cerber | 6ce06d88de7cf0deb2f52a309dc3e779c37b53a1e5370f2eab5a5e3ab3ea2273

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Size

175KB
MD5

cb82368879cd1f929e34eb621b7042bf
SHA1

e97bb759d42c0f40d7b7f5d48bfbb2c615a14d45
SHA256

6ce06d88de7cf0deb2f52a309dc3e779c37b53a1e5370f2eab5a5e3ab3ea2273
SHA512

bbf4d1e4e5f072cd29ec744ba1ea66118c41bf68824a8cb99920c8af9de4232d606822fc2d13fae98975e967a45058b684dd811a826158187398f59008db7aa2
SSDEEP

3072:2yAaQqe90u5DdXJB456ZbBL441hR+TGJlWiDtGp8dZuucrZx0KY6Sc8Hvhs:2yAge9RfVZ9h/R+YBZ8prn0kScEv6

Score

10^/10

cerber discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43 | | 2. http://cerberhhyed5frqa.xmfjr7.top/1599-5E9C-D27E-0063-7D43 | | 3. http://cerberhhyed5frqa.qor499.top/1599-5E9C-D27E-0063-7D43 | | 4. http://cerberhhyed5frqa.gkfit9.win/1599-5E9C-D27E-0063-7D43 | | 5. http://cerberhhyed5frqa.305iot.win/1599-5E9C-D27E-0063-7D43 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/1599-5E9C-D27E-0063-7D43 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43

http://cerberhhyed5frqa.xmfjr7.top/1599-5E9C-D27E-0063-7D43

http://cerberhhyed5frqa.qor499.top/1599-5E9C-D27E-0063-7D43

http://cerberhhyed5frqa.gkfit9.win/1599-5E9C-D27E-0063-7D43

http://cerberhhyed5frqa.305iot.win/1599-5E9C-D27E-0063-7D43

http://cerberhhyed5frqa.onion/1599-5E9C-D27E-0063-7D43

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43" target="_blank">http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43</a></li> <li><a href="http://cerberhhyed5frqa.xmfjr7.top/1599-5E9C-D27E-0063-7D43" target="_blank">http://cerberhhyed5frqa.xmfjr7.top/1599-5E9C-D27E-0063-7D43</a></li> <li><a href="http://cerberhhyed5frqa.qor499.top/1599-5E9C-D27E-0063-7D43" target="_blank">http://cerberhhyed5frqa.qor499.top/1599-5E9C-D27E-0063-7D43</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/1599-5E9C-D27E-0063-7D43" target="_blank">http://cerberhhyed5frqa.gkfit9.win/1599-5E9C-D27E-0063-7D43</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/1599-5E9C-D27E-0063-7D43" target="_blank">http://cerberhhyed5frqa.305iot.win/1599-5E9C-D27E-0063-7D43</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43" target="_blank">http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43" target="_blank">http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43" target="_blank">http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/1599-5E9C-D27E-0063-7D43 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (16399) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\\unlodctr.exe\""	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\\unlodctr.exe\""	unlodctr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	unlodctr.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\unlodctr.lnk	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\unlodctr.lnk	unlodctr.exe

Executes dropped EXE 6 IoCs

pid	Process
1516	unlodctr.exe
2608	unlodctr.exe
4420	unlodctr.exe
3920	unlodctr.exe
1084	unlodctr.exe
4572	unlodctr.exe

Loads dropped DLL 8 IoCs

pid	Process
3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
1516	unlodctr.exe
1516	unlodctr.exe
4420	unlodctr.exe
4420	unlodctr.exe
1084	unlodctr.exe
1084	unlodctr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\\unlodctr.exe\""	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\unlodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\\unlodctr.exe\""	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\\unlodctr.exe\""	unlodctr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\unlodctr = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\\unlodctr.exe\""	unlodctr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6ECD.bmp"	unlodctr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 1516 set thread context of 2608	1516	unlodctr.exe	100
PID 4420 set thread context of 3920	4420	unlodctr.exe	103
PID 1084 set thread context of 4572	1084	unlodctr.exe	108

