cerber | ae92a50a665ad98b9be56a48026f45f479b9058541687d94ed390be55c1eb4a5

Analysis

max time kernel
137s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
Size

264KB
MD5

8e8f6906971c9e1ab1f2501fc964ed7b
SHA1

49c3ce2c107bbd56ae100d2791431ecac5a911a2
SHA256

ae92a50a665ad98b9be56a48026f45f479b9058541687d94ed390be55c1eb4a5
SHA512

4e1275226c49c5b1f299c579084393e5cf5e0b9028a0419873cb0d397a30620d7387a79b7c9b772a6f21d0ba03323f132885f6133a56f19987218d3456fcd455
SSDEEP

6144:xSu7ftzi1GUIxsMVBGKnNhIMM/CU8Qmabiw3n3nvnnn/nnnPnPHnnnhnDK:xSupzozKngMFU8Qm2/3n3nvnnn/nnnPc

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". <hr> If you are reading this message it means the software "Cerber" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li>Please wait...<a class="url" href="http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984" id="url_1" target="_blank">http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://4kqd3hmqgptupi3p.k9z7pm.top/D037-B794-3FBB-006D-F984" target="_blank">http://4kqd3hmqgptupi3p.k9z7pm.top/D037-B794-3FBB-006D-F984</a></li> <li><a href="http://4kqd3hmqgptupi3p.daigy0.top/D037-B794-3FBB-006D-F984" target="_blank">http://4kqd3hmqgptupi3p.daigy0.top/D037-B794-3FBB-006D-F984</a></li> <li><a href="http://4kqd3hmqgptupi3p.dd4xo3.top/D037-B794-3FBB-006D-F984" target="_blank">http://4kqd3hmqgptupi3p.dd4xo3.top/D037-B794-3FBB-006D-F984</a></li> <li><a href="http://4kqd3hmqgptupi3p.onion.to/D037-B794-3FBB-006D-F984" target="_blank">http://4kqd3hmqgptupi3p.onion.to/D037-B794-3FBB-006D-F984</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is Please wait...<a class="url" href="http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984" id="url_2" target="_blank">http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address Please wait...<a class="url" href="http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984" id="url_3" target="_blank">http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is Please wait...<a class="url" href="http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984" id="url_4" target="_blank">http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://4kqd3hmqgptupi3p.onion/D037-B794-3FBB-006D-F984 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984 | | 2. http://4kqd3hmqgptupi3p.k9z7pm.top/D037-B794-3FBB-006D-F984 | | 3. http://4kqd3hmqgptupi3p.daigy0.top/D037-B794-3FBB-006D-F984 | | 4. http://4kqd3hmqgptupi3p.dd4xo3.top/D037-B794-3FBB-006D-F984 | | 5. http://4kqd3hmqgptupi3p.onion.to/D037-B794-3FBB-006D-F984 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://4kqd3hmqgptupi3p.onion/D037-B794-3FBB-006D-F984 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://4kqd3hmqgptupi3p.3odvfb.top/D037-B794-3FBB-006D-F984

http://4kqd3hmqgptupi3p.k9z7pm.top/D037-B794-3FBB-006D-F984

http://4kqd3hmqgptupi3p.daigy0.top/D037-B794-3FBB-006D-F984

http://4kqd3hmqgptupi3p.dd4xo3.top/D037-B794-3FBB-006D-F984

http://4kqd3hmqgptupi3p.onion.to/D037-B794-3FBB-006D-F984

http://4kqd3hmqgptupi3p.onion/D037-B794-3FBB-006D-F984

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\rdrleakdiag.exe\""	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\rdrleakdiag.exe\""	rdrleakdiag.exe

