Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-05-2024 02:58

General

  • Target

    52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe

  • Size

    234KB

  • MD5

    52c00107ca21cc4b75039a98ad4cae18

  • SHA1

    ab35e8bc718fd02cec888afb22dc520d05234dce

  • SHA256

    210dab383dabe37ce47658719ec8866cca4fe1ba0eac2d308c96c36293f1da4c

  • SHA512

    bc2ae0ca6fd52d1190bcd0c006b4eacb1db7243b9b434cd59a4e095bfc854e5e7c4cc56cfda989d3285d8f6c2fec4e2e00ba5cc383304efcb5cfbd1c248f1703

  • SSDEEP

    6144:20B2T/Lr8CETTCiIjvTWUyRsae7bI7P+B:m/X8lGbWhty

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. 
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD | | 2. 
http://52uo5k3t73ypjije.ssd5gt.top/9636-A23A-4EE4-006D-F2BD | | 3. http://52uo5k3t73ypjije.dd4xo3.top/9636-A23A-4EE4-006D-F2BD | | 4. http://52uo5k3t73ypjije.78dmme.top/9636-A23A-4EE4-006D-F2BD | | 5. http://52uo5k3t73ypjije.onion.to/9636-A23A-4EE4-006D-F2BD |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/9636-A23A-4EE4-006D-F2BD | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD

http://52uo5k3t73ypjije.ssd5gt.top/9636-A23A-4EE4-006D-F2BD

http://52uo5k3t73ypjije.dd4xo3.top/9636-A23A-4EE4-006D-F2BD

http://52uo5k3t73ypjije.78dmme.top/9636-A23A-4EE4-006D-F2BD

http://52uo5k3t73ypjije.onion.to/9636-A23A-4EE4-006D-F2BD

http://52uo5k3t73ypjije.onion/9636-A23A-4EE4-006D-F2BD
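As an added example (not part of the sandbox report and not code from the Cerber authors), the following Python pulls the indicators out of the TXT note above and sorts them into buckets an analyst actually uses: the .onion service name, Tor2web gateway hosts, the attacker-registered clearnet proxy domains, and the per-victim ID that forms the URL path. The note excerpt is constructed from the URLs the report extracted; the bucket names, the "sibling domain" regex, and the treatment of torproject.org as unrelated are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the TXT note. The URLs are the ones the report
# extracted; the surrounding text mimics the note's table layout.
SAMPLE_NOTE = """\
There is a list of temporary addresses to go on your personal page below:
| 1. http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD |
| 2. http://52uo5k3t73ypjije.ssd5gt.top/9636-A23A-4EE4-006D-F2BD |
| 3. http://52uo5k3t73ypjije.dd4xo3.top/9636-A23A-4EE4-006D-F2BD |
| 4. http://52uo5k3t73ypjije.78dmme.top/9636-A23A-4EE4-006D-F2BD |
| 5. http://52uo5k3t73ypjije.onion.to/9636-A23A-4EE4-006D-F2BD |
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en
8. type or copy the address http://52uo5k3t73ypjije.onion/9636-A23A-4EE4-006D-F2BD
"""

URL_RE = re.compile(r"https?://[^\s|\"'<>()]+")
# A v2 onion service name is 16 base32 characters; this note reuses it as the
# first DNS label of every clearnet proxy domain, which is the pivot we key on.
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$")
# Victim ID format as seen in the URL path: five groups of four hex digits.
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{4}(?:-[0-9A-F]{4}){4}$")


def extract_iocs(note):
    """Classify every URL in a note into infrastructure buckets (sorted lists)."""
    urls = sorted(set(URL_RE.findall(note)))
    out = {"urls": urls, "onion_services": set(), "tor2web_hosts": set(),
           "clearnet_domains": set(), "victim_ids": set(), "unrelated_hosts": set()}
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        labels = host.split(".")
        path = p.path.strip("/")
        if VICTIM_ID_RE.match(path):
            out["victim_ids"].add(path)
        if not ONION_LABEL_RE.match(labels[0]):
            out["unrelated_hosts"].add(host)          # e.g. torproject.org
        elif labels[-1] == "onion":
            out["onion_services"].add(host)
        elif "onion" in labels[1:-1]:
            out["tor2web_hosts"].add(host)            # *.onion.to style gateway
        else:
            # registrable domain the attacker bought to front the onion service
            out["clearnet_domains"].add(".".join(labels[-2:]))
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in out.items()}


def sibling_host_regex(iocs):
    """Regex that also matches future proxy domains reusing the same onion label,
    so proxy/DNS logs can be hunted beyond the five domains in this note."""
    labels = {h.split(".")[0] for h in iocs["onion_services"]}
    if not labels:
        return None
    alt = "|".join(re.escape(label) for label in sorted(labels))
    return re.compile(r"^(?:%s)\.[a-z0-9-]+(?:\.[a-z]+)?$" % alt)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_NOTE)
    for bucket, items in iocs.items():
        print(bucket, items)
    print(sibling_host_regex(iocs).pattern)
```

The victim ID is an identifier for this infection (it selects the personal page), not something to block; the clearnet domains and Tor2web hosts are, and the sibling regex catches the rotating .top domains the note itself says are "short-term".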

Extracted

Path

C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#Cerber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD" id="url_1" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.ssd5gt.top/9636-A23A-4EE4-006D-F2BD" target="_blank">http://52uo5k3t73ypjije.ssd5gt.top/9636-A23A-4EE4-006D-F2BD</a></li> <li><a href="http://52uo5k3t73ypjije.dd4xo3.top/9636-A23A-4EE4-006D-F2BD" target="_blank">http://52uo5k3t73ypjije.dd4xo3.top/9636-A23A-4EE4-006D-F2BD</a></li> <li><a href="http://52uo5k3t73ypjije.78dmme.top/9636-A23A-4EE4-006D-F2BD" target="_blank">http://52uo5k3t73ypjije.78dmme.top/9636-A23A-4EE4-006D-F2BD</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/9636-A23A-4EE4-006D-F2BD" target="_blank">http://52uo5k3t73ypjije.onion.to/9636-A23A-4EE4-006D-F2BD</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD" id="url_2" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD" id="url_3" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD" id="url_4" target="_blank">http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/9636-A23A-4EE4-006D-F2BD</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Signatures

  • Cerber

    Cerber is a widely distributed ransomware-as-a-service (RaaS), first seen in early 2016. The "# DECRYPT MY FILES #" note names and the onion-label.<domain>.top personal-page URLs above match its 2016 variants.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large number (529) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber it is more plausibly its known statistics beaconing: the sample sends UDP packets to every address in one or more hard-coded IP ranges rather than to a single C2, so the host count reflects the range size, not service discovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence; Cerber is known to exit without encrypting on systems whose locale belongs to CIS countries.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and cookies; in a ransomware sample the same signature is just as likely the encryptor walking the browser profile directories.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
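The "Adds policy Run key", "Adds Run key" and "Sets desktop wallpaper using registry" signatures above are the artifacts a responder checks on other hosts. The following Python is an added example (not part of the sandbox report or of any vendor tooling) that scans a `reg export` dump for them. The poqexec.exe path and the GUID-named directory come from the process tree above; the exact key path `...\Policies\Explorer\Run`, the value names, and the OneDrive and wallpaper entries are constructed assumptions used to show a benign entry next to the suspicious ones.

```python
import re

# Constructed .reg export (assumptions: value names, the OneDrive entry, the
# wallpaper path). The poqexec.exe path is the one the report observed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"poqexec"="\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"poqexec"="\"C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\poqexec.exe\""

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\Admin\\AppData\\Roaming\\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\\wallpaper.bmp"
"WallpaperStyle"="2"
'''

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Run, RunOnce and the Explorer policy Run key under CurrentVersion.
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?$", re.I)
# A directory component that is a bare {GUID}, as in the dropped poqexec.exe path.
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Roaming|AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.I)


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}} for REG_SZ values; other types kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys


def image_path(command_line):
    """Executable path from a command line: quoted token or first whitespace token."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]


def find_suspicious(keys):
    """List (key, value_name, path, reasons) for autorun and wallpaper entries."""
    findings = []
    for key, values in keys.items():
        is_autorun = AUTORUN_KEY_RE.search(key) is not None
        is_desktop = key.lower().endswith("\\control panel\\desktop")
        for name, data in values.items():
            if is_autorun:
                path, reasons = image_path(data), []
                if "policies\\explorer\\run" in key.lower():
                    reasons.append("policy Run key (rarely used by legitimate software)")
                if GUID_DIR_RE.search(path):
                    reasons.append("binary in GUID-named directory")
                if USER_WRITABLE_RE.search(path):
                    reasons.append("binary in user-writable location")
                if reasons:
                    findings.append((key, name, path, reasons))
            elif is_desktop and name.lower() == "wallpaper" and USER_WRITABLE_RE.search(data):
                findings.append((key, name, data, ["wallpaper replaced from a user-writable location"]))
    return findings


if __name__ == "__main__":
    for key, name, path, reasons in find_suspicious(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}\n    {path}\n    {'; '.join(reasons)}")
```

The "user-writable location" rule deliberately excludes AppData\Local so that OneDrive, Teams and similar per-user installs do not fire on their own; the GUID-directory and policy-key rules are the high-signal ones, and an entry that trips both is what this sample leaves behind.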

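The "Contacts a large (529) amount of remote hosts" signature is easy to turn into a network detection once you look at how the destinations are distributed rather than just counting them. As an added example (not part of the sandbox report), the Python below groups each process's distinct UDP destinations by /24 and flags processes that fill whole ranges, which is what a range sweep looks like and what a browser or updater never does. The flow records are constructed: poqexec.exe is the dropped binary from the process tree, the destinations are RFC 5737 documentation ranges sized to reproduce the report's 529-host count, and the UDP port number is an assumption.

```python
import ipaddress
from collections import defaultdict


def constructed_flows():
    """Constructed (process, proto, dst_ip, dst_port) records, not real telemetry."""
    flows = []
    # Two full /24 sweeps plus a partial third: 256 + 256 + 17 = 529 hosts.
    for net in ("203.0.113.0/24", "198.51.100.0/24"):
        for ip in ipaddress.ip_network(net):
            flows.append(("poqexec.exe", "udp", str(ip), 6892))   # port assumed
    for ip in list(ipaddress.ip_network("192.0.2.0/24"))[:17]:
        flows.append(("poqexec.exe", "udp", str(ip), 6892))
    # Ordinary browser traffic for contrast: few hosts, TCP.
    flows += [("msedge.exe", "tcp", "192.0.2.200", 443)] * 3
    flows.append(("msedge.exe", "tcp", "192.0.2.201", 443))
    return flows


def range_sweeps(flows, min_hosts=100, min_fill=0.5, prefix=24):
    """Flag processes whose distinct UDP destinations fill at least `min_fill`
    of one or more /`prefix` ranges. Returns one finding per process."""
    dests = defaultdict(set)
    for proc, proto, ip, _port in flows:
        if proto == "udp":
            dests[proc].add(ipaddress.ip_address(ip))
    range_size = 2 ** (32 - prefix)
    findings = []
    for proc, ips in dests.items():
        if len(ips) < min_hosts:
            continue
        per_range = defaultdict(int)
        for ip in ips:
            per_range[ipaddress.ip_network((str(ip), prefix), strict=False)] += 1
        swept = sorted(str(net) for net, count in per_range.items()
                       if count / range_size >= min_fill)
        if swept:
            findings.append({"process": proc, "distinct_hosts": len(ips),
                             "swept_ranges": swept})
    return findings


if __name__ == "__main__":
    for f in range_sweeps(constructed_flows()):
        print(f"{f['process']}: {f['distinct_hosts']} hosts, swept {f['swept_ranges']}")
```

The fill ratio is what separates a range sweep from a busy but legitimate process; vulnerability scanners and some P2P clients will still trip it, so pair the rule with an allow-list of scanner hosts rather than lowering the threshold.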
Processes

  • C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
        "C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
          "C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe"
          4⤵
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2252
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4300
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8420446f8,0x7ff842044708,0x7ff842044718
              6⤵
                PID:2736
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
                6⤵
                  PID:1268
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
                  6⤵
                    PID:4424
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
                    6⤵
                      PID:872
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
                      6⤵
                        PID:4268
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
                        6⤵
                          PID:4472
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
                          6⤵
                            PID:5760
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
                            6⤵
                              PID:5052
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
                              6⤵
                                PID:6056
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
                                6⤵
                                  PID:5748
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
                                  6⤵
                                    PID:4984
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
                                    6⤵
                                      PID:3096
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
                                      6⤵
                                        PID:1916
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1
                                        6⤵
                                          PID:5872
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16849744559732772097,16181985642989583006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
                                          6⤵
                                            PID:3604
                                        • C:\Windows\system32\NOTEPAD.EXE
                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                          5⤵
                                            PID:4548
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.3odvfb.top/9636-A23A-4EE4-006D-F2BD?auto
                                            5⤵
                                              PID:316
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff8420446f8,0x7ff842044708,0x7ff842044718
                                                6⤵
                                                  PID:4624
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                                5⤵
                                                  PID:5964
                                                • C:\Windows\system32\cmd.exe
                                                  /d /c taskkill /t /f /im "poqexec.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe" > NUL
                                                  5⤵
                                                    PID:5876
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /t /f /im "poqexec.exe"
                                                      6⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:6112
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 1 127.0.0.1
                                                      6⤵
                                                      • Runs ping.exe
                                                      PID:3384
                                              • C:\Windows\SysWOW64\cmd.exe
                                                /d /c taskkill /t /f /im "52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe" > NUL
                                                3⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:4748
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /t /f /im "52c00107ca21cc4b75039a98ad4cae18_JaffaCakes118.exe"
                                                  4⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4464
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping -n 1 127.0.0.1
                                                  4⤵
                                                  • Runs ping.exe
                                                  PID:2280
                                          • C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
                                            C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of SetThreadContext
                                            • Drops file in Windows directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:4340
                                            • C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
                                              C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
                                              2⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2832
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:5604
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:2156
                                              • C:\Windows\system32\AUDIODG.EXE
                                                C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4a0
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:5308

MITRE ATT&CK Matrix ATT&CK v13

Persistence
• T1547 Boot or Logon Autostart Execution (2)
• T1547.001 Registry Run Keys / Startup Folder (2)

Privilege Escalation
• T1547 Boot or Logon Autostart Execution (2)
• T1547.001 Registry Run Keys / Startup Folder (2)

Defense Evasion
• T1112 Modify Registry (3)

Credential Access
• T1552 Unsecured Credentials (1)
• T1552.001 Credentials In Files (1)

Discovery
• T1046 Network Service Discovery (1)
• T1012 Query Registry (2)
• T1082 System Information Discovery (3)
• T1018 Remote System Discovery (1)

Collection
• T1005 Data from Local System (1)

Impact
• T1491 Defacement (1)

                                              Downloads


                                                SHA512

                                                bf18d6566609c503efbac1d8ab615b87ec6f6e75f18a0e0faa58d38a755dd84a6b40de5e07d3c579272d158c06dd7727f630138694d96e55f9a13f45a6b06784

                                              • C:\Users\Admin\AppData\Local\Temp\defaultProfilerFilter_restorepoints.xml
                                                Filesize

                                                592B

                                                MD5

                                                b14872001828a70ca9f8cb55f37d8e7f

                                                SHA1

                                                ceec1f59f82ef6991eeb3f931707716f76ae4c38

                                                SHA256

                                                9ca7847addfc688efad2575b3c949fd296890731b3865cd7aeef3166a3a9b900

                                                SHA512

                                                21a5d902d045ce1eb73c8f8e5183152445bb95eaf2b24b76a21f32e39be801f2ab19e7b90743de2926afc12334fe168230effe24d622ca2816ed039f30080f79

                                              • C:\Users\Admin\AppData\Local\Temp\embedding.xml
                                                Filesize

                                                4KB

                                                MD5

                                                7246ded2719a2ed3a5d325dbe15e4226

                                                SHA1

                                                d6f781dd2f3d9e3c4388ec7a07b20c9c490f9cef

                                                SHA256

                                                44db2977e5bb2422e73c63d4bd1a727779313c1acfe124b205325db391076f3c

                                                SHA512

                                                76855b922d4ecfd2caf708dd94a424853f03470f1d13a4ebccb3e56e8068dd36855ae529381f80817be576bd6d43f55e64ce8c1bec12e525a2ea16c090fe97ec

                                              • C:\Users\Admin\AppData\Local\Temp\errorReport.png
                                                Filesize

                                                1KB

                                                MD5

                                                599fb9441ade1302ec22d4420ad6dbfa

                                                SHA1

                                                376de11c0fd54d2828ca06d861393f0ab1d57b31

                                                SHA256

                                                594a955ba1060a795d8760e5df316b091149f10b72ff5032d2dd588f79547535

                                                SHA512

                                                7fc1811abd69f26c77b901b17ceed11c46e345da75f3a26b495d1aadd4601a4aa20c4154d93cb6c688165dbbe9a439813097186d194945c094af6235be5c6936

                                              • C:\Users\Admin\AppData\Local\Temp\f24.png
                                                Filesize

                                                1KB

                                                MD5

                                                a16e322bba363c21afc35515bbd59138

                                                SHA1

                                                b93bf5fa9c44a2d2ee8d69cd6357c2ebe12162c9

                                                SHA256

                                                021ea003666ec9a2279a3069f3fdd8b5c71b106851bc8051d88747eb7a142dfc

                                                SHA512

                                                f39f845f1950849e753873fe2f0252201e929ca389960afe9bf055d910d19bcc2ff57f9df5c8d905522f0ca424ac4403638d5f6daa52bfac259974020701d3ea

                                              • C:\Users\Admin\AppData\Local\Temp\honks.rjw
                                                Filesize

                                                74KB

                                                MD5

                                                9db5213cc2837c33400e32cf1fede797

                                                SHA1

                                                661b7156351c07d7597e1583786e7016a6dcbd0b

                                                SHA256

                                                29aed442d93386108d48f758c26f074f86161acc513892ea366a8df433ad2aff

                                                SHA512

                                                20b28dbcecd11f74089ba2bd8f0cd35602c8c30448a1af77fbbb35c4a3d1cdca32bb992c352b47b095d2a019c647db60bbd953ec57745de1e92a16dd422053a6

                                              • C:\Users\Admin\AppData\Local\Temp\nsc662E.tmp\System.dll
                                                Filesize

                                                11KB

                                                MD5

                                                6f5257c0b8c0ef4d440f4f4fce85fb1b

                                                SHA1

                                                b6ac111dfb0d1fc75ad09c56bde7830232395785

                                                SHA256

                                                b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

                                                SHA512

                                                a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

                                              • C:\Users\Admin\AppData\Local\Temp\telophase.ttm
                                                Filesize

                                                74KB

                                                MD5

                                                2bb7db4cf25f693a1e26119e8fc1afda

                                                SHA1

                                                7fa83832984e582a06ec31111a3685d7b90e6a54

                                                SHA256

                                                a17c3b5a3833649b93059bbdee15af3a35db602a21fe5151769d1d2d6c34cf81

                                                SHA512

                                                d57723cfff15d0cc60249749cf9b8d800a53cb8333ad6316a04e0eea7ee46ad4597c41a389376566884356a0e9716476bb8ac8758365533fb15ac8da7cf51f3f

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\poqexec.lnk
                                                Filesize

                                                1KB

                                                MD5

                                                06cd72256e0031991dc5129a37940446

                                                SHA1

                                                741a03a00fc632fb3f2a30b7b71323713538a355

                                                SHA256

                                                1180252e41aa6b3e743c37b8d3c348f183630ff68fa4f350848ccdbab8982096

                                                SHA512

                                                95a05be932e3c385bfb14119c50344e8b996f425b90d9b61adc145e5f8bc5f2fe48cc46dbf9cdc04f54371fb3d3f2ad1b682995a105a3c3f4f9b5fc447e53f12

                                              • C:\Users\Admin\AppData\Roaming\{2A62359E-001A-DB50-37C5-75EE5DF583A7}\poqexec.exe
                                                Filesize

                                                234KB

                                                MD5

                                                52c00107ca21cc4b75039a98ad4cae18

                                                SHA1

                                                ab35e8bc718fd02cec888afb22dc520d05234dce

                                                SHA256

                                                210dab383dabe37ce47658719ec8866cca4fe1ba0eac2d308c96c36293f1da4c

                                                SHA512

                                                bc2ae0ca6fd52d1190bcd0c006b4eacb1db7243b9b434cd59a4e095bfc854e5e7c4cc56cfda989d3285d8f6c2fec4e2e00ba5cc383304efcb5cfbd1c248f1703

                                              • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.txt
                                                Filesize

                                                10KB

                                                MD5

                                                425a5d1dc02e88f5a93ca1e007afa114

                                                SHA1

                                                7c290a1e4ce00a542aa1b70246f54c1c32db384b

                                                SHA256

                                                53920d3455413247e313d856887dfdce1172c1a50016325c374b2d8c6bfb437a

                                                SHA512

                                                29024957bec738954b81c97737de0adfa78fdfc67f324ff8dad11dc6e686e2876b501460fe1744894d8d33b98f6ba447013a45b5ae932ef6c3e30095221fdf6a

                                              • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.url
                                                Filesize

                                                90B

                                                MD5

                                                16ea266209db7916eec7cdfa9cd12fe6

                                                SHA1

                                                df1b67130fc15eac2d3e6aa8be1a868dac39072c

                                                SHA256

                                                51bede437330f06c0bd7849700b4a11550c689d895d35ad32ccd745cd09b0265

                                                SHA512

                                                7a13550dd48938d6ac1603605a006f86452d280c57dc50a758799b6634c1e97aab0c86c9d06c1d0b1cd9c5b3da7e7f47a4352f1ff788111368b87bade6c13a8e

                                              • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# DECRYPT MY FILES #.vbs
                                                Filesize

                                                213B

                                                MD5

                                                1c2a24505278e661eca32666d4311ce5

                                                SHA1

                                                d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee

                                                SHA256

                                                3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628

                                                SHA512

                                                ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

                                              • C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
                                                Filesize

                                                19KB

                                                MD5

                                                1d0320ea8d2a4d4f30dbc6647675c9e4

                                                SHA1

                                                49aa9f19ac1546a0e48138846264f7ca12d0774e

                                                SHA256

                                                a21916423880d5a8445156569ad65a140d14b399ee65cd3bf24872649b1b90e8

                                                SHA512

                                                eb5d6950831d2e17c1cfaa9b5da7d87db2a9300b623e77869b477b9f5b2ac23619329879dc8c9132a9af2346f2bb12269f5e02cce8ae6659988eb78b0bb91ba5

• memory/1600-47-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/1600-39-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/1600-38-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/1600-37-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/1600-35-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-114-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1005-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-183-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1102-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1101-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-174-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-994-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1002-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1014-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1026-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1029-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1032-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1020-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1008-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1017-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-182-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-999-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-996-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1011-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-992-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-990-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-109-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-115-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-113-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-1074-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2252-108-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2832-177-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2832-178-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

• memory/2832-103-0x0000000000800000-0x0000000000810000-memory.dmp
  Filesize: 64KB

• memory/4340-171-0x0000000002270000-0x0000000002280000-memory.dmp
  Filesize: 64KB

• memory/4480-32-0x00000000006A0000-0x00000000006B0000-memory.dmp
  Filesize: 64KB