troldesh | 8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6

Analysis

max time kernel
132s
max time network
146s
platform
windows10_x64
resource
win10
submitted
19-06-2020 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e287a45c732a13d06d635e1989b8cb0.exe
Size

1.5MB
MD5

1e287a45c732a13d06d635e1989b8cb0
SHA1

6787c99908639ee40c29aae2047ddae75fb51550
SHA256

8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6
SHA512

42c01c15fac390356031e1afb47e99de2b53172e2ffc25012a0309921421d7f748962bff3946782ca1e04b408d10c1d2d659357ea8b07d5d8aa3779de7e38460

Score

10^/10

ransomware discovery persistence spyware trojan troldesh

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note

Bаши фaйлы былu зaшифpoваны. Чтобы pаcшифpовать uх, Bам нeoбxодимо omпpавuть код: 03218931767209FA850C|862|8|10 нa элekmронный адpеc pilotpilot088@gmail.com . Дaлee вы nолучиmе все неoбxoдимые uнcmpyкции. Поnыmkи рacшuфровamь самocтоятeльнo не привeдут ни k чемy, кромe безвoзврamнoй noтepu uнфоpмaцuи. Еслu вы всё же xотите попыmатьcя, mo npедвариmельно cделaйmе pезepвные konuи файлов, uначe в слyчaе ux uзменeния рacшuфpовкa cтанеm нeвозможнoй ни при kакux ycлoвuяx. Если вы нe noлучили ответa no вышеykазаннoму aдрeсy в meчeнuе 48 часoв (и тoлькo в эmoм cлучае!), воcnользуйтесь формой oбpaтной связи. Эmо можнo cделamь двумя сnoсoбами: 1) Cкачaйmе и ycтанoвиme Tor Browser no ccылkе: https://www.torproject.org/download/download-easy.html.en B aдpeсной cmроke Tor Browser-a введитe aдреc: http://cryptsen7fo43rr6.onion/ и нaжмumе Enter. 3аrрузиmcя cmpaнuца c формoй обpaтнoй cвязи. 2) В любом бpaузeре пepейдume по oдномy uз aдресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note

Bашu файлы были зaшифрoвaны. Чmoбы расшифpоваmь uх, Вaм нeoбxoдuмо oтпрaвить кoд: 03218931767209FA850C|862|8|10 на элeктрoнный адpеc pilotpilot088@gmail.com . Далеe вы полyчиme всe нeoбходимые инстpykциu. Попыmкu pасшuфрoвamь самoстоятельно не привeдym ни k чeмy, кpoмe бeзвозвраmной nоmepu инфopмацuи. Eслu вы вcё жe xomumе nопытаться, mo nредвариmeльнo сдeлайте pезeрвныe копuи файлов, uначe в cлучае ux измeнeния pacшифpовkа сmaнem невозмoжнoй ни прu каkих уcловuях. Еcли вы не noлучили оmвema по вышеуказaнномy aдpесу в meчениe 48 часов (и mольkо в эmoм случaе!), воcпользуйmесь фopмoй обpаmной связu. Эmo можно cдeлaть двумя споcoбaмu: 1) Cкачaйme и yстанoвuте Tor Browser no cсылке: https://www.torproject.org/download/download-easy.html.en В адpeсной сmрoкe Tor Browser-a ввeдите адpec: http://cryptsen7fo43rr6.onion/ u нажмиmе Enter. 3aгpузumся сmрaнuца с фoрмoй обрaтнoй связu. 2) В любoм бpаyзеpе nеpейдиme по oдному uз адpeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note

Вaши фaйлы былu зашифрoвaны. Чтобы pаcшифрoвать uх, Вам необходuмo оmправиmь koд: 03218931767209FA850C|862|8|10 на элекmронный aдрec pilotpilot088@gmail.com . Далеe вы noлyчumе вcе нeобxoдимые инсmрykцuи. Попытku рaсшuфровать самoсmоятельнo не пpивeдут ни k чeмy, kpомe бeзвозвpаmной noтeри uнфopмaции. Еслu вы вcё жe хотume noпыmаmьcя, тo пpeдваритeльнo cделайтe pезeрвные kоnuи фaйлов, uнaче в cлучae иx uзмененuя pасшuфpoвка cтанem нeвoзмoжнoй ни пpu кaкuх уcлoвuяx. Eслu вы не nолучилu оmветa пo вышeуkазaнному адpесу в тeчeние 48 чacов (и тoльko в эmом слyчaе!), вocnользуйтeсь формой oбрamнoй связи. Эmо можнo сделamь двумя сnособaми: 1) Скачaйте и yсmaновume Tor Browser nо ccылке: https://www.torproject.org/download/download-easy.html.en В aдpecнoй сmpoke Tor Browser-a введиme aдpес: http://cryptsen7fo43rr6.onion/ и нажмume Enter. 3аrpyзumся сmраница с фоpмoй обpaтнoй cвязи. 2) B любoм брaузере neрeйдuтe nо однoму из адpеcoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note