Contacts a large (524) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
1792	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk	rdrleakdiag.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	rdrleakdiag.exe
2184	rdrleakdiag.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
3064	rdrleakdiag.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\rdrleakdiag.exe\""	rdrleakdiag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\rdrleakdiag.exe\""	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\rdrleakdiag.exe\""	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\rdrleakdiag.exe\""	rdrleakdiag.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp275E.bmp"	rdrleakdiag.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html	rdrleakdiag.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url	rdrleakdiag.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs	rdrleakdiag.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.ini	rdrleakdiag.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	rdrleakdiag.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	rdrleakdiag.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	rdrleakdiag.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml	rdrleakdiag.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.html	rdrleakdiag.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.vbs	rdrleakdiag.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	rdrleakdiag.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	rdrleakdiag.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt	rdrleakdiag.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.txt	rdrleakdiag.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.url	rdrleakdiag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdrleakdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdrleakdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1792	cmd.exe
2872	PING.EXE
3068	cmd.exe
1688	PING.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
1972	taskkill.exe
1820	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop	rdrleakdiag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\rdrleakdiag.exe\""	rdrleakdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{3948277D-206E-C453-92EF-7A792F7F3E4D}\\rdrleakdiag.exe\""	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436856021"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6990FF21-9A64-11EF-9A84-E699F793024F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{69B71521-9A64-11EF-9A84-E699F793024F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000008b48dda44e501a30f7ca07e26049ac9371b735f9c1cb7a3bfd0fa9f3022f2230000000000e8000000002000020000000a64c742e39bce8b0b5280c3a7e9a0e39d1e88a9aea67527c10a8aabeb478d74020000000c30243438bb1e216f605f665f76c127f5d2b99bb7f1aacf35edff85fcf8dec0f40000000e211c25504e5d67f1cf82bdfb7acae208a4cfed04b1c3a3c352a7d6b80998149783c479cfbb6631ed3b0d54e3c6fbad7df417c7a59d08052a8469728fa71ed9c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80c4c12c712edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000027ec59f33c1c57a4bcf8d78a7d9ef46640ab573898bf92d30bd2f3a4886cf149000000000e8000000002000020000000514d2439c91ed31e1711cb520f22b4df69b5471bc5989d8339ef910ffb3e86cd90000000ca7cef2a75fec78a43d4dfb5e172a5a51ca16bd9f3ab1eb60e10ad36b2907928507651b8f90472c78065a8856f6476ff41e131aa7b541abe3ca50f7e7b8c1a0ce0f0cdcd035e9cbab3714f11f7b35d8a42dc20ff2a90f2158900882bea1c80fe0bb55fbeae640d65c449f09a15e3024847b9d367c7f2b8aedb885adaa5404d4664199ead0bd68a5d69ae172bb20e7b13400000006bc6730e0bce72a4f910c5f6346c9f24fe0b7f6e89ed336f1b631f135dc779acaf8312139faf1e4b695eb62a0456007777e57aeeb2a46c2b21753932c7852af9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2872	PING.EXE
1688	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe
3064	rdrleakdiag.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	3064	rdrleakdiag.exe
Token: SeDebugPrivilege	2184	rdrleakdiag.exe
Token: 33	2408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2408	AUDIODG.EXE
Token: 33	2408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2408	AUDIODG.EXE
Token: SeDebugPrivilege	1820	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2760	iexplore.exe
2168	iexplore.exe
2168	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2168	iexplore.exe
2168	iexplore.exe