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	unlodctr.exe
File opened for modification	C:\Windows\	unlodctr.exe
File opened for modification	C:\Windows\	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
File opened for modification	C:\Windows\	unlodctr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unlodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unlodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unlodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unlodctr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2240	cmd.exe
2924	PING.EXE
4372	cmd.exe
180	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002349e-36.dat	nsis_installer_1
behavioral2/files/0x000700000002349e-36.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
692	taskkill.exe
4488	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\\unlodctr.exe\""	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop	unlodctr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\\unlodctr.exe\""	unlodctr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	unlodctr.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
180	PING.EXE
2924	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe
2608	unlodctr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	2608	unlodctr.exe
Token: SeDebugPrivilege	3920	unlodctr.exe
Token: SeDebugPrivilege	4572	unlodctr.exe
Token: 33	4900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4900	AUDIODG.EXE
Token: SeDebugPrivilege	4488	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3448 wrote to memory of 3636	3448	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	87
PID 3636 wrote to memory of 1516	3636	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	95
PID 3636 wrote to memory of 1516	3636	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	95
PID 3636 wrote to memory of 1516	3636	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	95
PID 3636 wrote to memory of 2240	3636	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	96
PID 3636 wrote to memory of 2240	3636	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	96
PID 3636 wrote to memory of 2240	3636	cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe	96
PID 2240 wrote to memory of 692	2240	cmd.exe	98
PID 2240 wrote to memory of 692	2240	cmd.exe	98
PID 2240 wrote to memory of 692	2240	cmd.exe	98
PID 2240 wrote to memory of 2924	2240	cmd.exe	99
PID 2240 wrote to memory of 2924	2240	cmd.exe	99
PID 2240 wrote to memory of 2924	2240	cmd.exe	99
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 1516 wrote to memory of 2608	1516	unlodctr.exe	100
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 4420 wrote to memory of 3920	4420	unlodctr.exe	103
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 1084 wrote to memory of 4572	1084	unlodctr.exe	108
PID 2608 wrote to memory of 2148	2608	unlodctr.exe	117
PID 2608 wrote to memory of 2148	2608	unlodctr.exe	117
PID 2148 wrote to memory of 1468	2148	msedge.exe	118
PID 2148 wrote to memory of 1468	2148	msedge.exe	118
PID 2608 wrote to memory of 1408	2608	unlodctr.exe	119
PID 2608 wrote to memory of 1408	2608	unlodctr.exe	119
PID 2608 wrote to memory of 2352	2608	unlodctr.exe	120
PID 2608 wrote to memory of 2352	2608	unlodctr.exe	120
PID 2352 wrote to memory of 4768	2352	msedge.exe	121
PID 2352 wrote to memory of 4768	2352	msedge.exe	121
PID 2608 wrote to memory of 1016	2608	unlodctr.exe	123
PID 2608 wrote to memory of 1016	2608	unlodctr.exe	123
PID 2148 wrote to memory of 2908	2148	msedge.exe	124
PID 2148 wrote to memory of 2908	2148	msedge.exe	124
PID 2148 wrote to memory of 2908	2148	msedge.exe	124
PID 2148 wrote to memory of 2908	2148	msedge.exe	124

C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
    "C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
      "C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe"
      4⤵
      Adds policy Run key to start application
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff855cf46f8,0x7ff855cf4708,0x7ff855cf4718
        6⤵
        
        PID:1468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        6⤵
        
        PID:2908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        6⤵
        
        PID:1276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        6⤵
        
        PID:4016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        6⤵
        
        PID:3612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        6⤵
        
        PID:2168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
        6⤵
        
        PID:396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
        6⤵
        
        PID:1716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
        6⤵
        
        PID:5364
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 /prefetch:8
        6⤵
        
        PID:5520
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 /prefetch:8
        6⤵
        
