00c729c9d868669351086e2e7b70a3a48f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
385a8da0e289d37adf7cd9b846046285

SHA1
d697c072eafa2889cfc7839f3fd3a24e91749474

SHA256
538badfd8f6815293ffc50b7189c872696cd17755abad8d279312d7f93bfe2c4

SHA512
9e32ac020d62a6bdfeba7abaa79f7ca2ad7f66982ffa43dfdd94ecee85bec0257daf81867413d986d74f1ec732ec68efb99a7f2c462a4a8310e9923467e9648c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA0F4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA154.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\AsteroidVertexShaderInstanced.hlsl

Filesize
1KB

MD5
fe97ee17f001e5724ef103754fb32f7e

SHA1
b12ad571d8201d5584446c20df7302947b94ae5e

SHA256
c44863944bc085c1c8af13b0d22d79f44689c0dcaa19dfefcab8532906baf27c

SHA512
30cb641808fd1959915a0e1fbcf45da3be5630f1df0a859377737e9651bd56ab1fdf2d94594233f36a093ee74d919a102e3e2ae2a66947c109c9780ed31d10b2

Download Submit
C:\Users\Admin\AppData\Roaming\Bl CG10 WmG4 CG3.ADO

Filesize
524B

MD5
02710317e2ed8cff32667d51f5b66075

SHA1
4864ad2b003b38295a26301488366d5ab02ce546

SHA256
d0807c59413e8607b26eda3f20989ce2baaa57ed387e8754e050ac64df39230b

SHA512
698f08773b1cd7702a96dd5a0fd3dc5185abe070dabdc2c2907ab9968bf39cd2ad67ffdec778997e60e3785b56d0ec288b66cfe6a37bfa0f69f2a3be962a1c83

Download Submit
C:\Users\Admin\AppData\Roaming\Cenobite.mdC

Filesize
126KB

MD5
22ecb073f20fa7aaa0632df14f5413e2

SHA1
f4357bd1101d63c09c8ae615760e0ed6457ba1b9

SHA256
e15fb74281f181b806253b61bd416ff02b534732bf39c1d01d540ec7a33ccb2e

SHA512
2837f49a675a2ab5c703ea387a905894a96961aa4f17ad3ebc3f0c85b95cc8c4ce45681e30da5aef1f7d27d95d7607197d7da05006e813953e8ce978846d67c5

Download Submit
C:\Users\Admin\AppData\Roaming\Dawson_Creek

Filesize
509B

MD5
e48f88be96ebc26dbb0ffcc604997483

SHA1
99f857985e9eeb3e78b1d07ecf93701349a1772a

SHA256
71b97cc87cc10a413bd1ad45e5c131d99acd5053d7a326bbbc8e041b0b1c4926

SHA512
86221e10d4626779cda787e3b83e4d5f042660b6e5ea31f43c448fc831b0c6a26ea749699bb9676362984c6e798df1e6bd4a45b6897599e5e17d0efda8949ced

Download Submit
C:\Users\Admin\AppData\Roaming\Edge.mpl

Filesize
3KB

MD5
c2b143dc4ee1df5f628a40c06c9553a0

SHA1
01b6854f5204656b7d35681fb7ad871385a6cded

SHA256
001902229a1cf8b5774ced9a929320f9f3bbc7cd6ff44c692b317fdf68fbf93e

SHA512
8cd0cbe90f17a55b20d1a1a85254dc56322fda6ba5456eaa6a617936b10f724edb72dc490569f2b1b48cf8ba699c6a556b18d782a999d737e7f21553f5a4aa8f

Download Submit
C:\Users\Admin\AppData\Roaming\Fighter4 Flight Path.mesh

Filesize
3KB

MD5
c22dce2c95e3fbc8ac2f569b7fb8474a

SHA1
9e5b1c407424004fa5c0c1d96af96a9b0e10353e

SHA256
423cad4eca8206b5b3ef851278a749e5246042e32759abe6b2026d14ed2ba6d6

SHA512
f516531af2f75cb949ef6fbd2bd18e12aa07f94e2b7cb1398d0b13033f84c91f32ca28dc76c6e8caa8191c7b115a3cf59fddc241bfb3e244ae50247c6eee69f1

Download Submit
C:\Users\Admin\AppData\Roaming\Fiji

Filesize
588B

MD5
03eeedd6926392057b761444ea01871a

SHA1
e3cc8ce79e0625854e1f922ebbe4ba2f44d0248c

SHA256
ba6662dd53b64810a0449f9ff4a9ca3a46f2d5ad63ba66507d00988b64bc043e

SHA512
c8516e29e3b8a2b9d9f8e43d472cd4d4af6393f5be2cbe59ee6422f7238a3bfb7523c821d9ed1de25136f58905af54b724528e80562f20e2f250927851b17968

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
71d66046280ad4b9ca878ba99c682940