2168	iexplore.exe
2168	iexplore.exe
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
2760	iexplore.exe
2760	iexplore.exe
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2328	IEXPLORE.EXE
2328	IEXPLORE.EXE
2328	IEXPLORE.EXE
2328	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
3064	rdrleakdiag.exe
2184	rdrleakdiag.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3064	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 3064	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 3064	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 3064	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 1792	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 1792	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 1792	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 1792	2392	8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe	31
PID 1792 wrote to memory of 1972	1792	cmd.exe	33
PID 1792 wrote to memory of 1972	1792	cmd.exe	33
PID 1792 wrote to memory of 1972	1792	cmd.exe	33
PID 1792 wrote to memory of 1972	1792	cmd.exe	33
PID 1792 wrote to memory of 2872	1792	cmd.exe	35
PID 1792 wrote to memory of 2872	1792	cmd.exe	35
PID 1792 wrote to memory of 2872	1792	cmd.exe	35
PID 1792 wrote to memory of 2872	1792	cmd.exe	35
PID 3040 wrote to memory of 2184	3040	taskeng.exe	38
PID 3040 wrote to memory of 2184	3040	taskeng.exe	38
PID 3040 wrote to memory of 2184	3040	taskeng.exe	38
PID 3040 wrote to memory of 2184	3040	taskeng.exe	38
PID 3064 wrote to memory of 2168	3064	rdrleakdiag.exe	41
PID 3064 wrote to memory of 2168	3064	rdrleakdiag.exe	41
PID 3064 wrote to memory of 2168	3064	rdrleakdiag.exe	41
PID 3064 wrote to memory of 2168	3064	rdrleakdiag.exe	41
PID 3064 wrote to memory of 3004	3064	rdrleakdiag.exe	42
PID 3064 wrote to memory of 3004	3064	rdrleakdiag.exe	42
PID 3064 wrote to memory of 3004	3064	rdrleakdiag.exe	42
PID 3064 wrote to memory of 3004	3064	rdrleakdiag.exe	42
PID 2168 wrote to memory of 2516	2168	iexplore.exe	43
PID 2168 wrote to memory of 2516	2168	iexplore.exe	43
PID 2168 wrote to memory of 2516	2168	iexplore.exe	43
PID 2168 wrote to memory of 2516	2168	iexplore.exe	43
PID 2760 wrote to memory of 2044	2760	iexplore.exe	45
PID 2760 wrote to memory of 2044	2760	iexplore.exe	45
PID 2760 wrote to memory of 2044	2760	iexplore.exe	45
PID 2760 wrote to memory of 2044	2760	iexplore.exe	45
PID 2168 wrote to memory of 2328	2168	iexplore.exe	46
PID 2168 wrote to memory of 2328	2168	iexplore.exe	46
PID 2168 wrote to memory of 2328	2168	iexplore.exe	46
PID 2168 wrote to memory of 2328	2168	iexplore.exe	46
PID 3064 wrote to memory of 2396	3064	rdrleakdiag.exe	47
PID 3064 wrote to memory of 2396	3064	rdrleakdiag.exe	47
PID 3064 wrote to memory of 2396	3064	rdrleakdiag.exe	47
PID 3064 wrote to memory of 2396	3064	rdrleakdiag.exe	47
PID 3064 wrote to memory of 3068	3064	rdrleakdiag.exe	50
PID 3064 wrote to memory of 3068	3064	rdrleakdiag.exe	50
PID 3064 wrote to memory of 3068	3064	rdrleakdiag.exe	50
PID 3064 wrote to memory of 3068	3064	rdrleakdiag.exe	50
PID 3068 wrote to memory of 1820	3068	cmd.exe	52
PID 3068 wrote to memory of 1820	3068	cmd.exe	52
PID 3068 wrote to memory of 1820	3068	cmd.exe	52
PID 3068 wrote to memory of 1688	3068	cmd.exe	53
PID 3068 wrote to memory of 1688	3068	cmd.exe	53
PID 3068 wrote to memory of 1688	3068	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\rdrleakdiag.exe
  "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\rdrleakdiag.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2516
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:537601 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2328
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    3⤵
    PID:3004
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    3⤵
    PID:2396
- - C:\Windows\system32\cmd.exe
    /d /c taskkill /t /f /im "rdrleakdiag.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\rdrleakdiag.exe" > NUL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im "rdrleakdiag.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1820
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1688
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe" > NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "8e8f6906971c9e1ab1f2501fc964ed7b_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2872

