Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/11/2024, 06:23

General

  • Target

    8a0c2641e45b3c5b473f69183c57cbf0_JaffaCakes118.exe

  • Size

    244KB

  • MD5

    8a0c2641e45b3c5b473f69183c57cbf0

  • SHA1

    8553f089e9d0b2eed4b7a1674ae568e4bc803db6

  • SHA256

    14543e3fca12e0f56f2b88905ab0103ba4e049be8e9a12be30de38659ba8113c

  • SHA512

    36dedb28aaae39019de8d45761377ae9156edece9513a4a9015f585132832049977a841ec7fee17764c0f6eda2afd2db65a369bbfa4686bc8ad09b559b5d2ae0

  • SSDEEP

    6144:vkieBa28s1lxE2Xl9Kzh1CAyDDgHpEcHTXRnB8CteHR6+:TO8sbxE219mh1PyDDYWcRBtE

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\# DECRYPT MY FILES #.html

Ransom Note

HTML version of the note; its text is the same as the TXT note extracted below, and the addresses it links to are listed under URLs. The embedded script (functions getUrlContent, server1 and server2) looks up a Bitcoin address's most recent outgoing transaction through btc.blockr.io and api.blockcypher.com and returns the first output address of that transaction; the note's "Get a NEW address!" link calls updateUrl().

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E

#########################################################################

Cannot you find the files you need?
Is the content of the files that you looked for not readable?

It is normal because the files' names, as well as the data in your files
have been encrypted.

Great!
You have turned to be a part of a big community "#Cerber Ransomware".

#########################################################################

!!! If you are reading this message it means the software "Cerber" has
!!! been removed from your computer.

!!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a
!!! working domain of your personal page!

#########################################################################

What is encryption?
-------------------

Encryption is a reversible modification of information for security
reasons but providing full access to it for authorized users.

To become an authorized user and keep the modification absolutely
reversible (in other words to have a possibility to decrypt your files)
you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case
"Cerber Decryptor" software) for safe and complete decryption of all your
files and data.

#########################################################################

Everything is clear for me but what should I do?
------------------------------------------------

The first step is reading these instructions to the end.

Your files have been encrypted with the "Cerber Ransomware" software; the
instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
in the folders with your encrypted files are not viruses, they will help
you.

After reading this text the most part of people start searching in the
Internet the words the "Cerber Ransomware" where they find a lot of
ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on
your files and we are the only ones who have this secret key to open
them.

!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the third-party software change data within the
encrypted file to restore it but this causes damage to the files.

Finally it will be impossible to decrypt your files.

When you make a puzzle, but some items are lost, broken or not put in its
place - the puzzle items will never match, the same way the third-party
software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to
restore files encrypted with the "Cerber Ransomware" software may be
fatal for your files.

#########################################################################

!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.

#########################################################################

For your information the software to decrypt your files (as well as the
private key provided together) are paid products.

After purchase of the software package you will be able to:

  1. decrypt all your files;
  2. work with your documents;
  3. view your photos and other media;
  4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you
to go directly to your personal page where you will receive the complete
instructions and guarantees to restore your files.

#########################################################################

There is a list of temporary addresses to go on your personal page below:

 _______________________________________________________________________
|                                                                       |
| 1. http://pmenboeqhyrpvomq.0vgu64.top/7080-8D56-9DDD-006D-F923        |
| 2. http://pmenboeqhyrpvomq.wz139z.top/7080-8D56-9DDD-006D-F923        |
| 3. http://pmenboeqhyrpvomq.r21wmw.top/7080-8D56-9DDD-006D-F923        |
| 4. http://pmenboeqhyrpvomq.pap44w.top/7080-8D56-9DDD-006D-F923        |
| 5. http://pmenboeqhyrpvomq.onion.to/7080-8D56-9DDD-006D-F923          |
|_______________________________________________________________________|

#########################################################################

What should you do with these addresses?
----------------------------------------

If you read the instructions in TXT format (if you have instruction in
HTML (the file with an icon of your Internet browser) then the easiest
way is to run it):

  1. take a look at the first address (in this case it is
     http://pmenboeqhyrpvomq.0vgu64.top/7080-8D56-9DDD-006D-F923);
  2. select it with the mouse cursor holding the left mouse button and
     moving the cursor to the right;
  3. release the left mouse button and press the right one;
  4. select "Copy" in the appeared menu;
  5. run your Internet browser (if you do not know what it is run the
     Internet Explorer);
  6. move the mouse cursor to the address bar of the browser (this is the
     place where the site address is written);
  7. click the right mouse button in the field where the site address is
     written;
  8. select the button "Insert" in the appeared menu;
  9. then you will see the address
     http://pmenboeqhyrpvomq.0vgu64.top/7080-8D56-9DDD-006D-F923 appeared
     there;
 10. press ENTER;
 11. the site should be loaded; if it is not loaded repeat the same
     instructions with the second address and continue until the last
     address if falling.