SHA1
c08d4d20d600c1b5ab246da2229d608416adaa11

SHA256
b064f907443ef1d16a3217973bcb21b356112cbc54174e7afcb8931edd738349

SHA512
ca720d299df33ad03e6b6338971fd2e3bb774bf00a4f0ff50f1c0d974aa9fdf29951d6599c0f4628ec4e58657de6780d6c030f9724ad81dab353b68b97ec5bd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.url

Filesize
90B

MD5
96625a9cc00bb525f96eb3684ab85303

SHA1
e2a379830f4d6bfeebd9146c940f9cce72cba005

SHA256
ae69ed4fa207cefdcb0f35af40bef756b9900de260580df9e4b530edb781a52f

SHA512
47a96a297216a2eeafdab4d3c56abc129f1f3d3bff1e5115536ab060144f45abea3d6738e975c9f06428ecbbd1ab9ac22767a2999ded67d84f70eb5dec509fc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.vbs

Filesize
234B

MD5
6f84dbf74ef41dc3d861f5fb3e0f45ff

SHA1
3e5f17e9b9589f33ce6add7f2518a666ff2253a4

SHA256
df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8

SHA512
9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rasdial.lnk

Filesize
1KB

MD5
f56f996fb665bc3a6227bb9cffa78cfd

SHA1
decfed40859ad3de844c33fbd90269d0ad1c7088

SHA256
ca36cb5b94ceca3eb8e1729c0e136fda983e9ab348ea6d74b1a7231c6f4d66ad

SHA512
8a363104ecbf503a2dd4797202805f3c92849135dfac24ae96bcdaa0671482d77870cf46cc52595d572f5a6326d7b7b8944061fb8dcc8d45102212f6bc3469d2

Download Submit
C:\Users\Admin\AppData\Roaming\TrumpetArchonship.X

Filesize
4KB

MD5
a965af7d9d63225f8fbd5947909e941b

SHA1
5a6ce8d181febfdc105fa87a029f486ad4db05df

SHA256
8aa4eb889b983f8cfeaaade7e82f43e716e10b93d1cb22f5d4a84ebe71ea4a70

SHA512
07e698cbc5d7c81e9e5990acd23132a45f44133ffa2c8fefbfd0a3b37be67eddc156816f91ded035bd4997cffbc0d578b72cef8e31a136ce02e2b300bbf1eaf9

Download Submit
C:\Users\Admin\AppData\Roaming\ai.js

Filesize
5KB

MD5
ff31c548bfa9e2d4d2ef741f590c6f4b

SHA1
ea436bc092885dd81b6144bfd6c251fd3548cbf2

SHA256
0ba2a5720cf7fec2d9e3fdcbfd39167be12920630b285b99ffa4dd7979507ef1

SHA512
9710ea43723eaba0b5aff8233db2436467fd65294e4b138269d6e52d2c0d857c44353a64ea1d6a13c676c69d83ba1d915fbf493a9782f2cd5bced72ba73c734f

Download Submit
C:\Users\Admin\AppData\Roaming\ai.js

Filesize
4KB

MD5
a02394f8f25479ed529c5985951740c8

SHA1
2721f2ca6d3a943015968eb19b2276af9c01a8b3

SHA256
6955aebcd757be32733285604886270e0bd77a2b0c2ce91531b5a17fb0658c06

SHA512
2dd6c075877b50e6c7e5f778ace158814e34065844b13437eb0b9a34d7f6365bebea8a3964a44a83373465d28063ecc1ad665fe8d1ba86a0454e6ba0b78d3ad7

Download Submit
C:\Users\Admin\AppData\Roaming\alert.jsx

Filesize
765B

MD5
b78fded48dc97b8ed5a456e9889be8c8

SHA1
2ca874bda004a87b0b0b62fc4e5125378d7070e7

SHA256
79e83de442ac0d00e464785d9c9293e2c88ee98a176b304b01857231c603868e

SHA512
0b00eb7d3f96435ea0c58d7ad6c59d5e59f9a7e408259e72c79e4dc05364d733ca239c2f44e6343f7fa8da7ec2a04ab144428adda01cc8586b89335e8a3aaf31

Download Submit
C:\Users\Admin\AppData\Roaming\arrow.png

Filesize
1KB

MD5
13c9b9e64fdac18c0aa7bd4c6a78748a

SHA1
3c05eef29faebaa3e7ae3d8e6282eef68dfd4276

SHA256
9685dfd1e87f387651a40051fae9816a720ffdb0f90292524088ee815ca87b26

SHA512
a4358decf919eff4b97f42533b3d6b83d870f4c1fe0f0bf3884fd8c2ddb02274fe6769c4435e6536a437e2c4a2e935ff7e2714b20bd1330dade381116aa00e43