        PID:5688
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        6⤵
        
        PID:5696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
        6⤵
        
        PID:5704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
        6⤵
        
        PID:5940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11130574392929832556,18313090049197765576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
        6⤵
        
        PID:6092
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:1408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xmfkr8.top/1599-5E9C-D27E-0063-7D43
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff855cf46f8,0x7ff855cf4708,0x7ff855cf4718
        6⤵
        
        PID:4768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,1140572201054524719,7999429703019874940,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
        6⤵
        
        PID:4424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,1140572201054524719,7999429703019874940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        6⤵
        
        PID:4536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:1016
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "unlodctr.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe" > NUL
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4372
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "unlodctr.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:180
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe" > NUL
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "cb82368879cd1f929e34eb621b7042bf_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:692
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2924

C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
  C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3920

C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
  C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
59bd70502a57cb92dc7d564a8cad03f2

SHA1
2b6f8882e05ea4ec61142b49915b2a86aadaca76

SHA256
8de27234c478bed9e3ad4831d15d5a467776fd3b8acf96d2ea4af991654e14dd

SHA512
f0585a36189e92f55400ec12422cb2842b9ac16c4f79e13268be40376c97cf66caf37ec1920f13e54c6b215b53c2db8564e2eb5f2dfeba8752d1e0fb463a287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b744e025ce01de5d59c316bc0395eaa

SHA1
98aea2f70686f59bca6bf8df7a150a6f47cca972

SHA256
fdab5eff9b4c3883be7ed1a2c449b559b64b552aa31389a623c00a7f90022d4d

SHA512
e22b00ad838a6e79e38a677a60aa5ea0066e18a7bbdbfba92df10c530320f3f08f4c05b4bdbc47a13c2ad72800b5efc18e7b20b7f8f5960b322e415fe3fcba0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f3bae154704cf9d6c0750b3d14f79d38

SHA1
2f19dc328b4a93f97b5ec6fef410e4d8510f79e9

SHA256
4a098089efdbd4910f522f9e4788eca7b625ffaf7ad325d8257410e4584f3036

SHA512
02264571b305b3ce1b4eff1d46685f3799c08cbc6ca4a884912fdb9cb158f6c6d5e9cfdb835192a8be0efe24eab21bab6459be921b28795ee71aec44ecc35bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
12a47ff3dea474192c3494184d565645

SHA1
8ca8b6ab9c7317a696c67a3601c6a53488c6075a

SHA256
1771f42319510693c26de18298efb947f63f3d1c8512c67fa3f25b7c915ce558

SHA512
c911b240a27576593512ad80aeefa7767a6c0255e3d67a7db494048b1be78873b6445b762b56031986356cef1ac94e5507f76bdf5e7dd90327abf38d4a1a123a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9404.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
C:\Users\Admin\AppData\Roaming\22.svg

Filesize
1KB

MD5
6314b8f5d4c1b14d970745da99656b0b

SHA1
8231138a4637a9570e3608f0e588bf6a53e5a07b

SHA256
283302fb83e70941d2ef5829a82fd40cbdac95f706b943cf702d4563c4cd6b17

SHA512
b65a5ce5a747f2a78e92d223c818492fb2e4600ffe84ea155c43bc6c644e22663c268182b3dae3ce74b94fe0e51ab18cf8dd34be3c257e2d5a55af0fe1463e30

Download Submit
C:\Users\Admin\AppData\Roaming\404-11.htm

Filesize
1KB

MD5
76985a11cd066027bda86fafb79c16c8

SHA1
8aed1b070c1511cd2e03e81b5d625407cb2a1274

SHA256
67b078cfd1274e9fc4ff2fea2b2d94c317674b46dfeb6fb493080d350924ba6c

SHA512
7f7d6fbae9f3bafa0a654b4c53f2bc46ab8cb0b8a7457a5e5daebd426cba2ad6cb50049471be2ff55db2a20d7eaa88bb3f7d76fdbf2339f3cc9f05ebfaeafb42

