Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    13-05-2024 22:47

General

  • Target

    3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe

  • Size

    243KB

  • MD5

    3ce23461e15c48785716ecef4a2f9be8

  • SHA1

    f8cb374c9d216f3859cd0e681ad79fb7e7e8f84d

  • SHA256

    af2c25f184a8542888750b7d150d955c638c3ee1633933b7262dcb6a1b82d0e2

  • SHA512

    eb9da01bba9f172c90b8c330f8b52c6534429c72bac6b65179564fe0e82f738b7233461220163d55a92b62d665cde82e1243cdcb9f3752271707ab6f56ef9a7c

  • SSDEEP

    6144:MkyacpfMzk1+nQFGbjVXgyLB5NaLVtju0r0/fk4Xc/Be1H23:MkyfYk4nXbjVLLBGLVtjuf/fk40Q1H23

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\# HELP DECRYPT #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. 
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565 | | 2. 
http://52uo5k3t73ypjije.f0jlbj.bid/AF5A-0EE6-8876-0046-1565 | | 3. http://52uo5k3t73ypjije.cm5ohx.bid/AF5A-0EE6-8876-0046-1565 | | 4. http://52uo5k3t73ypjije.jal9lk.bid/AF5A-0EE6-8876-0046-1565 | | 5. http://52uo5k3t73ypjije.onion.to/AF5A-0EE6-8876-0046-1565 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/AF5A-0EE6-8876-0046-1565 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565

http://52uo5k3t73ypjije.f0jlbj.bid/AF5A-0EE6-8876-0046-1565

http://52uo5k3t73ypjije.cm5ohx.bid/AF5A-0EE6-8876-0046-1565

http://52uo5k3t73ypjije.jal9lk.bid/AF5A-0EE6-8876-0046-1565

http://52uo5k3t73ypjije.onion.to/AF5A-0EE6-8876-0046-1565

http://52uo5k3t73ypjije.onion/AF5A-0EE6-8876-0046-1565

Extracted

Path

C:\Users\Admin\Downloads\# HELP DECRYPT #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565" id="url_1" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.f0jlbj.bid/AF5A-0EE6-8876-0046-1565" target="_blank">http://52uo5k3t73ypjije.f0jlbj.bid/AF5A-0EE6-8876-0046-1565</a></li> <li><a href="http://52uo5k3t73ypjije.cm5ohx.bid/AF5A-0EE6-8876-0046-1565" target="_blank">http://52uo5k3t73ypjije.cm5ohx.bid/AF5A-0EE6-8876-0046-1565</a></li> <li><a href="http://52uo5k3t73ypjije.jal9lk.bid/AF5A-0EE6-8876-0046-1565" target="_blank">http://52uo5k3t73ypjije.jal9lk.bid/AF5A-0EE6-8876-0046-1565</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/AF5A-0EE6-8876-0046-1565" target="_blank">http://52uo5k3t73ypjije.onion.to/AF5A-0EE6-8876-0046-1565</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565" id="url_2" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565" id="url_3" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565" id="url_4" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/AF5A-0EE6-8876-0046-1565</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/AF5A-0EE6-8876-0046-1565</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Contacts a large (524) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
      2⤵
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2560
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic.exe shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3012
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\system32\bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1936
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\system32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2828
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# HELP DECRYPT #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1660
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:472065 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3044
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# HELP DECRYPT #.txt
        3⤵
        PID:2824
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im "3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:220
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2688
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3024
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1728
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2072


MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Windows Management Instrumentation (T1047) 1
  • Defense Evasion
    • Indicator Removal (T1070) 2
      • File Deletion (T1070.004) 2
    • Modify Registry (T1112) 2
  • Credential Access
    • Unsecured Credentials (T1552) 1
      • Credentials In Files (T1552.001) 1
  • Discovery
    • Network Service Discovery (T1046) 1
    • System Information Discovery (T1082) 2
    • Remote System Discovery (T1018) 1
  • Collection
    • Data from Local System (T1005) 1
  • Impact
    • Inhibit System Recovery (T1490) 3
    • Defacement (T1491) 1


      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
        Filesize

        914B

        MD5

        e4a68ac854ac5242460afd72481b2a44

        SHA1

        df3c24f9bfd666761b268073fe06d1cc8d4f82a4

        SHA256

        cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

        SHA512

        5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
        Filesize

        252B

        MD5

        dceb2c97273227955af2973b95a6d96d

        SHA1

        61e57d3a57fd02b7421b2f4036160e814a025ebd

        SHA256

        1af70b94408bfefae4c4e75ce65643ebaf11591d1941ea0886b852b1be45f6fe

        SHA512

        ac2a737bedcdc71d4979d63b1afcf096182560c27f9756e7a06ee68b8d98f6be8b2c672a21c49673b379b4e48741d9b9aa2d3ebb753a8d1473d4a82a8cde9585

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        f976696603c1ebbd8c48ba36e2b72575

        SHA1

        600d8db35a278828bf118a9b3a8cd1c585524304

        SHA256

        e7ba849cc1d012fec76bece81d0bc94ed69baade1a75ef5dbfa66d0af7424eca

        SHA512

        4d3c4c21860cffcab5cbc8155393d9116ebb9eaf3916df7f2c94beb9d5328d5be74dd6ce09fc68961b98bac9553c722a180f2f26ef81b104c1efd404a8f28783

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        9d6e9b53bd652b5764843b696e30288e

        SHA1

        0c83165118fc1c7467165527b35deabb7a5c749c

        SHA256

        a38740184be4d5b75ee7b74b753922e6d30a9c12cc9f91b6e335dc0071adcf6e

        SHA512

        d0c46e1a0a7044a12e67345bf16aad0b1d065a7c2026df54a0af975e59cccea0f4241cce033e34a3c8fb6085e9581ecb03968f9ca242705cc64829bb9ffef57c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        ffc853ab10b5c15b06f037608a82afa9

        SHA1

        cf204ef17fac246a54a0a7b200460ed84c39a5f3

        SHA256

        424b3c24e6f739722c28accedf26c15af143251b49901c95a641787da521e5c7

        SHA512

        46850728b45c3d58bbc052a185ea8ee210ed4fecf8b3a521982b1b67cfa088a8f1891a8b37734fa120dc830d9b59b6f6aca0903782d6eaaa4c666bb8224f65b7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        c45d568c84ab2f1770cd11e03e1d30a3

        SHA1

        249b6ffe4d33ca02f393816e738cb091fe751dde

        SHA256

        dfdfb366fead6d1cc07d01f37f7ff8c1786f155188da2e8b0516aa37a773f4cd

        SHA512

        e19603246af655ea5068e7dc25b25960fe907db4cd0d8c6e465424312713bdcdf597f1710a35d87c6675779b66f85c3d74586bfad0e18168b6e4c0aad126d2da

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        0f9c6960fef9a94f3ea9c44c2b72e970

        SHA1

        688ebd61c16dc5486f6e711c95a172540ac98704

        SHA256

        fa64094eccc7dce850ab9d9aeaaf7145f147cf3759c6701cd1497a92c7efdf43

        SHA512

        46f346bc8f9aae002129c6f4b4fda9b0aa3dc0cd0ae527c8548ee3425b7f1f7cceb6e290a62d336431b50823f22569e0a5d8ef66d533ed938152bc6097e1d554

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        d8e8242a0ea0cf2ec0744d22524c0ba9

        SHA1

        a5b36b73d3c7a80386b683862ae469976b6b07be

        SHA256

        ea6ce047c258639493cb31cc650542c4907745a09b33f4b341d018ae9b0a96dc

        SHA512

        60e5d2390980d404676838ac4ac6dbccdd9c3b02006d1766a70143b0085fec0677bef0a7017ba72eec55de40cc0e9ea1e6b7e91d74a4a125ded79006c3c7a10b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        1a2d656a9d6545d1fa1eab1631e7c39d

        SHA1

        cb5bf9959c9ebf097db27d8bd86634a248a4f430

        SHA256

        20372219a7ebb0562c3b2169dfa13ef79e4077539f2de109572795c7ca6c9979

        SHA512

        7b1fd85c7f6b64dbbe9cd75d5bbd08dc6f01a5bdd06d9c345f05b0155c06ff4fae51e9d475de76b421e3d12e08b9985d1d6cce7915bec6b3f89a8ab5e812f62a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        fec40a1fe969798c765a82a2930bf781

        SHA1

        8f344250f87f852003e460c69544c437f01936cd

        SHA256

        6ec6b56982ebc8664d18c362756b4c8ea21dc385370cecedbd5e1ddec26cfe8d

        SHA512

        cde889ba3b15ff355f257e03bc4784b0701687a8066d14250d741c55f1e04a7c1f51b26a5bf2fb93513af811aa70c279da7aaba5428431bf33c6883f267762c7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        784d782a46a82a4d88e52e05696930ff

        SHA1

        fa6f060cf2f440c6f7625350e256c5f4bbba0405

        SHA256

        dc5395eca43289962e03377b0ad7b10232a4726bebf7eac11a657ac0df4c8f09

        SHA512

        bf91710bbf08aa92e81f87c423132b0a957b58b4375f15013356f48ed79860ce83889e2bde3c30712e58fdbd48f6dc5c20e598f69f5ae8487353a1a09fc6e48b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        653f66779a0f886c71ab5e2cfde62c00

        SHA1

        9e58f5ac8ad48fd9208366d435e127dc25e9d86b

        SHA256

        38eb7d696e8808aad13ca0e924011a225d1407d4b96966b702c096807405450d

        SHA512

        88173e1fcbb3ae4823edf458497d15d52eaad991dbc991923610b4f168d97633a3a8890e4a8e9c8fc7bb61a044430ac67026b725d609af04e1ae1f43144202b7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        6be07a282472f16ccaf155577630c88f

        SHA1

        2571f4952b42a516d60f7eb1875024c95663e8a6

        SHA256

        dd662a0d62300b798b75c4c64e1046c008c66da8557568033095184aabe3fbfd

        SHA512

        1ce58960ecd0258518633404fe97b60e380576d8e7b13d88b2bdb911371bf5590d278cbdd13c763b64dea20abcff33e47416e9e1de0e7553e5c673e764ced9d8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        c7962cc3ce7b345560a7e9dd6e681710

        SHA1

        805b9da8edfc56d9998d6665d190f123c7ff5a55

        SHA256

        b96056cb5dcdf435c9d066e2d2f0b25e4513634a2c43e772b6d4ae52977a7e6c

        SHA512

        60199f1d22217f21239f8f7720d0f849e85cd04bffae1f3ff4c0ad99b82376e40f0d5305941c16f8fd41310de302985993a06ff7a38f52be7803299d5673c231

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        0bf6d7c4fcfc6642353e99e0fda5a6c6

        SHA1

        5945e4247577d45295a92cad08458ab215440da2

        SHA256

        575b775b0e19402433528e785d1eb865d03f6cd6a99f3cc59aa3c0830dbda696

        SHA512

        fcc962dbcbe2cdf192c94b4d63738a2997eacec54ce45df636679f260b546411252262f4f1da90cf5225081ce4164cc57324ab7c993995327bf1da2f30d9f26d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        955399e6c254c0c1cf5b5937c5ddec54

        SHA1

        12434530e5ce2abc85d548b92883d8cb6ddcc8f3

        SHA256

        da306f3394a3b8de3af8fcf623bd208b65328f5fbfbf63edc309d8c7c71af8f0

        SHA512

        05c3388c022cf84f756e0f1f7ba478f8c48376f04b689c800a183582725d445fe74b65435eda88fc65836300a13fc330748df95fd6de32daf200d7ff359fbf24

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        1aaf6413f13f07849bca3bc4dca06792

        SHA1

        2ddc2787c0a155cdb5bf1933e0a27b9315892b6d

        SHA256

        b300e3ad0fecae0d054b0c06d3091ac0ceacaa0a394d4047b1f601a76f50e33c

        SHA512

        7a5804ea5ee8c2e696197e5c40e734861988b4aff3811c072ce69771b141f074787751918d0e6f896045c96361624e24ead3d49df739f7672a21c12cd63490ec

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        bb8dedda8bbf5cbe826a5f7de0f5b83a

        SHA1

        47b40aec5923996f311db03c32194c7d838bf1e4

        SHA256

        ac1ea678bacfd3a60a0f0e78df61ce49ccee41eeeb043bf23d4d1bc45127b78f

        SHA512

        7f3526f98c828aea8b7bdca98096c5ef2e86c2d5626314b3402bc78f65d1621b56a6564f5145f9b32f00daaac4d89319a114204b68062e23c10f6718c052fed7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        8f1f7a3a38afd1a691b1eef8b610f240

        SHA1

        399dced50e1fb814bc9bab95cc2c0a9d5a1f3290

        SHA256

        060d94a4e86d0087f63becae334271d50431ca2f487cece3e05695f033a3eb59

        SHA512

        ba30b426bf3ca05f19a6fb61697ba3d84d72f556e6f84f11d066be6eb5e51d6a256b79b9bbb0c3a8813a18205dfa34038c41c118019fe6f7c9710c4eb84a4e9a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        c74034a7e8ed7e4fe9d6ab79fa1aa1e3

        SHA1

        bb3bd1610fd05d25b695cfebed2a6bf7a78e3989

        SHA256

        554de83c24c21c4771e703b33c7a9de8f501283e883e9f1e5f63f2e523f3238c

        SHA512

        4d36204cff6e4ca1bda3b6f08e5d6bb25cb6c1dd28a7214bbb3d73b65ba493a77cefbc7a4463fac62d41d0f54d85c4b30e7a06a952452dda8b2085727d1cc939

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        8ddcd31b09fcda836b184d4ca3ea4849

        SHA1

        217316d2d196fd666c070e004ebba53292e34bdd

        SHA256

        4ae48f3ca9854d76d04aa170732298298672f7f014f1bc30c48dbe5f30de7905

        SHA512

        cae9261e0c76aa53e703785965926f8c3c97bf7b1c52c471f8ca15194ebdb1e282160acc0ee25ff8105f8027e2d835607a7218e0b868b4e7d4af64e260fb0715

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        6a8d5880bb5e8b610f6fbe3faa24cfef

        SHA1

        4192d89cca5dc8e2266859a92fb93a5b663b18e7

        SHA256

        a482a6bdf99eb9756f3cb9fe8522108ce6597fbe2bf2fade01496f5472ac3924

        SHA512

        1e6fbd936c2a82681cbf8e29b46f08f253bf137528c9a9ee22d0928d42de0a2b1da91820c46b18f8df8d7a298e7b900feecf110f35813a1f8102ef66b5d975be

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        867552a453ea2d4f028e8f7916a11c17

        SHA1

        e3fff1b75d529292cf89591491bc34cf0d033429

        SHA256

        f9d285d374fb9bab678d2873dadd1342745abc3da1e09ca99b7d9d638a4050a3

        SHA512

        91c8df8f2d24064f3339e688a5b26739188949a5b297410527b6a974222650b40701cbd2756b0c24923953c72b98dbb3437b36bcdc7422f6bc0e8439e0b684b9

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        3cc75fd905a1326e899aaec2e500a069

        SHA1

        070b490604ee752b9ad058a321dd1333f436ad2f

        SHA256

        8becabfa1c618c486ba726fbadfb57971c6a5d03ed8f2769bcf3a4c68afdd8eb

        SHA512

        0cf2cb52bc6dc46792a40169c1af542751124cad5b3419706d464be7a8ae550bc1b64daa267c2c7a2423956aa9d1f20a70ab1121335267480c95f42b116d4523

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
        Filesize

        242B

        MD5

        23b65c7827f8d9ef80aabd54895756ee

        SHA1

        7408ae72053bdeeff067080db3e5d749e7792b44

        SHA256

        733b574047673e70a08aadd06c4943596bf308d2fa42031823bbad450f79932b

        SHA512

        139904d6c7899b03707d362e33d33a723152767fbef61db4bd98d5333cd5f8447a99f2d5ab145ab513bdb923f306d027c0c41917eeb704bb8b2a2486b9c62858

      • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
        Filesize

        4KB

        MD5

        da597791be3b6e732f0bc8b20e38ee62

        SHA1

        1125c45d285c360542027d7554a5c442288974de

        SHA256

        5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

        SHA512

        d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E905ABC1-117A-11EF-B69B-6AA5205CD920}.dat
        Filesize

        6KB

        MD5

        df3a8e1ca329d12028896648c3c7a5ab

        SHA1

        097b1d908339515ec95bac9a7c22ec9161427f75

        SHA256

        e1d81a8a560d7945c465050a4806d4ec44a3f9f2c97e7b001056a9edf43a0fd9

        SHA512

        59f11a89c8aa9751e71c5059d3046b172c03f8349d727c297b3c7e83b3aa25bc746a1390eaa1466666add3134603a2a8a3d5a334f115c3372fb629f140f66497

      • C:\Users\Admin\AppData\Local\Temp\Tar684B.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      • C:\Users\Admin\AppData\Roaming\Chanson.c
        Filesize

        178KB

        MD5

        3b8e66245821e3007742619b50887970

        SHA1

        35b9266e8bf19cabf46c8a7a33afa11ab8a8b8b1

        SHA256

        1f1cd64d89bd0f2a87250bdba64f4d3cb4b2b040a625dbfdc2ec62f90d4df40f

        SHA512

        80c35734cb08d0abd0c8f5919eb7d2df348103dd1740fdc3591fed68462be9cf09c02d13bf9dc9d6c0980b43cf83f989333f7206d10da5b7d77defb1bb7f5323

      • C:\Users\Admin\AppData\Roaming\forward_disabled.png
        Filesize

        2KB

        MD5

        597557e628d4e1275b31818d45dc1dcf

        SHA1

        7b0b4d8da0d7f846fb5edaaf9e4512873223511d

        SHA256

        952b933c0a7ba2af85f216fc66b6d9944000bdc4d11e5c19e9649bedeb64feea

        SHA512

        b1ba60e4290ae77a29a895a234b120d9425d434d47bf4a77ae98a15e201a24a7b9ea4a91ba66dcc772ee380f2694e269f8a79e8a03e9b200b8669e3a1cdfaff5

      • C:\Users\Admin\Downloads\# HELP DECRYPT #.html
        Filesize

        19KB

        MD5

        d4cc379f238b22764c034198a145e0ea

        SHA1

        4045a8335d324f6062a44ed6c9237c3d8cb7e8cb

        SHA256

        5d565be91ebbdab90f8b09361acea06de12be3378078b4302c0cb399c8a12521

        SHA512

        509a243c381aca2dcbdb8e194449a10b9aed95c78adef9b407e9e81d0f2596249d7332832aeee92480093179f4538310aebb4d0a4ae4be96b56fc9e83f600e4d

      • C:\Users\Admin\Downloads\# HELP DECRYPT #.txt
        Filesize

        10KB

        MD5

        81acccfd51298b4b456f5f59f22befcc

        SHA1

        e2bf74e253350376fde001fb047d79af9a7894da

        SHA256

        1898d508a517dc87b7d213e2e0dbfa2f3cfa8ea4919bb0f7ec8ef940060e822c

        SHA512

        2c246cfe01dcdefa878fece0d4b8ea7318dd2c8a9ec33ed9dfba1fc0dafbef2862e5a47c803f25a61c44178f02494b8fc57643b92cb0b0933b23cb592f364835

      • C:\Users\Admin\Downloads\# HELP DECRYPT #.url
        Filesize

        90B

        MD5

        041bf5b3fa8d9781410c306bdcf09a68

        SHA1

        945be77268aaf8eb1ccf577df204d076fef5ffa7

        SHA256

        b375104052f0cdd058f7de47ba2b7a35eda0e94262940e67df7d5b13b5844601

        SHA512

        e01dd965b742779364c59ee53612f2e1b8535368f25de9e70e8a540bf2965a0d7af7fec5384d454a60241cfbf3825046ff361cdcc2eacb9bf586559c973ceee7

      • \Users\Admin\AppData\Local\Temp\nsi200F.tmp\System.dll
        Filesize

        11KB

        MD5

        ca332bb753b0775d5e806e236ddcec55

        SHA1

        f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

        SHA256

        df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

        SHA512

        2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

      • \Users\Admin\AppData\Roaming\NsResize.dll
        Filesize

        116KB

        MD5

        75376d6bbd017ec8711f820aba8ed53b

        SHA1

        74c776e288b1f8eb193264333098f44defa871c2

        SHA256

        523e5bca53ee608535aa63662168cae8cebe7f83a0416c9c3f612599a892e930

        SHA512

        9ff3f135275ec20c366411d95979197aec8eb96d7d7274feaf441d835cf2123312f6a81fa00c2ef59591a545212d9a7833ebd1e633eb43880f551b76e91c8ed6

      • memory/1908-10-0x0000000002830000-0x000000000284E000-memory.dmp
        Filesize

        120KB

      • memory/2712-383-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-443-0x0000000003D00000-0x0000000003D02000-memory.dmp
        Filesize

        8KB

      • memory/2712-413-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-425-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-445-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-49-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-410-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-407-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-404-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-401-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-398-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-395-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-392-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-389-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-386-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-416-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-26-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-431-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-448-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-46-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-34-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-32-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-31-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-30-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-28-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-422-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-419-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-17-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-20-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-12-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-18-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-22-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2712-380-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

      • memory/2712-14-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB
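The file list above gives MD5, SHA-1, SHA-256 and SHA-512 for every file the sample wrote. Not all of them are useful indicators: the CryptnetUrlCache and Internet Explorer entries are ordinary Windows artifacts of certificate-revocation lookups and browser activity, and System.dll under nsi200F.tmp is the stock NSIS System plugin that any NSIS-built installer unpacks, so its hash will also match benign software. The ransom notes (# HELP DECRYPT #.txt, .html and .url) and the files written to AppData\Roaming are the sample-specific ones. The block below is an added example, not part of the report: a small matcher that indexes three of the listed hashes and checks file content against them. The index, scan function and sample bytes are this example's own; only the three hash sets are copied from the report.

```python
import hashlib
import io
import os
from typing import Dict, List, Tuple

# Algorithms the report lists (SHA-512 omitted here for brevity).
ALGOS = ("md5", "sha1", "sha256")

# Indicators copied from the report above (three of the dropped files).
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    r"C:\Users\Admin\Downloads\# HELP DECRYPT #.txt": {
        "md5": "81acccfd51298b4b456f5f59f22befcc",
        "sha1": "e2bf74e253350376fde001fb047d79af9a7894da",
        "sha256": "1898d508a517dc87b7d213e2e0dbfa2f3cfa8ea4919bb0f7ec8ef940060e822c",
    },
    r"C:\Users\Admin\Downloads\# HELP DECRYPT #.html": {
        "md5": "d4cc379f238b22764c034198a145e0ea",
        "sha1": "4045a8335d324f6062a44ed6c9237c3d8cb7e8cb",
        "sha256": "5d565be91ebbdab90f8b09361acea06de12be3378078b4302c0cb399c8a12521",
    },
    r"C:\Users\Admin\AppData\Roaming\Chanson.c": {
        "md5": "3b8e66245821e3007742619b50887970",
        "sha1": "35b9266e8bf19cabf46c8a7a33afa11ab8a8b8b1",
        "sha256": "1f1cd64d89bd0f2a87250bdba64f4d3cb4b2b040a625dbfdc2ec62f90d4df40f",
    },
}


def digests_stream(fh, chunk: int = 1 << 20) -> Dict[str, str]:
    """Hex digests under every algorithm in ALGOS, reading the stream once in chunks."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digests(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory content."""
    return digests_stream(io.BytesIO(data))


def build_index(iocs: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Invert the per-file table into (algorithm, lowercase hexdigest) -> reported path,
    so a lookup is one dict probe per algorithm regardless of how many IOCs are loaded."""
    index: Dict[Tuple[str, str], str] = {}
    for path, hashes in iocs.items():
        for algo, hexd in hashes.items():
            if algo in ALGOS:
                index[(algo, hexd.strip().lower())] = path
    return index


def match_content(index: Dict[Tuple[str, str], str], data: bytes) -> List[str]:
    """Reported paths whose recorded hashes match this content under any algorithm.
    A hit on MD5 or SHA-1 alone is returned because the report lists them, but
    collisions for both are practical, so confirm with the SHA-256 before acting."""
    hits = {index[(algo, hexd)] for algo, hexd in digests(data).items() if (algo, hexd) in index}
    return sorted(hits)


def scan_tree(index: Dict[Tuple[str, str], str], root: str) -> Dict[str, List[str]]:
    """Walk a directory and return {local path: [matching reported paths]} for files that hit."""
    found: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    hashes = digests_stream(fh)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            hits = sorted({index[k] for k in hashes.items() if k in index})
            if hits:
                found[full] = hits
    return found


# Constructed stand-in content; its hashes deliberately match nothing in the report.
SAMPLE_CONTENT = b"constructed stand-in for a dropped file, not the real ransom note\n"

if __name__ == "__main__":
    import sys
    idx = build_index(REPORT_IOCS)
    print("sample matches:", match_content(idx, SAMPLE_CONTENT) or "none")
    if len(sys.argv) > 1:
        for local, hits in scan_tree(idx, sys.argv[1]).items():
            print(local, "->", hits)
```

Run with a directory argument it hashes every file under that tree once and reports any that match a listed indicator; the index normalises case so hashes pasted from other tools in upper case still match.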