{
	"id": "3356dea2-9009-4258-866d-162d9534e250",
	"created_at": "2026-04-10T03:21:02.04702Z",
	"updated_at": "2026-04-10T13:12:39.516511Z",
	"deleted_at": null,
	"sha1_hash": "c83d6bc4c133749f5adf1fd713b3a64869bb3b96",
	"title": "malware-notes/Ransomware-Windows-Yanluowang at master · albertzsigovits/malware-notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93397,
	"plain_text": "malware-notes/Ransomware-Windows-Yanluowang at master ·\r\nalbertzsigovits/malware-notes\r\nBy albertzsigovits\r\nArchived: 2026-04-10 03:03:11 UTC\r\nSHA256\r\n d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c\r\n 49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d\r\nPassword for execution (--pass):\r\n D86BDXL9N3H\r\nRC4 decryption key (RSA public key and ransom note):\r\n RSCNFZJCXGCGF8Q6TOY7IKPE9J3PO6DAPGZFKLHARGXW\r\nRSA Public key: 1024-bit\r\n -----BEGIN PUBLIC KEY-----\r\n MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDghZ1IjKZQIMvxDBd6BtWu6ytb\r\n VtkGOQItQivbeKA4yFnVPlpX7X/vm8CPnspbmzxEmr13DTcT6N0+Uvaz/cw6FDzA\r\n qThpj2Xl3OKW0Ph3ACSIezg3h187ITcOiOuMu0wn3QjNamNwWhQ7Q9uLiwLk1HNb\r\n A1LD9h4cDMfQvwq3oQIDAQAB\r\n -----END PUBLIC KEY-----\r\nCrypto APIs used:\r\n CryptAcquireContextA\r\n CryptAcquireContextW\r\n CryptDecodeObjectEx\r\n CryptEncrypt\r\n CryptGenRandom\r\n CryptImportPublicKeyInfo\r\n CryptReleaseContext\r\n CryptStringToBinaryA\r\nhttps://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang\r\nPage 1 of 8\n\nEncryption details:\r\n 32-byte random key, via CryptGenRandom\r\n dwProvType: PROV_RSA_FULL (0x00000001)\r\n szContainer: Crypto++ RNG\r\n OID: 1.2.840.113549.1.1.1\r\n Encryption Scheme: RSAES-PKCS1-V1_5\r\nFollowing the encryption:\r\n32-byte random key via CryptGenRandom\r\n00F15CF0 4F 46 95 F1 DC 2C CA 36 F3 C9 57 60 97 B5 6A 05 OF.ñÜ,Ê6óÉW`.µj.\r\n00F15D00 1C 25 7D CD 7A AE 62 48 03 A1 DE 2E 7C 0C C2 2A .%}Íz®bH.¡Þ.|.Â*\r\nRC4 decryption of RSA public key\r\n00F15DF0 2D 2D 2D 2D 2D 42 45 47 49 4E 20 50 55 42 4C 49 -----BEGIN PUBLI\r\n00F15E00 43 20 4B 45 59 2D 2D 2D 2D 2D 0A 4D 49 47 66 4D C KEY-----.MIGfM\r\n00F15E10 41 30 47 43 53 71 47 53 49 62 33 44 51 45 42 41 A0GCSqGSIb3DQEBA\r\n00F15E20 51 55 41 41 34 47 4E 41 44 43 42 69 51 4B 42 67 QUAA4GNADCBiQKBg\r\n00F15E30 51 44 67 68 5A 31 49 6A 4B 5A 51 49 4D 76 78 44 QDghZ1IjKZQIMvxD\r\n00F15E40 42 64 36 42 74 57 75 