C:\Windows\system32\taskeng.exe
taskeng.exe {6CBCEA90-2EC1-4724-BD17-0214CB690F0E} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\rdrleakdiag.exe
  C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\rdrleakdiag.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2044

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html

Filesize
19KB

MD5
26be679947add3a1c08d61be9bbffc03

SHA1
5a520ee78ec368f3175dac7cb94335fc98c1c6a8

SHA256
2917a93a80aba08d1f0931a1be4f4210cc63810076a0aed01de4a632c12184c9

SHA512
42259e60ea3cab8adc892d9a5b0fd08f2d9df8dc4b289b16197291eb047bf01ffa9962dac374c5dfc2231adb411d39fa6e9df9514435e5e977cfc64823aa3515

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d82c82458748d06f1ffcee51c9fe4ab7

SHA1
f5b1a56ca1dac6651a0145e630403e50f831bf0e

SHA256
d5c7b09421480f33ffe97c59c2ab871eb3f526c1054ba28df36c9d739028f1f4

SHA512
fe82d1e0482a554c2a42af9750ad58b38f3873c0ebd32ed6396f26d2400601cb5a4442bf370f2364bfffea1c4ae888624c42de4373517b832718a216cf0471a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2549e2c2c916560be3ed52cf9f728979

SHA1
641961e99416d588c996136bb513d8265f9575fa

SHA256
5d1c6ae695129f22eb04c652e3117f0edc8cc9ce2d74118f2c003a23de68cdad

SHA512
29a948bfc7bc55839b26014d03b9557eca73ed55bd17d95af21f3158bdb38ad981d4ef0017e3f7b76c63454801361b9309bdb347209026f92a5cdab66e39086a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
671314c73a91cf944639ba48dba076c1

SHA1
6fc2ec32fba93110088f64e0979fdc0cf0f7e228

SHA256
c8b12ae99255ef971640ba4e9dc8f2314f0b068d273ced17268ec5c68102b5c6

SHA512
c7b8952a992d42b22b5aa89d02ad20c39a2d6a3018e1b8641d37c4b19ad8edd548581c31bb97f34c9b9efc966b2d9d51e332b74d1ffa7e7d90e9dc099f49d959

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42b90b5fc1c8da0fbf41c974e893bf44

SHA1
60ec2ffad2f95d6735dfe86498a4d04374af76ed

SHA256
b2ebd51e017f86f376afa323e7f0aaf6fac195c0ea431d448abd5b983c2450ef

SHA512
3aa528b248cbe358313e84ebeeea31022c61cc2e70b4979c821fa0076c12fd5c864c9d11f3b41fac545fbfc34b03c74491c793efea3983a774245de8fea780b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da12371c8d6120e32ad499766820dbb4

SHA1
5d7db8c1569106875b2b1ab2ef61cd26fcaa75e3

SHA256
eec05bb2576b5f50d43ac48dfd180ae2e6c63b7b7cb27e4849e04fdc9b7eb75c

SHA512
1fd542a82f24cf20fa2576face479d6224eb7f0e82cc0d588e52006f5744242d142b88a1984927ad87b2574272d35b4c23a347e6c0466647ca9d5f9bcd1e2ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23231f76efb5c51a65170f732809e071

SHA1
8f2f26fcac532e065c6704def8a18df89af93b7e

SHA256
ec0e1320c4643ddce0aefbb10197ff501b806ac699e4641e38d6316b2f2641b0

SHA512
64b11d2989c50a5ccdb0d709c6986b3f40fcb0580ee98e38da50194c34ba77492cb76d983ff43820095e9e094a450dc387f3d35dab87a7529c13adbdab872b75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0221521a902a94d6defcffe9ddd8b6ef

SHA1
f0a722ab46c77c94f78be863d0a6e3240d152179

SHA256
45b1ddf3773ac842fa86044c3a1bfe48be5dc6a4789f935e9bd9579424fd62f4

SHA512
8ef02a72bb52f200c6117da6c85b9e2981de450edb15138f61b6fdb6a64422900438e94037bb1e6a6b3a34acb5d3e1136e6b38f6fa9cc1a2d22dd80810fc224d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21195e2ebedef68c0278b1063b74d1c5

SHA1
15af3fab46ea9dda163b0bd0137927ff1cb5cba1

SHA256
7c58a2720bf6d7515a71fc0d389095bf4adc9624624710bddb49d8c9b35e0ff7

SHA512
75934095beaa1ecd5c86b7490f52546e41c1bd0f16037d4561c1a9f78ab018a68c86b9e1d9e9095e2242316e09c3da4a0beeb99fb2b86bf774fbd30bfa0959f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7629f3050c2cb138811cfcae32fa3a41

SHA1
4f0cc99f76c8cf9fac04dd6249da4625b2963bdd

SHA256
2d8c3c894db3547bf2c2d6853e40a2f6e535ab43455373ea180ff139e043f0c4

SHA512
e26cce3c9844de9f9f1f1af21251f169ded77c97570180b9eeac28ea6b048600d7d2a382ea943b6d6159459e378bd4962707d3293d4a38185b9a2317d081628d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
223dc5dca7053166c7f86e67cb7aa9f3

SHA1
ee20b20f93818c267c8bc211de24b60a5a7a0283

SHA256
68988f0584db4373e6e6f3454e757f22aa46ac546c6261539aa5697bd266064f

SHA512
fbd20952718115d5a4c882fe9763f52dd06a93b24d326ff9db8f98976b729373b2054aa7954d2f467d041855eeb48011f5d05fe3f5fd0423c6247c95981d6f9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cff54f55c4e4ddf7c568dae8791e7131

