Analysis

  • max time kernel
    151s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 21:34

General

  • Target

    47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe

  • Size

    265KB

  • MD5

    478e706e3f0e7b95cc63ebe380d4377a

  • SHA1

    e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

  • SHA256

    47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

  • SHA512

    8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

Malware Config

Extracted

Path

C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227 | | 2. http://bqyjebfh25oellur.onion.cab/B173-8CFE-013F-0000-0227 | | 3. http://bqyjebfh25oellur.onion.nu/B173-8CFE-013F-0000-0227 | | 4. http://bqyjebfh25oellur.onion.link/B173-8CFE-013F-0000-0227 | | 5. http://bqyjebfh25oellur.tor2web.org/B173-8CFE-013F-0000-0227 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://bqyjebfh25oellur.onion/B173-8CFE-013F-0000-0227 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.onion.cab/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.onion.nu/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.onion.link/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.tor2web.org/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.onion/B173-8CFE-013F-0000-0227

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note
C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". If you are reading this message it means the software "Cerber" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: Please wait... http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227(Get a NEW address!) http://bqyjebfh25oellur.onion.cab/B173-8CFE-013F-0000-0227 http://bqyjebfh25oellur.onion.nu/B173-8CFE-013F-0000-0227 http://bqyjebfh25oellur.onion.link/B173-8CFE-013F-0000-0227 http://bqyjebfh25oellur.tor2web.org/B173-8CFE-013F-0000-0227 What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is Please wait... http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address Please wait... http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227 appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is Please wait... http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://bqyjebfh25oellur.onion/B173-8CFE-013F-0000-0227 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227(Get

http://bqyjebfh25oellur.onion.cab/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.onion.nu/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.onion.link/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.tor2web.org/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227);

http://bqyjebfh25oellur.onion.to/B173-8CFE-013F-0000-0227

http://bqyjebfh25oellur.onion/B173-8CFE-013F-0000-0227

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 8 IoCs
  • JavaScript code in executable 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 217 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 360 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe
    "C:\Users\Admin\AppData\Local\Temp\47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Roaming\{B41C886F-C036-B863-F7F7-D2EFEF05198C}\Fondue.exe
      "C:\Users\Admin\AppData\Roaming\{B41C886F-C036-B863-F7F7-D2EFEF05198C}\Fondue.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:492
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:3576
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:3956
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "Fondue.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B41C886F-C036-B863-F7F7-D2EFEF05198C}\Fondue.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4356
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "Fondue.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4404
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:4492
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe" > NUL
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3128
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:752
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:2648
      • C:\Users\Admin\AppData\Roaming\{B41C886F-C036-B863-F7F7-D2EFEF05198C}\Fondue.exe
        C:\Users\Admin\AppData\Roaming\{B41C886F-C036-B863-F7F7-D2EFEF05198C}\Fondue.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3672
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
        1⤵
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:356
      • C:\Windows\system32\browser_broker.exe
        C:\Windows\system32\browser_broker.exe -Embedding
        1⤵
        • Modifies Internet Explorer settings
        PID:1504
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1084
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1248
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4124
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x404
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4300
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:4744

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018

      Collection

      Data from Local System

      1
      T1005

      Impact

      Defacement

      1
      T1491

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Fondue.lnk
        MD5

        2c7e2acc04545510638b7bc17582af9a

        SHA1

        486667d0f6dafaa007259d65285dedb5745f7ac5

        SHA256

        cb37df4c67134867982105ae97dd57ac31c70f80f4317bd85399875de58f45ec

        SHA512

        33488efed8ab6c6344cf6d12d6948824eb90ebbbd19e6b5587f830115388e21a515a0049eb9ea82ed047af5efa3f134289a19e6cbcdfec6cf2c5daba7827cd56

      • C:\Users\Admin\AppData\Roaming\{B41C886F-C036-B863-F7F7-D2EFEF05198C}\Fondue.exe
        MD5

        478e706e3f0e7b95cc63ebe380d4377a

        SHA1

        e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

        SHA256

        47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

        SHA512

        8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

      • C:\Users\Admin\AppData\Roaming\{B41C886F-C036-B863-F7F7-D2EFEF05198C}\Fondue.exe
        MD5

        478e706e3f0e7b95cc63ebe380d4377a

        SHA1

        e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

        SHA256

        47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

        SHA512

        8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

      • C:\Users\Admin\AppData\Roaming\{B41C886F-C036-B863-F7F7-D2EFEF05198C}\Fondue.exe
        MD5

        478e706e3f0e7b95cc63ebe380d4377a

        SHA1

        e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

        SHA256

        47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

        SHA512

        8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        MD5

        71dc007fe05156908037b9736c255610

        SHA1

        ecfab206acf0529d7f032217826ae947c5c36efb

        SHA256

        719df0310691c45b039b859fad7b5feb30d296ef1c996d71ad20be38dc6e73fb

        SHA512

        8302c63ad321730cf1754ea2f6f7a7e71bff958a7cdf87022167cf9bdad76d791d06d8836b2ed73db5979bd794c2acea1761db2c45451677c3ec9564fda6c0dd

      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        MD5

        6d06e83ad9e3c2fa90792cacbc439945

        SHA1

        d74e41cabc37cdd6b834a0613465c1116c7d8bc4

        SHA256

        bab117040f9949d7d1187d79258335d94c8d494f79adc740f9beee0672445e28

        SHA512

        fdcccaecbf35c446606d8dfaa7b2d9f62cfc6c5be3ec2d68784647db9f4c23e2a4b19d0973c7d2c9ed367bc12ae5cc0d7d8f025dea78d98b9079248f794401f6

      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
        MD5

        1c2a24505278e661eca32666d4311ce5

        SHA1

        d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee

        SHA256

        3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628

        SHA512

        ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

      • memory/492-0-0x0000000000000000-mapping.dmp
      • memory/492-11-0x00000000083D0000-0x0000000008AE1000-memory.dmp
        Filesize

        7.1MB

      • memory/752-4-0x0000000000000000-mapping.dmp
      • memory/2648-5-0x0000000000000000-mapping.dmp
      • memory/3128-3-0x0000000000000000-mapping.dmp
      • memory/3576-9-0x0000000000000000-mapping.dmp
      • memory/3956-13-0x0000000000000000-mapping.dmp
      • memory/4356-15-0x0000000000000000-mapping.dmp
      • memory/4404-16-0x0000000000000000-mapping.dmp
      • memory/4492-17-0x0000000000000000-mapping.dmp