Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2025, 02:34

General

  • Target

    fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe

  • Size

    395KB

  • MD5

    9b55e3dbb34b1d422fe46487f42019a6

  • SHA1

    ecc8ee4fe83f00d2b307a17ce4a323646aece2e0

  • SHA256

    fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6

  • SHA512

    8a0fca1dc36bf9053eab2a2c4e549e83e192b2b34e8ef814e031274d37157d13b2d02befb795195acb28af1a201a39dcb9356f2dad2187aaf4f5e86de051ae45

  • SSDEEP

    6144:j/44D6oSKZyjhi7+jxF07ETxj85zdBdy+66lmppOLZB5wr:rp67KUA+jxG7eIHB6QLF+

Malware Config

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F" id="url_1" target="_blank">http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://bqyjebfh25oellur.onion.cab/6AFA-25C8-0047-0072-BA2F" target="_blank">http://bqyjebfh25oellur.onion.cab/6AFA-25C8-0047-0072-BA2F</a></li> <li><a href="http://bqyjebfh25oellur.onion.nu/6AFA-25C8-0047-0072-BA2F" target="_blank">http://bqyjebfh25oellur.onion.nu/6AFA-25C8-0047-0072-BA2F</a></li> <li><a href="http://bqyjebfh25oellur.onion.link/6AFA-25C8-0047-0072-BA2F" target="_blank">http://bqyjebfh25oellur.onion.link/6AFA-25C8-0047-0072-BA2F</a></li> <li><a href="http://bqyjebfh25oellur.tor2web.org/6AFA-25C8-0047-0072-BA2F" target="_blank">http://bqyjebfh25oellur.tor2web.org/6AFA-25C8-0047-0072-BA2F</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F" id="url_2" target="_blank">http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F" id="url_3" target="_blank">http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F" id="url_4" target="_blank">http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If 
for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://bqyjebfh25oellur.onion/6AFA-25C8-0047-0072-BA2F</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You 
will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); }

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#C3rber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. 
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F | | 2. 
http://bqyjebfh25oellur.onion.cab/6AFA-25C8-0047-0072-BA2F | | 3. http://bqyjebfh25oellur.onion.nu/6AFA-25C8-0047-0072-BA2F | | 4. http://bqyjebfh25oellur.onion.link/6AFA-25C8-0047-0072-BA2F | | 5. http://bqyjebfh25oellur.tor2web.org/6AFA-25C8-0047-0072-BA2F |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://bqyjebfh25oellur.onion/6AFA-25C8-0047-0072-BA2F | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://bqyjebfh25oellur.onion.to/6AFA-25C8-0047-0072-BA2F

http://bqyjebfh25oellur.onion.cab/6AFA-25C8-0047-0072-BA2F

http://bqyjebfh25oellur.onion.nu/6AFA-25C8-0047-0072-BA2F

http://bqyjebfh25oellur.onion.link/6AFA-25C8-0047-0072-BA2F

http://bqyjebfh25oellur.tor2web.org/6AFA-25C8-0047-0072-BA2F

http://bqyjebfh25oellur.onion/6AFA-25C8-0047-0072-BA2F

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (525) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe
    "C:\Users\Admin\AppData\Local\Temp\fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\dccw.exe
      "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\dccw.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2024
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:472065 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:812
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:1640
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:2244
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "dccw.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\dccw.exe" > NUL
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "dccw.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2760
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2980
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe" > NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "fe95cbedb9018ba0dbd0d78a82110a775a131c57f627e620171300f1fe0a40c6.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2700
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1048
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2392
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6AA5AFCA-77E3-41A5-9935-F10F574C2E05} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\dccw.exe
      C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\dccw.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      PID:288

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC (914B)
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 (1KB)
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC (252B)
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B; 20 successive versions of this file captured, each with distinct hashes)
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 (242B)
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FBF105F1-CC9F-11EF-93CA-E62D5E492327}.dat (5KB)
      • C:\Users\Admin\AppData\Local\Temp\CabF3B5.tmp (70KB)
      • C:\Users\Admin\AppData\Local\Temp\TarF463.tmp (181KB)
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\dccw.lnk (1KB)
      • C:\Users\Admin\Music\# DECRYPT MY FILES #.html (19KB)
      • C:\Users\Admin\Music\# DECRYPT MY FILES #.txt (10KB)
      • C:\Users\Admin\Music\# DECRYPT MY FILES #.url (88B)
      • C:\Users\Admin\Music\# DECRYPT MY FILES #.vbs (246B)
      • \Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\dccw.exe (395KB; same MD5, SHA1, SHA256 and SHA512 as the submitted target, i.e. a copy of the sample)
      • memory/288: 0x0000000000400000-0x0000000000428000 (160KB), 2 dumps
      • memory/2128: 0x0000000000400000-0x0000000000428000 (160KB), 21 dumps; 0x0000000002930000-0x0000000002931000 (4KB), 1 dump; 0x0000000005DD0000-0x0000000005DD2000 (8KB), 1 dump
      • memory/2280: 0x0000000000400000-0x0000000000428000 (160KB), 3 dumps; 0x0000000000120000-0x0000000000146000 (152KB), 1 dump