Download Submit
C:\Users\Admin\AppData\Roaming\50-user.conf

Filesize
245B

MD5
0165add6524289f6eb0461ba0be73be2

SHA1
241d74bd3a97839c59e76b4bd4c9b153fcdb946a

SHA256
d5920277fe37c1f079f4aca15da1b677423a64596437142b001e718974e2e0dd

SHA512
f768a00f99b0f30ef7db086776573661d7596430636faf460d3c76f9de4428f5e66c81e24f434239bd44177e038508852ad4b30d74815fe67a1748c84ced29db

Download Submit
C:\Users\Admin\AppData\Roaming\Arrays.dll

Filesize
9KB

MD5
b587eb0b16940822bba3569ad97b0bee

SHA1
6a5e2e416a9959c0c927e53b83c009552181282a

SHA256
051ddb847f1f65002a8916ac1f0233d90a848e597962cc2f4d7b7a8532259477

SHA512
62c76e9cd4a609bd95796217569f4d2a86d77027752aa0d230a63fd4f66c88b6e0b9423ca45fe00f396ac618975ab190edb94b5d5c86b5bd52358620e88dd6f3

Download Submit
C:\Users\Admin\AppData\Roaming\B5pc-UCS2

Filesize
2KB

MD5
3c261dd687fd42d4b97b2ed2befe5201

SHA1
1199a4a49ccc3e729fa6052e3e3ec67c78394a22

SHA256
9d80bf7d6122a3940dd8f1c7318a18598559b074a4d9d305c989c3b0edda8dc0

SHA512
59ca5885ba84f4f06ec10fb159682acf7ba3a60f7a92a6779629e40a88900eab525f6b1e4b8a02027f3746d02bac34dd2f85966a742fc159cd59b78d1840f2a2

Download Submit
C:\Users\Admin\AppData\Roaming\Ceramics - Eggshell Blue.3PP

Filesize
1KB

MD5
e83ab70fbbe4313da354090b019c93d5

SHA1
a3706e0604ba7d341646a383017c6dc259c4e29c

SHA256
15565a7fb183a4d86ad3d32e01544d01b99cf9feeea31476620317dfd993b01c

SHA512
f95b4302c06491b56077d77566752f6a700d95752118c2cb9ae6b50b48a95f6ef8abb2c0b96dbb3ff9bf1ec2a830db66b2c26d9b6124224b6bc93a21d38344fb

Download Submit
C:\Users\Admin\AppData\Roaming\Doctrine.b3g

Filesize
1KB

MD5
43411d45295067cca9c0e978d4fdab49

SHA1
b0bb937df1ec998b2db2b42c741b74f297d99a3e

SHA256
d68a2d7a8023926f19dc90ad3f38ef487706e736fe1a08d57b199921f3c8e5fd

SHA512
352069094690dcfa688c110c3fa5682f5352c3053f147abf7d3ae575f9b38662638dafacab3a15a7bd4b58d1aaa5de7102514436d2899f3bfaa21115dd0fac6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\unlodctr.lnk

Filesize
1KB

MD5
b8eb87ebf008924a14b46429c7893f39

SHA1
df0daffe9a312cc34d0c982d985246351c2755af

SHA256
67998dc2967b1833ac0f90321fff1274d321b2155144404f7ca1a52cd587f7c3

SHA512
f941228232eb4f432915c28899c585404809b4058e14c28839c98bbc277e761d5a35e605a19a54224652b5f371debde9a223dbd0e9f870eacfcc31fa6fe037c5

Download Submit
C:\Users\Admin\AppData\Roaming\Secrecy.UKV

Filesize
125KB

MD5
eb58a7a364500ee7492362426fddc875

SHA1
2b9cc43270e8a259b3c8ca4918dc25d7aa69f5d5

SHA256
2743cf29665f94e35ff9e432814b3c0dc354c4af1e7b12043cf536d7a7c39c43

SHA512
24f0c61b4b7497157450557bab4d29568ebfc8c215d0b60619c91cb469ebc05c52aa8819170a90e9f4f47e156355ebbb220afd91c347c884e3648b8e328edfc9

