Analysis

  • max time kernel
    139s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    25-10-2020 19:01

General

  • Target

    75f5c417a7ef4076d5730ce3e847d5bf.exe

  • Size

    261KB

  • MD5

    75f5c417a7ef4076d5730ce3e847d5bf

  • SHA1

    a4931cd472f217de0056877ddd446c9a6627d1cd

  • SHA256

    b2f644f5e3d2040ef24f9ca3a36de0c8606a00f30a0da4fbad471db7d2b2a377

  • SHA512

    1fcf09a65466684ade22a1bcd56ff2c7943c5535dc3fcfcfa8a0188b219011cc0f46abafad26bbe7ea9d72253d0c7b8804072cffa1413235699b9e38240e9e25

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community #Cerber+Rans0mware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2 | | 2. http://cerberhhyed5frqa.onion.cab/2696-1C4D-B3CE-0000-0DB2 | | 3. http://cerberhhyed5frqa.onion.nu/2696-1C4D-B3CE-0000-0DB2 | | 4. http://cerberhhyed5frqa.onion.link/2696-1C4D-B3CE-0000-0DB2 | | 5. http://cerberhhyed5frqa.tor2web.org/2696-1C4D-B3CE-0000-0DB2 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/2696-1C4D-B3CE-0000-0DB2 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.onion.cab/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.onion.nu/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.onion.link/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.tor2web.org/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.onion/2696-1C4D-B3CE-0000-0DB2

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note
C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2 http://cerberhhyed5frqa.onion.cab/2696-1C4D-B3CE-0000-0DB2 http://cerberhhyed5frqa.onion.nu/2696-1C4D-B3CE-0000-0DB2 http://cerberhhyed5frqa.onion.link/2696-1C4D-B3CE-0000-0DB2 http://cerberhhyed5frqa.tor2web.org/2696-1C4D-B3CE-0000-0DB2 What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2 appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://cerberhhyed5frqa.onion/2696-1C4D-B3CE-0000-0DB2 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.onion.cab/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.onion.nu/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.onion.link/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.tor2web.org/2696-1C4D-B3CE-0000-0DB2

http://cerberhhyed5frqa.onion.to/2696-1C4D-B3CE-0000-0DB2);

http://cerberhhyed5frqa.onion/2696-1C4D-B3CE-0000-0DB2

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 252 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\75f5c417a7ef4076d5730ce3e847d5bf.exe
    "C:\Users\Admin\AppData\Local\Temp\75f5c417a7ef4076d5730ce3e847d5bf.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe
      "C:\Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1044 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:796
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1564
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1988
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "w32tm.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1820
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "w32tm.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1416
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2076
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "75f5c417a7ef4076d5730ce3e847d5bf.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\75f5c417a7ef4076d5730ce3e847d5bf.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1856
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "75f5c417a7ef4076d5730ce3e847d5bf.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1904
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:368
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {C48945C1-B26C-4AF8-812F-4ED3DE324AA0} S-1-5-21-4210623931-3856158591-1213714290-1000:VDIPBIOF\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe
          C:\Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:1256
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1828 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:740
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:1504
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x574
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1552

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Defense Evasion

        Modify Registry

        4
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Remote System Discovery

        1
        T1018

        Collection

        Data from Local System

        1
        T1005

        Impact

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EABE50E1-1705-11EB-BD6E-7E84EB346C39}.dat
          MD5

          1ce61f1c1f7fc9557b1fa7bb7c0c6b30

          SHA1

          a5e10e48e7d9d176f32dc56b1e40d480734bcf51

          SHA256

          0b9d92f53208383007626ce604ed720656d45b688204f65c9bea182007b56528

          SHA512

          245e81b0b9b8c4702db511f95c205e321cdb2dc682a33614c47b9de3b6c10ba3de7f126d3c776f3f8d07bd8a4abe57197351a7608844aa952985a587f2ad9ddd

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\623NJA7M.txt
          MD5

          a2e38d020e8827df12ec308622f151d4

          SHA1

          45a9152c7f4020707309fe5ee4ef22efde5329e7

          SHA256

          de330c2e4a30e008474a0e39eeae3a8866ffa5a5e0e6cf8f31d6de5e05997113

          SHA512

          b0ebb164410e7e5f03c6c44710e7240c25acae5d66b21f40feb4d58b2adcc44e4c3a75a6bc90c870ee6a8bd2f6120f50435a17a9d44de880773d67d70f9aa596

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\w32tm.lnk
          MD5

          a69813818ae7108964a3a1947bdce9ab

          SHA1

          d192c99bde38f22fa5cfc179fb5c79ca1205bd93

          SHA256

          e95b7ff13b9ab9c92aefdead7ece5dd033a47dc2b263d368d470779bbc39c16a

          SHA512

          d7cdbeae81c706350329d1a02ac64a7689f2bbc42c2665dac581a86db998f7aecce7b180135bd938f8b2192b9e213989895249e3d6bd3ab51dc939d28ab1cbed

        • C:\Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe
          MD5

          75f5c417a7ef4076d5730ce3e847d5bf

          SHA1

          a4931cd472f217de0056877ddd446c9a6627d1cd

          SHA256

          b2f644f5e3d2040ef24f9ca3a36de0c8606a00f30a0da4fbad471db7d2b2a377

          SHA512

          1fcf09a65466684ade22a1bcd56ff2c7943c5535dc3fcfcfa8a0188b219011cc0f46abafad26bbe7ea9d72253d0c7b8804072cffa1413235699b9e38240e9e25