36 79 74 62 0A 56 74 6B 47 Bd6BtWu6ytb.VtkG\r\n00F15E50 4F 51 49 74 51 69 76 62 65 4B 41 34 79 46 6E 56 OQItQivbeKA4yFnV\r\n00F15E60 50 6C 70 58 37 58 2F 76 6D 38 43 50 6E 73 70 62 PlpX7X/vm8CPnspb\r\n00F15E70 6D 7A 78 45 6D 72 31 33 44 54 63 54 36 4E 30 2B mzxEmr13DTcT6N0+\r\n00F15E80 55 76 61 7A 2F 63 77 36 46 44 7A 41 0A 71 54 68 Uvaz/cw6FDzA.qTh\r\n00F15E90 70 6A 32 58 6C 33 4F 4B 57 30 50 68 33 41 43 53 pj2Xl3OKW0Ph3ACS\r\n00F15EA0 49 65 7A 67 33 68 31 38 37 49 54 63 4F 69 4F 75 Iezg3h187ITcOiOu\r\n00F15EB0 4D 75 30 77 6E 33 51 6A 4E 61 6D 4E 77 57 68 51 Mu0wn3QjNamNwWhQ\r\n00F15EC0 37 51 39 75 4C 69 77 4C 6B 31 48 4E 62 0A 41 31 7Q9uLiwLk1HNb.A1\r\n00F15ED0 4C 44 39 68 34 63 44 4D 66 51 76 77 71 33 6F 51 LD9h4cDMfQvwq3oQ\r\n00F15EE0 49 44 41 51 41 42 0A 2D 2D 2D 2D 2D 45 4E 44 20 IDAQAB.-----END\r\n00F15EF0 50 55 42 4C 49 43 20 4B 45 59 2D 2D 2D 2D 2D PUBLIC KEY-----\r\nCryptStringBinaryA and LocalAlloc (30 81 9F 30)\r\n00F182F8 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 0..0...*.H.÷....\r\n00F18308 05 00 03 81 8D 00 30 81 89 02 81 81 00 E0 85 9D ......0......à..\r\n00F18318 48 8C A6 50 20 CB F1 0C 17 7A 06 D5 AE EB 2B 5B H.¦P Ëñ..z.Õ®ë+[\r\n00F18328 56 D9 06 39 02 2D 42 2B DB 78 A0 38 C8 59 D5 3E VÙ.9.-B+Ûx8ÈYÕ\u003e\r\n00F18338 5A 57 ED 7F EF 9B C0 8F 9E CA 5B 9B 3C 44 9A BD ZWí.ï.À..Ê[.\u003cD.½\r\n00F18348 77 0D 37 13 E8 DD 3E 52 F6 B3 FD CC 3A 14 3C C0 w.7.èÝ\u003eRö³ýÌ:.\u003cÀ\r\n00F18358 A9 38 69 8F 65 E5 DC E2 96 D0 F8 77 00 24 88 7B ©8i.eåÜâ.Ðøw.$.{\r\n00F18368 38 37 87 5F 3B 21 37 0E 88 EB 8C BB 4C 27 DD 08 87._;!7..ë.»L'Ý.\r\n00F18378 CD 6A 63 70 5A 14 3B 43 DB 8B 8B 02 E4 D4 73 5B ÍjcpZ.;CÛ...äÔs[\r\n00F18388 03 52 C3 F6 1E 1C 0C C7 D0 BF 0A B7 A1 02 03 01 .RÃö...ÇÐ¿.·¡...\r\n00F18398 00 01 ..\r\nhttps://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang\r\nPage 2 of 8\n\nCryptDecodeObjectEx and LocalAlloc (05 00 AD BA)\r\nCryptImportPublicKey OID: 1.2.840.113549.1.1.1\r\n00F19588 A0 95 F1 00 02 00 00 00 B8 95 
F1 00 8C 00 00 00 .ñ.....¸.ñ.....\r\n00F19598 C0 95 F1 00 00 00 00 00 31 2E 32 2E 38 34 30 2E À.ñ.....1.2.840.\r\n00F195A8 31 31 33 35 34 39 2E 31 2E 31 2E 31 00 F0 AD BA 113549.1.1.1.ð.º\r\n00F195B8 05 00 AD BA 0D F0 AD BA 30 81 89 02 81 81 00 E0 ...º.ð.º0......à\r\n00F195C8 85 9D 48 8C A6 50 20 CB F1 0C 17 7A 06 D5 AE EB ..H.¦P Ëñ..z.Õ®ë\r\n00F195D8 2B 5B 56 D9 06 39 02 2D 42 2B DB 78 A0 38 C8 59 +[VÙ.9.-B+Ûx8ÈY\r\n00F195E8 D5 3E 5A 57 ED 7F EF 9B C0 8F 9E CA 5B 9B 3C 44 Õ\u003eZWí.