Download Submit
C:\Users\Admin\AppData\Roaming\arrow.png

Filesize
826B

MD5
d0b4c9740f9346823e21d7dfc5bd9f1b

SHA1
019c25a3c797e9bd3c526c73698077ba703712de

SHA256
e634695e0e798533dba1ffb41062867c6a43f10393ac0482ac64a5c8eecd6013

SHA512
1979573472b0a010f1c7988427a09872dce90a9b9652396c65a45eb26a2a27838369467d1b5f34411f74c1b216b2e70b000d7decf0e04fcad17650d6a1fa07d0

Download Submit
C:\Users\Admin\AppData\Roaming\axf.xsl

Filesize
3KB

MD5
3e6bfa45474395fcab8c295d63fe0ca1

SHA1
532af3f2b90b3b1cbc7fd7401777ae271aff5f74

SHA256
973a3d4fd3db35ef04dcd3b99176f9df936f4729b1880c189f39507e97ba8732

SHA512
058551c718aeff1749dbac4a6d02ff540a8e29c13a9b15ddaaae64afad0fc78b4a91805a69aa210b7c3f14df31ecf539b866fea276bad9dfb2a05a06c702c653

Download Submit
C:\Users\Admin\AppData\Roaming\dell_connect.png

Filesize
973B

MD5
9dbd18fcb213900b1ee960a53c18fd9c

SHA1
ed77794c8c9d5fa6ca6b5c85115ac40ef9c93c7f

SHA256
59225283f389298e60ae723d030c29861105379f506c2494522c0baa4e0582ed

SHA512
9238616509f1eabfd941d9af8df2a98ac652da86758ac9346b73a9331afdab1caa1def00164d65b02f0fa1445b69d2b2562c2b8327a138eb205c26997d5e9aee

Download Submit
C:\Users\Admin\AppData\Roaming\dell_connect.png

Filesize
579B

MD5
9d4ccffd63ccbfa1ebab9328c85bdbdd

SHA1
3c3e8ea7850acc45d4c03e888e7db4bb743d757e

SHA256
04344cffe2ee8caa003981ca6941c23730a3e6a27ed6bc7a1bb3add804ed04a8

SHA512
4291e48c7501591dc3f9e4746c6f852702365698c7c2b34bf9f09565a963a2809ad66161c4da348c0dae51128906c577056bd5bba3b066a92a704359fe055c81

Download Submit
C:\Users\Admin\AppData\Roaming\eclipse.autolabel.xml

Filesize
1KB

MD5
b5d4d664346b442cd7d4b6dc5f3657bb

SHA1
f3c94cd9c7dd431c75ced3bb4cf72ebf1b9d6770

SHA256
75ec11ecca31d2fdbabf59112e63d49857aa0903f06e883559373d061b3e60b3

SHA512
7ad300a6f5919aaf897e4fd467937bdb941a33b98b77aebf5c9fb39e7fe0e32beb197e898af6dd0f5e049feae547de6bd30e2fe0cfb1b1dd7ad93ff0eaae3448

Download Submit
C:\Users\Admin\AppData\Roaming\eclipse.autolabel.xml

Filesize
952B

MD5
19666991fea55b6ce99dcecf85ce420b

SHA1
2511d4fbfff7c777a1f648bbdb49e68e47b39b94

SHA256
362d8efc2b18b4eadd65be44ce7bf25d28e2e17b58f109bb724c2c68517e33c9

SHA512
11804caa55ef65220c21f3d5ef85f0853a7199d205b20e415c5d88370f2fabd1608b8dc30e9d5b19a1e003c2e8f5ea91bec9227b77dc0b4e39dbc7fb3b68d19a

Download Submit
C:\Users\Admin\AppData\Roaming\frn.fca

Filesize
1KB

MD5
420be751ebc4ba1db0066cd8abdcd653

SHA1
1f046369b9e98c4efa5e342b479d32843467197b

SHA256
5bbd13fa185a62a97a1eeece5278d87f68333bc22e8aab0c26d10dd17a0b1070

SHA512
f8715e5d71570f5d7b81e9bc39efe28de97ecbaa5782559644562da1875adea3ef4693d142378332cfc412077f8530fb9755efa0e98e215e572eae714fc04200

Download Submit
C:\Users\Admin\AppData\Roaming\g2_Letter 8.5 x 11 in 300 dpi.IMZ

Filesize
46B

MD5
633d34ead61d11ef8028e7ae3f22f062

SHA1
964f641288254491cf203ad9966e145ae04750af

SHA256
2798675ce2702d03c99a831e3794f40d08271ccf74856383c41601aa0dd6f502

SHA512
65dfbd479b5eb7294899d503440997172e0fc00754e12caf56a26cbd58fa5502351abd8a1970ac132ad3ca55982dec3a231acfd0031232246386dc484c8e5956

