Analysis

  • max time kernel
    167s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    05-02-2022 21:41

General

  • Target

    022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe

  • Size

    99KB

  • MD5

    20abc2fc4ae0ddc631322df67c828c17

  • SHA1

    30fc7b84a438df84624e79d5365d4bd959fb5f72

  • SHA256

    022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

  • SHA512

    cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

Malware Config

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/D0B9-7690-D2D4-0006-4D1A 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�
URLs

http://decrypttozxybarc.onion/D0B9-7690-D2D4-0006-4D1A

Signatures

  • suricata: ET MALWARE Ransomware/Cerber Checkin 2

    suricata: ET MALWARE Ransomware/Cerber Checkin 2

  • suricata: ET MALWARE Ransomware/Cerber Checkin M3 (14)

    suricata: ET MALWARE Ransomware/Cerber Checkin M3 (14)

  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
    "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
      "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
        "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat -1 -wait "=a-Akau5uWl9~{s!#h^+DMlH(vSVs"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
      • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
        "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4188
      • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
        "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat 94
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1660
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          3⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1156
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc421846f8,0x7ffc42184708,0x7ffc42184718
            4⤵
              PID:4724
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
              4⤵
                PID:3460
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
                4⤵
                  PID:4808
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
                  4⤵
                    PID:1160
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
                    4⤵
                      PID:2500
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
                      4⤵
                        PID:2380
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 /prefetch:8
                        4⤵
                          PID:5056
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
                          4⤵
                            PID:1744
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
                            4⤵
                              PID:4736
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                            3⤵
                              PID:1928
                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                              "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat 94 -wait "fJ6yWW{F[G4HP@_<c#)gAVg^{C57M"
                              3⤵
                              • Executes dropped EXE
                              • Checks BIOS information in registry
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1712
                            • C:\Windows\system32\cmd.exe
                              /d /c taskkill /t /f /im "expand.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" > NUL
                              3⤵
                                PID:888
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /t /f /im "expand.exe"
                                  4⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4824
                                • C:\Windows\system32\PING.EXE
                                  ping -n 1 127.0.0.1
                                  4⤵
                                  • Runs ping.exe
                                  PID:3796
                            • C:\Windows\SysWOW64\cmd.exe
                              /d /c taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4464
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4512
                              • C:\Windows\SysWOW64\PING.EXE
                                ping -n 1 127.0.0.1
                                3⤵
                                • Runs ping.exe
                                PID:1976
                          • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                            C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4908
                          • C:\Windows\system32\AUDIODG.EXE
                            C:\Windows\system32\AUDIODG.EXE 0x33c 0x3d8
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2164
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                            1⤵
                            • Modifies data under HKEY_USERS
                            PID:4192
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4240
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                              1⤵
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              PID:528
                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                              C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                              1⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:948

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\json[1].json

                              MD5

                              6aae9f9d151f331526525f46fccae36a

                              SHA1

                              1957facf14140ebb1a79409db3754656e11e5653

                              SHA256

                              c699235148818f9fe1d1b247ec6d81c17741c4d7d10708b94e45a1f92ef14f17

                              SHA512

                              6da0e8aa7c0f7d19ad4751c00b2a00916cd00c115d8de76c3a63b85218a474a014d8523220e5950f97ad8ff03ef1908e86b776832c0e7c6d5b64aefa27911221

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\json[1].json

                              MD5

                              6aae9f9d151f331526525f46fccae36a

                              SHA1

                              1957facf14140ebb1a79409db3754656e11e5653

                              SHA256

                              c699235148818f9fe1d1b247ec6d81c17741c4d7d10708b94e45a1f92ef14f17

                              SHA512

                              6da0e8aa7c0f7d19ad4751c00b2a00916cd00c115d8de76c3a63b85218a474a014d8523220e5950f97ad8ff03ef1908e86b776832c0e7c6d5b64aefa27911221

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\json[1].json

                              MD5

                              6aae9f9d151f331526525f46fccae36a

                              SHA1

                              1957facf14140ebb1a79409db3754656e11e5653

                              SHA256

                              c699235148818f9fe1d1b247ec6d81c17741c4d7d10708b94e45a1f92ef14f17

                              SHA512

                              6da0e8aa7c0f7d19ad4751c00b2a00916cd00c115d8de76c3a63b85218a474a014d8523220e5950f97ad8ff03ef1908e86b776832c0e7c6d5b64aefa27911221