ï.À..Ê[.\u003cD\r\n00F195F8 9A BD 77 0D 37 13 E8 DD 3E 52 F6 B3 FD CC 3A 14 .½w.7.èÝ\u003eRö³ýÌ:.\r\n00F19608 3C C0 A9 38 69 8F 65 E5 DC E2 96 D0 F8 77 00 24 \u003cÀ©8i.eåÜâ.Ðøw.$\r\n00F19618 88 7B 38 37 87 5F 3B 21 37 0E 88 EB 8C BB 4C 27 .{87._;!7..ë.»L'\r\n00F19628 DD 08 CD 6A 63 70 5A 14 3B 43 DB 8B 8B 02 E4 D4 Ý.ÍjcpZ.;CÛ...äÔ\r\n00F19638 73 5B 03 52 C3 F6 1E 1C 0C C7 D0 BF 0A B7 A1 02 s[.RÃö...ÇÐ¿.·¡.\r\n00F19648 03 01 00 01 ....\r\n32-byte random key via CryptGenRandom gets copied to the first 32 byte (step #1)\r\n00F19688 4F 46 95 F1 DC 2C CA 36 F3 C9 57 60 97 B5 6A 05 OF.ñÜ,Ê6óÉW`.µj.\r\n00F19698 1C 25 7D CD 7A AE 62 48 03 A1 DE 2E 7C 0C C2 2A .%}Íz®bH.¡Þ.|.Â*\r\n00F196A8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º\r\n00F196B8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º\r\n00F196C8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º\r\n00F196D8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º\r\n00F196E8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º\r\n00F196F8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º\r\nCryptEncrypt and CryptBinaryToStringA (0x00F19688) (step #2)\r\nFinal session key gets appended to the end of all encrypted files\r\n00F19688 5E C6 31 97 BE 65 F1 86 22 4F 32 0A 18 C9 2C CE ^Æ1.¾eñ.\"O2..É,Î\r\n00F19698 A3 D8 50 61 9B 1E E6 5F 9E 3E 38 87 F2 77 8D 4B £ØPa..æ_.\u003e8.òw.K\r\n00F196A8 41 10 C5 FF AE B6 26 3A F8 2E 64 9B 81 39 37 43 
A.Åÿ®¶\u0026:ø.d..97C\r\n00F196B8 83 AF 1B 6D 3E 24 31 F8 DC 74 2D AA 12 6E 98 03 .¯.m\u003e$1øÜt-ª.n..\r\n00F196C8 60 7B FD 3F 91 BD 1D F4 40 11 3E 65 3F 93 48 C6 `{ý?.½.ô@.\u003ee?.HÆ\r\n00F196D8 3C F7 49 13 35 0B 7F 14 2F 8B 21 BA 23 E0 21 D7 \u003c÷I.5.../.!º#à!×\r\n00F196E8 D0 18 3F CA 8E C9 2A E4 E1 4B DA BB 67 E0 50 74 Ð.?Ê.É*äáKÚ»gàPt\r\n00F196F8 B1 47 65 2A 9C C5 9A 29 0E 4E 98 52 BD 07 DA 6F ±Ge*.Å.).N.R½.Úo\r\nFinal session key gets converted to Base64\r\n00F1A920 58 73 59 78 6C 37 35 6C 38 59 59 69 54 7A 49 4B XsYxl75l8YYiTzIK\r\n00F1A930 47 4D 6B 73 7A 71 50 59 55 47 47 62 48 75 5A 66 GMkszqPYUGGbHuZf\r\n00F1A940 6E 6A 34 34 68 2F 4A 33 6A 55 74 42 45 4D 58 2F nj44h/J3jUtBEMX/\r\n00F1A950 72 72 59 6D 4F 76 67 75 5A 4A 75 42 4F 54 64 44 rrYmOvguZJuBOTdD\r\n00F1A960 0D 0A 67 36 38 62 62 54 34 6B 4D 66 6A 63 64 43 ..g68bbT4kMfjcdC\r\n00F1A970 32 71 45 6D 36 59 41 32 42 37 2F 54 2B 52 76 52 2qEm6YA2B7/T+RvR\r\n00F1A980 