Download Submit
C:\Users\Admin\AppData\Roaming\generate.id.attributes.xml

Filesize
2KB

MD5
d47d80f968ae10bff626c4815565999e

SHA1
b09bbff21fce34cf4531bd58a12ef245d98a11b8

SHA256
9deb0518f60fec26fee7ebc468cf5d9be0dfbead1dae0917daf0fcf32f3428ed

SHA512
453221b70d7a2ceb5986726b42d991b0588bb7c3972ed45fa2b723bd19a2c58730d29caaed6ba5ff5f9804a7edc88537a9fe021841809e22e05ef0ac566e62c4

Download Submit
C:\Users\Admin\AppData\Roaming\generate.id.attributes.xml

Filesize
2KB

MD5
9c9a95e738765fc608d7c4e76b2f35cb

SHA1
9dc240f7154d9aaf682906a987f141b3dd4be7e0

SHA256
3c33893b88336ee1a3b8371c05ce32b51010b5ec73f67af002d53ca66174534c

SHA512
aab54fde37e68017852729846f7fd77db36bd38ba20ad2991ae95c534fa85c518e1d837c308db87c88412877eb5742555f512053b537b16d032d291cc3cc01d1

Download Submit
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_de.csv

Filesize
930B

MD5
75d5f9c89892397838677ccff871f32b

SHA1
2c0364d6abcc9914bbc4a964dd163dcb29a9be5c

SHA256
dca82b89990cc34dd9e843dc67189fd5d87e0a29488332573011721daea8ee07

SHA512
e346b90d8858f8e6591b17ebbc1ac6e0952dc7bfdd33314b61f23897744153c866fac5fd44fe8f9f3f1df6c9573f83e918cba32c31d2f85c9f80fed4fce474c1

Download Submit
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_de.csv

Filesize
518B

MD5
831f0622bf83e0f5106b5db122509ce0

SHA1
447d87d4ce42640f851cb9bae81dd09937bcb090

SHA256
6668dbf76737d19a74b9ca9d44e876c495aecd253bd5f62dbad13691dfc1ba6b

SHA512
36ecc5f60d4c0ae4f8e83947d88e5e2fa89802f4b10cb602fc5e83fec7c403d30b9c74df73fd87aa2d772a2eb78cdaaf1f323d7d6210607ee026ceef18783e76

Download Submit
C:\Users\Admin\AppData\Roaming\paresthesia.cxs

Filesize
63KB

MD5
3e11d432933fadcdfb3fb46a980890d8

SHA1
87de2600ded2c78c5e5c418abd1f492ecda015cf

SHA256
d104e85873c2648f0e7a9575412e0404d97dddb258dbf67dff7efe8b91c1544e

SHA512
dc315b9fa5a06c86cff5eccc91395044aa09f4b8c3c2a475d3940150023d725e5d2e9345ad5d43f9413c18e1f5b02c58f4a3864e910637ec6214f113c68964be

Download Submit
C:\Users\Admin\AppData\Roaming\paresthesia.gnr

Filesize
62KB

MD5
7316ffd8413fdf2934837736a562ca8f

SHA1
ad2be838259510ba2a626c414b2fd419b6f5bdd6

SHA256
86361d15a3ee2a09e80518c4af5f67c2eced91c3c7b19410b62c5120130736cc

SHA512
28ac9fc27f1c54f79f8155524188c2ee7afa473e82c6b4bde8e227346c7c35e6b11e42090ab88c0ea6cc01822b6685e80daf31c10958164f60404af1198ba39b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8BFC.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\Perl.dll

Filesize
48KB

MD5
d850fbd4283334bc6a8214cdee231e05

SHA1
164dd2e14e242de3270f2a768d36b729d56e33b4

SHA256
e67206ab8bd532b15621cc99c6ea8588e567b4b8b2211ed020ba6d25c166fe1e

SHA512
50986b5185b363d0a6b674bb3cd9db4308f2bdcfc4e36eb381a770cbafa6401c96a17e0c6f50a4da0afaabe9d08209547aadd5fa2b165e1346fd6d63a33d3fc4

Download Submit
\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\rasdial.exe

Filesize
189KB

MD5
fef9344ab43ca53984e45b9de42b07c1

SHA1
b816b11ebebcefb845a5ce52bef81d4ab6977174

SHA256
27774522cc4848729069300e39654e834e34809f42821d0194ae1f81a412e52d

SHA512
ca804be21964c00c6f1e6b6194a1db5515fba86d23ff3b38afc142140e4199d76bfae1e3f420a07f014082026df9532a3864a8b7bade636cad05984229c212d8

Download Submit
memory/1236-130-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1236-128-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1236-127-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1236-202-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1236-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1236-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1236-200-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1556-186-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2320-29-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2516-112-0x00000000028D0000-0x00000000028DC000-memory.dmp

Filesize
48KB

Download
memory/2636-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2636-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download