SHA1
6ebf819066261f2001510fdacb88cd04b90d5625

SHA256
fd0eb00e806922cdaf0f7718a3a8812ec64b2f92c08908ee8e27e45f0c43a41e

SHA512
af1f519cf8222c145c70c9a3c1244f31c58d1b71ecb14e293b9e00ca3d73dd0ba5bb29625ceb8c17a6741168526b8e4e4787769580eaabeb3afb203a17863bf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
772ad4ebb0167205ee33ed69da1fbd13

SHA1
d058ebd936e49df4c300ffc2ee33ac3ac6cc7b29

SHA256
64f167a39d09277b2d2c49e3e4ddd166f4de496250ae8a4dc42d2c69b6b3135f

SHA512
632b4b59b400ab76569f4c2789735b907bd8ce387f3a0069696a04f6ca5b3889f31c4eefc70e83ddf94efc20f8f738619ef91178d584e383088e962ea47bcf37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11027669f62893e191fcbd78cc4749ae

SHA1
55e964db657859d266661ccf8ef97343d75434d4

SHA256
587b513c64a98b8a51008dc8fba4c6374359d2a8f981ca3e70159a0e26cdfd6d

SHA512
0c8654425b32fdacd3494cc2390cf0323fc28d3d9e1b9b912ec89c76720d2433cc0b9a3a5fbfe7e2f339d9164a41ed65912cd877d24ffc89bd651edc2c4edac7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d2d1d9cf2f1c3ce498df8001f4ee0ad

SHA1
d9743a689f9d1dbc3892af8cdca5e109bdac5fdf

SHA256
1bdc5e7eb05372a672d9eaf2667820a20b65ea56b7e159be0f3c65b7590b05f3

SHA512
1c30cf5cf1832a88702edab9d393ba323ce61616e761466ad2ca25a5ec691aa6d5babe280b1b0c1ba068d26cb0f3541f2315d58e7970674579efe284001e02db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f6d77a5e24cfe0fa9fbd408505d9555

SHA1
9405d78c19c0f331a08bf5a4962643d5cf3ecd9a

SHA256
02eb01f35ac3056c307e9a4feda7e2be7f17979a8ee7ea59cf9350eb31b13413

SHA512
09692f48eb0ffd4321a01ace348a241c61e17fcb03b108e04be49183fe2601756b85a36607dfb07179ff340e50c52c5ae11795b7ef83e6da96dbf65d5b6788fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edc5d940191b553ad8c05a5410f83b5c

SHA1
e2d0fb88ed5716208b3b1d233195b4d73671051d

SHA256
dbaf4ad7442da37a8270c09e445cfb5e3957224f1eb6d5c455a113f8d3b167c1

SHA512
a3f33defe41d9926ee900a5cc21c4c8a34cce4dde012520f6340acb31c8477b2fae2032d89ca9dd166ad1f47a1f39990834bbda27ef1f510b3364e1c8aad2894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97263e20bea84757672623b5d20080e9

SHA1
0d812239eb800ac93c84d7fec31f978b32f4041b

SHA256
90071a82e439e2fd5068e80578b94291dc46cb99154c63c9d04b40001edb3fe3

SHA512
a970f7e2da0cc59986fd84d2542bbdcce9dfbcf9fce9f6fdbda5266bb0ac753add531d613be59e11d11b83b9a353c50f4bfc55e19349405bc16e09f74a9abab0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5cede4ee0c622483d8d091586cd8a97

SHA1
915cdce1703d4f1f600a5027d3a64ab2a5ea23da

SHA256
07cac803608f768a13e17067b04b5d9156b5c04182726a713443a67d1b8d2094

SHA512
4c84b2342cf5613789ea5f51658f707a9039dd6aacb53b198d3bfcf8a7b6adec0d089e21375d9ce5a23a4aa30af837d22216bd74aa8984e847dd884847d4d790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba519751f7604af5e51d797cdb1e747a

SHA1
527fd51deea4c778a96b49e0a3c86e63ee6645c9

SHA256
4dad6fa3a6d15bc6c2a12e58848d710c945567c61901aff3ce7d632e4384ce34

SHA512
20957299f891396994b270dc0bdee21227454c00a07f086c3898fbee80ccbca15dd582b182ce77cf52d2b49e6d2950ac0b139a6a74e521368a57796223fe4511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b18689dbf8b3445697602fb1512f3ad0