33 30 51 42 45 2B 5A 54 2B 54 53 4D 59 38 39 30 30QBE+ZT+TSMY890\r\n00F1A990 6B 54 4E 51 74 2F 46 43 2B 4C 49 62 6F 6A 34 43 kTNQt/FC+LIboj4C\r\nhttps://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang\r\nPage 3 of 8\n\n00F1A9A0 48 58 0D 0A 30 42 67 2F 79 6F 37 4A 4B 75 54 68 HX..0Bg/yo7JKuTh\r\n00F1A9B0 53 39 71 37 5A 2B 42 51 64 4C 46 48 5A 53 71 63 S9q7Z+BQdLFHZSqc\r\n00F1A9C0 78 5A 6F 70 44 6B 36 59 55 72 30 48 32 6D 38 3D xZopDk6YUr0H2m8=\r\nBase64 gets added to the end of the ransom note\r\n00F1B570 63 61 6E 67 2E 6C 65 65 6E 40 6D 61 69 6C 66 65 cang.leen@mailfe\r\n00F1B580 6E 63 65 2E 63 6F 6D 0A 32 29 79 61 6E 2E 6C 61 nce.com.2)yan.la\r\n00F1B590 6F 77 61 6E 67 40 6D 61 69 6C 66 65 6E 63 65 2E owang@mailfence.\r\n00F1B5A0 63 6F 6D 4A 58 73 59 78 6C 37 35 6C 38 59 59 69 comJXsYxl75l8YYi\r\n00F1B5B0 54 7A 49 4B 47 4D 6B 73 7A 71 50 59 55 47 47 62 TzIKGMkszqPYUGGb\r\n00F1B5C0 48 75 5A 66 6E 6A 34 34 68 2F 4A 33 6A 55 74 42 HuZfnj44h/J3jUtB\r\n00F1B5D0 45 4D 58 2F 72 72 59 6D 4F 76 67 75 5A 4A 75 42 
EMX/rrYmOvguZJuB\r\n00F1B5E0 4F 54 64 44 0D 0A 67 36 38 62 62 54 34 6B 4D 66 OTdD..g68bbT4kMf\r\n00F1B5F0 6A 63 64 43 32 71 45 6D 36 59 41 32 42 37 2F 54 jcdC2qEm6YA2B7/T\r\n00F1B600 2B 52 76 52 33 30 51 42 45 2B 5A 54 2B 54 53 4D +RvR30QBE+ZT+TSM\r\n00F1B610 59 38 39 30 6B 54 4E 51 74 2F 46 43 2B 4C 49 62 Y890kTNQt/FC+LIb\r\n00F1B620 6F 6A 34 43 48 58 0D 0A 30 42 67 2F 79 6F 37 4A oj4CHX..0Bg/yo7J\r\n00F1B630 4B 75 54 68 53 39 71 37 5A 2B 42 51 64 4C 46 48 KuThS9q7Z+BQdLFH\r\n00F1B640 5A 53 71 63 78 5A 6F 70 44 6B 36 59 55 72 30 48 ZSqcxZopDk6YUr0H\r\n00F1B650 32 6D 38 3D 2m8=.\r\nRansomware executable digital signature:\r\n Name: AdClearance Limited\r\n Thumbprint: 614A13CA73AE2F01D860B5F87B71CA38F5307DBD\r\n SN: 0D 0D A8 84 0C 1A 95 9D 09 32 47 FA 33 6E 5A 2D\r\nMutex:\r\n Type=Mutant\r\n Name=\\Sessions\\1\\BaseNamedObjects\\SM0:pid:handle:WilStaging_02\r\nE-mails from the ransom note:\r\n cang.leen@mailfence.com\r\n yan.laowang@mailfence.com\r\nRansomware execution arguments:\r\n -h\r\n -p\r\n -pass\r\n -path\r\n --help\r\n --pass\r\n --path\r\nRansomware extension:\r\n .yanluowang\r\nRansomware note:\r\n README.txt\r\nRansomware (-h) execution helper:\r\n Syntax: encrypt.exe [(-p,-path,--path)\u003cpath\u003e]\r\nInteresting commands executed:\r\n cmd.exe /c powershell -command \"Get-VM | Stop-VM -Force\"\r\n cmd.exe /c for /l %x in (1,1,3) do start wordpad.exe /p\r\nTerminated processes via (CreateToolhelp32Snapshot):\r\n veeam\r\n sql\r\nSkipped folders:\r\n PROGRA~1\r\n PROGRA~2\r\n PROGRA~3\r\n SYSTEM~1\r\n Windows\r\n WINDOWS\r\nSkip-list for extensions:\r\n exe\r\n dll\r\n conf\r\n a\r\n lib\r\n bat\r\n ps\r\n msi\r\n cfg\r\n reg\r\n sys\r\n lnk\r\n obj\r\n ini\r\n yanluowang\r\nKilled processes via (ShellExecute):\r\n taskkill /f /im 
CNTAoSMgr*\r\n taskkill /f /im IBM*\r\n taskkill /f /im Notifier*\r\n taskkill /f /im Ntrtscan*\r\n taskkill /f /im TmListen*\r\n taskkill /f /im bes10*\r\n taskkill /f /im black*\r\n taskkill /f /im chrome*\r\n taskkill /f /im copy*\r\n taskkill /f /im ds_monitor*\r\n taskkill /f /im dsa*\r\n taskkill /f /im excel*\r\n taskkill /f /im firefox*\r\n taskkill /f /im iVPAgent*\r\n taskkill /f /im iexplore*\r\n taskkill /f /im mysql*\r\n taskkill /f /im outlook*\r\n taskkill /f /im postg*\r\n taskkill /f /im putty*\r\n taskkill /f /im robo*\r\n taskkill /f /im sage*\r\n taskkill /f /im sql\r\n taskkill /f /im sql*\r\n taskkill /f /im ssh*\r\n taskkill /f /im store.exe\r\n taskkill /f /im tasklist*\r\n taskkill /f /im taskmgr*\r\n taskkill /f /im vee*\r\n taskkill /f /im veeam*\r\n taskkill /f /im wrsa*\r\n taskkill /f /im wrsa.exe\r\nStopped services:\r\n net stop IISADMIN\r\n net stop MSExchangeADTopology\r\n net stop MSExchangeFBA\r\n net stop MSExchangeIS\r\n net stop MSExchangeSA\r\n net stop MSSQL$ISARS\r\n net stop MSSQL$MSFW\r\n net stop MSSQLServerADHelper100\r\n net stop QBCFMonitorService\r\n net stop QBPOSDBServiceV12\r\n net stop QBVSS\r\n net stop QuickBooksDB1\r\n net stop QuickBooksDB10\r\n net stop QuickBooksDB11\r\n net stop QuickBooksDB12\r\n net stop QuickBooksDB13\r\n net stop QuickBooksDB14\r\n net stop QuickBooksDB15\r\n net stop QuickBooksDB16\r\n net stop QuickBooksDB17\r\n net stop QuickBooksDB18\r\n net stop QuickBooksDB19\r\n net stop QuickBooksDB2\r\n net stop QuickBooksDB20\r\n net stop QuickBooksDB21\r\n net stop QuickBooksDB22\r\n net stop QuickBooksDB23\r\n net stop QuickBooksDB24\r\n net stop QuickBooksDB25\r\n net stop QuickBooksDB3\r\n net stop QuickBooksDB4\r\n net stop QuickBooksDB5\r\n net stop QuickBooksDB6\r\n net stop QuickBooksDB7\r\n net stop QuickBooksDB8\r\n net stop QuickBooksDB9\r\n net stop ReportServer$ISARS\r\n 