Download Submit
C:\Users\Admin\AppData\Roaming\callout.unicode.start.character.xml

Filesize
1KB

MD5
4ab850cbbc8203dd0272494ccc005144

SHA1
3713848ecbb70b421956290a24cf5b966d9d6dec

SHA256
61b9afd95c0598c0cd16099a19d5d2b3dd1b3ce3441ad00f55be5dc40441e910

SHA512
89aa963cc1a79d48b48088c9d6963e0b19a2d8f528ade67e5bb69fd9c084147f46ed220cb6573da1b10416951ba22f8cafa7fe0b181b09644dee03c67274f67a

Download Submit
C:\Users\Admin\AppData\Roaming\catalogue.xsd

Filesize
1KB

MD5
509f7b3f17b24a3d692cad3d247e389d

SHA1
67a12101983e734e87b5f529a57ff03b6bb06abb

SHA256
46da0b6bc18a55f87b2b943bbd61a603170cf13b3b865e078f8bfad0106f5169

SHA512
2307dbb5172519ac82c790b054459b0d4805e691bb1fc38a5819bbc976f4e4bcea331b9e05c7c7742c3b799615d563b9144ad990f638e6b4aac03ec481076ef8

Download Submit
C:\Users\Admin\AppData\Roaming\changebars.xsl

Filesize
4KB

MD5
3a91f0918b78182b7a331c0b46f4dd92

SHA1
42622d7e5b49db337a98a2bdfbcecc8a3fbe83a8

SHA256
5d73d69ea322ce333a84baef7bee0b223896d220da2866fcdb9232d526a46250

SHA512
e693948383a7a142ad4276227593b11b02517aa17143a11b217b9c1a2d5e3e45b55b7754444a232f90cb1c15fbae31db83d1dffcceffddde3676c01d813505a9

Download Submit
C:\Users\Admin\AppData\Roaming\close_down.png

Filesize
2KB

MD5
0b4c456e11bf25d883e8f265368e5989

SHA1
30bc42209dca7f0e39d68485d226ada5e5f0d18c

SHA256
01bddb021ba9db0385876496c4b3fea84708b0e8e304d2ac9df15205e3f51dac

SHA512
3dd02c261d2d091988008fbfb7b22043d2ca64170d464a8ec23f60f38fa90eeab0e7d28793048d5b70069b75fb515dd94188f7c28725fc14ba1b2d766b076681

Download Submit
C:\Users\Admin\AppData\Roaming\collect.xref.targets.xml

Filesize
1KB

MD5
b315d71c7feca1a5c1611675c577d2df

SHA1
df93907f42140b3c6f932a2b5b40deb730dd5109

SHA256
575d396d6995c2f4c9cfe493c76847df2d468a49d2a379139521bd00fa1c1abf

SHA512
0a0513f58f33a27803bfdaa3e635928317d40de7488bef0b6d040d58414e60fd252f7ca348ef9d50827192f03e9e15675c5a5e3870cc8b36252671d4bbb5e680

Download Submit
C:\Users\Admin\AppData\Roaming\cursors.properties

Filesize
1KB

MD5
b92c29f94e268e7bb210b7aea4cf0d95

SHA1
c33059af1b5f74da238efeb1636d54b5dab9108b

SHA256
779c8cfd088520536f6e77ad0266d4668075116c72a90c41f19ae6ca993496b8

SHA512
36ddf6ef84d1a8c839334b1bddc5a069126f6446ec61fb84bb2be4f89974d362ec4e41e7363d6fb11529e56ddb6f6d481dad56c35d7f09de34d12ba7580c3cc8