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk

                              MD5

                              80a0adcff2b2024a62b6df336d87fc09

                              SHA1

                              969ed6415a4ac15d1bd9b8f8d5dfbe5cf384c581

                              SHA256

                              c189f08ad5805ef400e04e53ebddcd5aae32ac0a631a89b05ca660588badd342

                              SHA512

                              28023d5e6b3916cc9b5e2c9976f8ec869114ae0605653993590ff1bec8fd8037f6b9d771d355308d4eb00c0096922387ed38050ed8ef5b92394808d0eccc134b

                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe

                              MD5

                              20abc2fc4ae0ddc631322df67c828c17

                              SHA1

                              30fc7b84a438df84624e79d5365d4bd959fb5f72

                              SHA256

                              022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

                              SHA512

                              cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe

                              MD5

                              20abc2fc4ae0ddc631322df67c828c17

                              SHA1

                              30fc7b84a438df84624e79d5365d4bd959fb5f72

                              SHA256

                              022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

                              SHA512

                              cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe

                              MD5

                              20abc2fc4ae0ddc631322df67c828c17

                              SHA1

                              30fc7b84a438df84624e79d5365d4bd959fb5f72

                              SHA256

                              022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

                              SHA512

                              cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe

                              MD5

                              20abc2fc4ae0ddc631322df67c828c17

                              SHA1

                              30fc7b84a438df84624e79d5365d4bd959fb5f72

                              SHA256

                              022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

                              SHA512

                              cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe

                              MD5

                              20abc2fc4ae0ddc631322df67c828c17

                              SHA1

                              30fc7b84a438df84624e79d5365d4bd959fb5f72

                              SHA256

                              022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

                              SHA512

                              cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe

                              MD5

                              20abc2fc4ae0ddc631322df67c828c17

                              SHA1

                              30fc7b84a438df84624e79d5365d4bd959fb5f72

                              SHA256

                              022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

                              SHA512

                              cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe

                              MD5

                              20abc2fc4ae0ddc631322df67c828c17

                              SHA1

                              30fc7b84a438df84624e79d5365d4bd959fb5f72

                              SHA256

                              022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

                              SHA512

                              cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe

                              MD5

                              20abc2fc4ae0ddc631322df67c828c17

                              SHA1

                              30fc7b84a438df84624e79d5365d4bd959fb5f72

                              SHA256

                              022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

                              SHA512

                              cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

                            • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

                              MD5

                              1357438938043a6c3b6e0112f0d41288

                              SHA1

                              1e5ffb3daa9640814773b93eb5fff41bbeb5032f

                              SHA256

                              38fb951ac813f91b4d0d974b8887fb7c42b6f564ec2f9c27c61a7e09317d8553

                              SHA512

                              fac43821cf25c864acc627eff2bff516f4504fee653add5f1bc5ba0df322af8acb320238bd02f480211bad3333c47c0bbf997daa47d802743de5d335d139dea5

                            • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

                              MD5

                              5ea9047a3e6f390a8513c4229e9cf9f4

                              SHA1

                              8bd71446a14c947a8fd443cd68dd4660e699b777

                              SHA256

                              103907eaae027d008eb389842b9e80852cd743245f1bdfc76ced06d4f9ec1976

                              SHA512

                              c717ea2c3349b215741affd78f73a069f90abb4795bb7fc1b530f04be1da710cefec67a768acf6b3297ea49f18e34b7a32252cf81043bae4eb250eaafca7aa98

                            • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

                              MD5

                              e9ffd9f618cbf36ad6c910c161bb8080

                              SHA1

                              a702b4220bbded577b4b699611bb73593b12ae71

                              SHA256

                              020ca4b4574a40418b8aa4c2d74b0488e9d150e8d3f5e56e5c6dcca6f7dfaaac

                              SHA512

                              ee87264e384579df7b74d7ac08e9a490495efa34f1a99e2d4949cb76b839c165fbb281aacae25f4ab7e911401c7bfa3fba4b0e59dd492566985fb8dbd1cf1bef

                            • \??\pipe\LOCAL\crashpad_1156_AQOPOKMRIGVSEUXE

                              MD5

                              d41d8cd98f00b204e9800998ecf8427e

                              SHA1

                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                              SHA256

                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                              SHA512

                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                            • memory/528-392-0x000001C8F5940000-0x000001C8F5944000-memory.dmp

                              Filesize

                              16KB

                            • memory/3460-226-0x00007FFC5F770000-0x00007FFC5F771000-memory.dmp

                              Filesize

                              4KB

                            • memory/4192-143-0x000002708BB80000-0x000002708BB90000-memory.dmp

                              Filesize

                              64KB