net stop SPAdminV4\r\n net stop SPSearch4\r\n net stop SPTimerV4\r\n net stop SPTraceV4\r\n net stop SPUserCodeV4\r\n net stop SPWriterV4\r\n net stop SQLAgent$ISARS\r\n net stop SQLAgent$MSFW\r\n net stop SQLBrowser\r\n net stop SQLWriter\r\n net stop ShadowProtectSvc\r\n net stop WinDefend\r\n net stop \"IBM Domino Diagnostics (CProgramFilesIBMDomino)\"\r\n net stop \"IBM Domino Server (CProgramFilesIBMDominodata)\"\r\n net stop \"Simply Accounting Database Connection Manager\"\r\n net stop firebirdguardiandefaultinstance\r\n net stop ibmiasrw\r\n net stop mr2kserv\r\nRansom note:\r\n Hi, since you are reading this it means you have been hacked.\r\n In addition to encrypting all your systems, deleting backups, we also downloaded 2 terabytes of confidential\r\n Here's what you shouldn't do:\r\n 1) Contact the police, fbi or other authorities before the end of our deal\r\n 2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recove\r\n 3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! 
This c\r\n 4) Keep us for fools)\r\n We will also stop any communication with you, and continue DDoS, calls to employees and business partners.\r\n In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEA\r\n Here's what you should do right after reading it:\r\n 1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT departm\r\n 2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company,\r\n We are ready to confirm all our intentions regarding DDOS, calls, and deletion of the date at your first req\r\n As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.\r\n Mails to contact us:\r\n 1)cang.leen@mailfence.com\r\n 2)yan.laowang@mailfence.comJ0mAm8SN6C0BPAImmRDBChtERC7nTlQ49bsh2xDb4IrtDvr17bCwy+GSiq+IFUT4H\r\n irx+WpNuWBzpS2CUO6pR+FkYoaltOtN+fMpogxD3jzCC29ksq2BfcXqLSIr/zJuz\r\n HJ3saoWSBxf0XTA5SMU1xJ0d/Nx/wu2t7Vb4sethsj4=\r\nThe J right after the email address is hardcoded, and not part of the base64 encoded key.\r\n2)yan.laowang@mailfence.comJ0mAm8SN6C0BPAImmRDBChtERC7nTlQ49bsh2xDb4IrtDvr17bCwy+GSiq+IFUT4H\r\nSource: https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang"
	],
	"report_names": [
		"Ransomware-Windows-Yanluowang"
	],
	"threat_actors": [],
	"ts_created_at": 1775791262,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c83d6bc4c133749f5adf1fd713b3a64869bb3b96.pdf",
		"text": "https://archive.orkl.eu/c83d6bc4c133749f5adf1fd713b3a64869bb3b96.txt",
		"img": "https://archive.orkl.eu/c83d6bc4c133749f5adf1fd713b3a64869bb3b96.jpg"
	}
}