Download Submit
C:\Users\Admin\AppData\Roaming\delete_1.png

Filesize
1KB

MD5
4323deacac4a6138c00f9babd4cf00b3

SHA1
ab9872864c3d712912ff43af850d1257a418db3c

SHA256
7c5f6acc2b19d4f677f58e1a4fb4456f0ca33b9af7f3df0605d7a0ede3ef7213

SHA512
5ce4971e5fce124296ad0c6a9bc2cf8087f46d59d226b1676e1ff27af38c2d585a59e600ff2da9eb57e029c0ccd55d0032a158838d6b36e63906190918067c32

Download Submit
C:\Users\Admin\AppData\Roaming\f1.png

Filesize
1KB

MD5
9632d740e720b8a989e0996b6b4a498c

SHA1
d448956c025b6936a06774fd3554c731a6d89d36

SHA256
ddca49055d86ac88b39358c49a9145fb80cd6feda14567c36108226119f85028

SHA512
51255390750610ce104b03ecffff09e17313e3d94067bd5ca16ac3bbd5c6bc2273fad5be7b172503ec23bea601f946d3d3164c6e13fb1206dd414bc225452a2f

Download Submit
C:\Users\Admin\AppData\Roaming\{7B5857FE-798A-A38E-6410-EC0D9EC42F21}\unlodctr.exe

Filesize
175KB

MD5
cb82368879cd1f929e34eb621b7042bf

SHA1
e97bb759d42c0f40d7b7f5d48bfbb2c615a14d45

SHA256
6ce06d88de7cf0deb2f52a309dc3e779c37b53a1e5370f2eab5a5e3ab3ea2273

SHA512
bbf4d1e4e5f072cd29ec744ba1ea66118c41bf68824a8cb99920c8af9de4232d606822fc2d13fae98975e967a45058b684dd811a826158187398f59008db7aa2

Download Submit
C:\Users\Admin\Music\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
805656541e467362bbfe5fccecdbbed5

SHA1
26fef8a097b6ecc1c2bea0d87142e3612b8902c8

SHA256
9d500760b7dd79a647b3b644d06ee70cbefaa05bbb16f3fe2f0209b2b053164a

SHA512
17567d3978a3b182c9dce856bdf1c49873b826ac80784ff857d25753c01828fcc6a91ed22ccf59eeb2db1e5691bb36ef393bd31b39697bd7b2f56fa554a9b61c

Download Submit
C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
62cb70c10762c01c6d6403d26a2155e3

SHA1
50c3398469211e452c219a6ca122951f2fc0faab

SHA256
a1b2fa12f00c8b0032b51473c235c0f2af6d92f378163573e2d612383d9b5cda

SHA512
1c78775ff71c56a828343d496564fa5aebf6c654f5190ca2154e1d80ea1a7866c2167c38f44b387a1bb3ee88fe9801eca8a994f3fad70d930f10bb52e18c0465

Download Submit
C:\Users\Admin\Music\# DECRYPT MY FILES #.url

Filesize
85B

MD5
42352eec308b493a302319350976e005

SHA1
463d8b7876d1ac5a698504bd036f6ac858b244a4

SHA256
8febccde050835c43c0ad1263560e9ca8c6e719d5535936ef222922cbac4b387

SHA512
54b946a1b571d237af99c02884fc8909aa37dfcc20b371694edc2bc1cd5c5722f21f02d0d82a92b11c15d967b0e816c27bbf215955ed729de75aacf53851f1fc

Download Submit
C:\Users\Admin\Music\# DECRYPT MY FILES #.vbs

Filesize
225B

MD5
f6d629f2a4c0815f005230185bd892fe

SHA1
1572070cf8773883a6fd5f5d1eb51ec724bbf708

SHA256
ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f

SHA512
b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c

Download Submit
memory/2608-152-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-522-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-90-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-153-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-155-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-541-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-546-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-549-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-199-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-201-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-203-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-202-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-94-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2608-92-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-91-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-518-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-151-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-532-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-530-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-536-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-525-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-553-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3636-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3636-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3636-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3636-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3636-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3636-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3920-147-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3920-148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4572-196-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4572-195-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download