        • C:\Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe
          MD5

          75f5c417a7ef4076d5730ce3e847d5bf

          SHA1

          a4931cd472f217de0056877ddd446c9a6627d1cd

          SHA256

          b2f644f5e3d2040ef24f9ca3a36de0c8606a00f30a0da4fbad471db7d2b2a377

          SHA512

          1fcf09a65466684ade22a1bcd56ff2c7943c5535dc3fcfcfa8a0188b219011cc0f46abafad26bbe7ea9d72253d0c7b8804072cffa1413235699b9e38240e9e25

        • C:\Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe
          MD5

          75f5c417a7ef4076d5730ce3e847d5bf

          SHA1

          a4931cd472f217de0056877ddd446c9a6627d1cd

          SHA256

          b2f644f5e3d2040ef24f9ca3a36de0c8606a00f30a0da4fbad471db7d2b2a377

          SHA512

          1fcf09a65466684ade22a1bcd56ff2c7943c5535dc3fcfcfa8a0188b219011cc0f46abafad26bbe7ea9d72253d0c7b8804072cffa1413235699b9e38240e9e25

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          MD5

          c69df29d2ffb29c07c1614930ef18c78

          SHA1

          c5e98e1edf13f0c296ff2ce53d1f526cb16fcf66

          SHA256

          a4a33b775ec2cc70b539c5650660f1812d90379d71a17def7f2559876b295afc

          SHA512

          6814186bdce44fc1674e4f895df1a8cacbb3ab2683291bf26f6de396651fbe7281b739c19e73ed5becc293c0eb57d01397d95d26ac4bb442a7fc3aed08fdfce0

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
          MD5

          1992b9ace6be9ebfe8fec5113106c031

          SHA1

          b71b0fe10ae88d35d3827f47a723f3fb3d10990e

          SHA256

          936298c21dea872cf3abb18023e6c284a40f833a788b333e7283f70a15463f65

          SHA512

          0cae01f17667ef09782ad6a801a8e77936a602d4ece372f2a9ab389c7dd82b3ab22437753055660f2ba0ec46b7d647dad0d324c7b4fbfa69d89c2b59e0f796de

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
          MD5

          8d21b493471c8275de3e95666da2950b

          SHA1

          605d3dfe858df98a457a72e7ff173d395c96e4e0

          SHA256

          c5761e00131a1fba912dd6dad43dbb5d28db0afebd585c49c041fde05a14a25d

          SHA512

          c86e2b1ca0cec6a41e9e13cad9b46409cc683b6cc24aab486786567292e2b26341b769582c95bb6bda7b5571a906c6ad7168f3156033c93f635ed635ff370e46

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
          MD5

          6f84dbf74ef41dc3d861f5fb3e0f45ff

          SHA1

          3e5f17e9b9589f33ce6add7f2518a666ff2253a4

          SHA256

          df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8

          SHA512

          9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a

        • \??\PIPE\samr
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • \Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe
          MD5

          75f5c417a7ef4076d5730ce3e847d5bf

          SHA1

          a4931cd472f217de0056877ddd446c9a6627d1cd

          SHA256

          b2f644f5e3d2040ef24f9ca3a36de0c8606a00f30a0da4fbad471db7d2b2a377

          SHA512

          1fcf09a65466684ade22a1bcd56ff2c7943c5535dc3fcfcfa8a0188b219011cc0f46abafad26bbe7ea9d72253d0c7b8804072cffa1413235699b9e38240e9e25

        • \Users\Admin\AppData\Roaming\{802AADF0-CB9C-FB96-84D3-6C0834BDF578}\w32tm.exe
          MD5

          75f5c417a7ef4076d5730ce3e847d5bf

          SHA1

          a4931cd472f217de0056877ddd446c9a6627d1cd

          SHA256

          b2f644f5e3d2040ef24f9ca3a36de0c8606a00f30a0da4fbad471db7d2b2a377

          SHA512

          1fcf09a65466684ade22a1bcd56ff2c7943c5535dc3fcfcfa8a0188b219011cc0f46abafad26bbe7ea9d72253d0c7b8804072cffa1413235699b9e38240e9e25

        • memory/368-7-0x0000000000000000-mapping.dmp
        • memory/740-16-0x0000000000000000-mapping.dmp
        • memory/796-15-0x0000000000000000-mapping.dmp
        • memory/1044-12-0x0000000000000000-mapping.dmp
        • memory/1256-9-0x0000000000000000-mapping.dmp
        • memory/1416-27-0x0000000000000000-mapping.dmp
        • memory/1540-1-0x0000000000000000-mapping.dmp
        • memory/1564-13-0x0000000000000000-mapping.dmp
        • memory/1820-26-0x0000000000000000-mapping.dmp
        • memory/1856-4-0x0000000000000000-mapping.dmp
        • memory/1884-6-0x000007FEF6940000-0x000007FEF6BBA000-memory.dmp
          Filesize

          2.5MB

        • memory/1904-5-0x0000000000000000-mapping.dmp
        • memory/1988-20-0x0000000000000000-mapping.dmp
        • memory/2076-28-0x0000000000000000-mapping.dmp