SHA1
1752285d0f384a86b9979125006af59d387b43ee

SHA256
4bd24615deb6ada924c0e671f4b518e94e88e7dfd2d780a18586b713bc09aa62

SHA512
38f15227e06b2ceb57e574b5c037bda398ab9663e77f8042c933fc6905bc24d1b4e80b3ad5aaf06d45124e57a8f596bb69547392aa5541a750bdab0de27bb9c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1d426fb9da0e2ad7c57aed30bd53cf2c

SHA1
db29d893bd0509c2adb8ee69da30b760aa7bbca6

SHA256
8c0f8ea26809627ba37e38d8a77fb9439fee07e0d58314acec0bf1e20dc2f64f

SHA512
5d3f540b033ead155fe0724e9dd4f728c93a152bd1a946b41139da010f5f101420525146b8f9df7d9f5ad53d4b3927899ecf3dd69eb5905f5a1b702af5edd8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6990FF21-9A64-11EF-9A84-E699F793024F}.dat

Filesize
5KB

MD5
1bf49b02fcda08a4457965755741f938

SHA1
f721b2a9319aa6723c2bf2257cc6dd82610a5f40

SHA256
e962d76303a4b625858a87237b0d8a025dfa49cf9c433e6a256551d0493b9947

SHA512
6fd5d978739a65441d1aeee32655b38451f0e110875966ed3ad8b6dbca1ef7a88557d3929c2ab9622ed2f368de5d437c1c76b834f88874b3afff36358724eb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3FFE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar40CE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk

Filesize
1KB

MD5
612ee3c068de64c2c3a5e1bf56e9b066

SHA1
e64c8346eac40b08bcef2078b542220cf3ee9160

SHA256
1ba18483b109e0c03b5e66ef7fd92e3ae2566576e1574e638ba0a5763448e18a

SHA512
04fa2a78083711a61a386917abae8f8cb1fb10175f2c219beac8d0a8ced6b92a34e980072a663dbdceb45cb6f453494dffd1ff1859c6eac4faea028620911ba9

Download Submit
C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
126c931b1ed1ae13a4ea06b708bdf4ca

SHA1
571e4490155645f5780ee01ca6a83bd32405b1cf

SHA256
9a2b5a8b293c2bb08903863f0fb9164d3deb9230f0a2d655f91212d0ecfcd03a

SHA512
e323bcbe1d79a77895123715f2a9a02728db482bed2e876a7e32e382c3b5a58fbcd0dc25e7bbce691166d6f30c684e29f893e358de8df5a694c0ccd24d77f6c1

Download Submit
C:\Users\Admin\Music\# DECRYPT MY FILES #.url

Filesize
90B

MD5
3282b85cd43c83bb7dabb8130a25471b

SHA1
f7979483df73a00074a876f6d5edbb71e0b29e7a

SHA256
8efceabcaba442d67630fafdb3dc3d41ce3b9e5ebe5f82050202ee486b3b0043

SHA512
039e7ce55228efed915d293479b396facde218a7388c0909ec1a5c7a5476be7736e27abb236d4c6a8beaa7399aa34a080e46a71385de4ab14ed150f95a3f5b11

Download Submit
C:\Users\Admin\Music\# DECRYPT MY FILES #.vbs

Filesize
213B

MD5
1c2a24505278e661eca32666d4311ce5

SHA1
d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee

SHA256
3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628

SHA512
ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

Download Submit
\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\rdrleakdiag.exe

Filesize
264KB

MD5
8e8f6906971c9e1ab1f2501fc964ed7b

SHA1
49c3ce2c107bbd56ae100d2791431ecac5a911a2

SHA256
ae92a50a665ad98b9be56a48026f45f479b9058541687d94ed390be55c1eb4a5

SHA512
4e1275226c49c5b1f299c579084393e5cf5e0b9028a0419873cb0d397a30620d7387a79b7c9b772a6f21d0ba03323f132885f6133a56f19987218d3456fcd455

Download Submit
memory/2184-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2184-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2392-0-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/2392-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2392-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2392-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-485-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-437-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-439-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-449-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-441-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-443-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-445-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-447-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-421-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-417-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-460-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-484-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-454-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-472-0x00000000035A0000-0x00000000035A2000-memory.dmp

Filesize
8KB

Download
memory/3064-462-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-21-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-20-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3064-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3064-435-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-452-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-456-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-459-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download