If for some reason the site cannot be opened check the connection to the
Internet; if the site still cannot be opened take a look at the
instructions on omitting the point about working with the addresses in
the HTML instructions.

If you browse the instructions in HTML format:

  1. click the left mouse button on the first address (in this case it is
     http://pmenboeqhyrpvomq.0vgu64.top/7080-8D56-9DDD-006D-F923);
  2. in a new tab or window of your web browser the site should be
     loaded; if it is not loaded repeat the same instructions with the
     second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the
Internet.

#########################################################################

Unfortunately these sites are short-term since the antivirus companies
are interested in you do not have a chance to restore your files but
continue to buy their products.

Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

  1. run your Internet browser (if you do not know what it is run the
     Internet Explorer);
  2. enter or copy the address
     https://www.torproject.org/download/download-easy.html.en into the
     address bar of your browser and press ENTER;
  3. wait for the site loading;
  4. on the site you will be offered to download Tor Browser; download and
     run it, follow the installation instructions, wait until the
     installation is completed;
  5. run Tor Browser;
  6. connect with the button "Connect" (if you use the English version);
  7. a normal Internet browser window will be opened after the
     initialization;
  8. type or copy the address

      ________________________________________________________
     |                                                        |
     | http://pmenboeqhyrpvomq.onion/7080-8D56-9DDD-006D-F923 |
     |________________________________________________________|

     in this browser address bar;
  9. press ENTER;
 10. the site should be loaded; if for some reason the site is not loading
     wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser,
please, visit https://www.youtube.com/ and type request in the search bar
"install tor browser windows" and you will find a lot of training videos
about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you
are late; usually you have about 2-3 weeks after reading the instructions
to restore your files.

#########################################################################

Additional information:

You will find the instructions for restoring your files in those folders
where you have your encrypted files only.

The instructions are made in two file formats - HTML and TXT for your
convenience.

Unfortunately antivirus companies cannot protect or restore your files
but they can make the situation worse removing the instructions how to
restore your encrypted files.

The instructions are not viruses; they have informative nature only, so
any claims on the absence of any instruction files you can send to your
antivirus company.

#########################################################################

Cerber Ransomware Project is not malicious and is not intended to harm a
person and his/her information data.

The project is created for the sole purpose of instruction regarding
information security, as well as certification of antivirus software for
their suitability for data protection.

Together we make the Internet a better and safer place.

#########################################################################

If you look through this text in the Internet and realize that something
is wrong with your files but you do not have any instructions to restore
your files, please, contact your antivirus support.

#########################################################################

Remember that the worst situation already happened and now it depends on
your determination and speed of your actions the further life of your
files.

URLs

http://pmenboeqhyrpvomq.0vgu64.top/7080-8D56-9DDD-006D-F923

http://pmenboeqhyrpvomq.wz139z.top/7080-8D56-9DDD-006D-F923

http://pmenboeqhyrpvomq.r21wmw.top/7080-8D56-9DDD-006D-F923

http://pmenboeqhyrpvomq.pap44w.top/7080-8D56-9DDD-006D-F923

http://pmenboeqhyrpvomq.onion.to/7080-8D56-9DDD-006D-F923

http://pmenboeqhyrpvomq.onion/7080-8D56-9DDD-006D-F923

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Contacts a large number (521) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Deletes itself (1 IoC)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Drops file in Program Files directory (15 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 4 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer (2 IoCs)
  • Kills process with taskkill (2 IoCs)
  • Modifies Control Panel (4 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 59 IoCs)
  • Runs ping.exe (1 TTP, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a0c2641e45b3c5b473f69183c57cbf0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8a0c2641e45b3c5b473f69183c57cbf0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\8a0c2641e45b3c5b473f69183c57cbf0_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8a0c2641e45b3c5b473f69183c57cbf0_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe
        "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe
          "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2936
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:472065 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2292
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
              PID:2172
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
              5⤵
                PID:1892
              • C:\Windows\system32\cmd.exe
                /d /c taskkill /t /f /im "openfiles.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe" > NUL
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                PID:2136
                • C:\Windows\system32\taskkill.exe
                  taskkill /t /f /im "openfiles.exe"
                  6⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1752
                • C:\Windows\system32\PING.EXE
                  ping -n 1 127.0.0.1
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3028
          • C:\Windows\SysWOW64\cmd.exe
            /d /c taskkill /t /f /im "8a0c2641e45b3c5b473f69183c57cbf0_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\8a0c2641e45b3c5b473f69183c57cbf0_JaffaCakes118.exe" > NUL
            3⤵
            • Deletes itself
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2984
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /t /f /im "8a0c2641e45b3c5b473f69183c57cbf0_JaffaCakes118.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2708
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2340
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {04D80716-8CD6-4FCD-9102-FB25325BEBD0} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe
          C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe
            C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\openfiles.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1004
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:1876
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1852
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
        • System Location Discovery: System Language Discovery
        PID:1576
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x1ec
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2116

      Network

            MITRE ATT&CK Enterprise v15

            Downloads