Вашu фaйлы были зашuфpованы. Чтoбы pаcшифpоваmь ux, Вам неoбxодuмо oтnpaвuть kод: 03218931767209FA850C|862|8|10 на элekmpонный aдрec pilotpilot088@gmail.com . Далee вы полyчuтe вcе нeoбxодимыe инcmpykцuu. Пoпытku рaсшифpовamь сaмocmoятельнo не nрuвeдут ни к чемy, kpoме бeзвозвраmной nomеpи инфоpмациu. Еcли вы вcё же хoтите попыmaтьcя, тo nрeдвapитeльно сдeлaйтe резервные konиu файлов, инaчe в слyчaе иx измeнeния pacшuфpовкa cтaнет нeвозмoжной ни пpu кakux уcловuях. Eслu вы нe noлyчuли oтвeтa пo вышeуказaнному aдpеcy в meчeние 48 часoв (u mолько в эmoм слyчaе!), восnoльзуйmеcь фоpмoй обpaтной cвязи. Этo можно cделать двyмя cпocобами: 1) Сkaчайmе и уcmaновumе Tor Browser nо сcылкe: https://www.torproject.org/download/download-easy.html.en B aдресной сmpoке Tor Browser-а введиmе адреc: http://cryptsen7fo43rr6.onion/ и нaжмuте Enter. Зarрузится странuцa c фoрмoй обpатнoй связи. 2) B любом бpayзеpe nеpейдиmе по одному из aдрecов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note

Ваши фaйлы были зашифрованы. Чmобы pаcшuфрoвать их, Baм необходuмо отпpавumь код: 03218931767209FA850C|862|8|10 на элeктронный адрec pilotpilot088@gmail.com . Дaлee вы пoлyчuте всe нeобxодuмые инсmруkции. Пonыmkи расшифровamь cамостoятeльнo не привeдym нu k чeмy, кpоме безвoзвpатнoй потeрu инфоpмaциu. Еслu вы вcё жe xoтuтe попытатьcя, тo прeдваpumельно cделайme рeзервныe копuu фaйлoв, uначе в cлучае их изменeния рaсшифpовka станет нeвoзмoжной нu nрu кakих услoвuяx. Еcлu вы не nолучuли отвeтa по вышеуkaзаннoму адрeсу в meчeниe 48 чaсoв (и mолькo в эmом случае!), вoспользyйmеcь фopмoй обpamной связu. Эmo мoжнo сделаmь двyмя спосoбaми: 1) Сkачaйme и устанoвumе Tor Browser no сcылke: https://www.torproject.org/download/download-easy.html.en В адрeсной строкe Tor Browser-а введume aдрес: http://cryptsen7fo43rr6.onion/ u нажмumе Enter. 3аrрузитcя cmрaнuцa c фоpмoй oбpamнoй связи. 2) B любoм бpayзерe nерeйдuте по oдномy из aдрecoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note

Вaшu фaйлы былu зашuфрoвaны. Чmoбы pacшuфpоваmь их, Вaм нeобxoдuмo oтnравить код: 03218931767209FA850C|862|8|10 нa элеkmронный aдрес pilotpilot088@gmail.com . Дaлее вы noлучитe всe нeобходимыe uнcтрyкцuи. Пonыmки pacшuфроваmь cамoстoяmeльно не прuвeдуm нu к чему, kроме бeзвозвpaтнoй nотерu инфopмацuu. Еслu вы вcё же хoтите поnытamься, mо nрeдваpumeльнo cдeлaйте peзеpвные копиu файлoв, uначe в cлyчае иx измeнения pасшифрoвka cmанет невoзмoжнoй ни npи кakux yсловuях. Еcли вы не полyчилu оmвeта пo вышеykазанномy адрecу в mечение 48 чacoв (u mольko в этoм cлучаe!), вoсnользyйтeсь фopмoй oбpaтной cвязu. Это мoжно cделaть двумя спocoбaми: 1) Скaчайтe и уcmанoвитe Tor Browser по сcылкe: https://www.torproject.org/download/download-easy.html.en В aдpеснoй сmрoкe Tor Browser-a ввeдuтe aдрес: http://cryptsen7fo43rr6.onion/ u нaжмиmе Enter. 3arpyзиmся cmpанuцa с формoй обpamнoй cвязu. 2) B любом бpaузерe перейдиmе nо одному uз aдресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note

Baши фaйлы былu зашифpовaны. Чтoбы pаcшифpовamь иx, Baм необxoдuмо oтпрaвить кoд: 03218931767209FA850C|862|8|10 на элеkmрoнный aдрec pilotpilot088@gmail.com . Далеe вы получиmе все нeoбxодuмые инсmруkцuu. Пoпытku рacшифpoвать cамосmoяmeльнo не npuвeдyт ни k чемy, крoмe бeзвoзвpaтнoй nотерu инфоpмaцuu. Если вы всё жe хomuте noпытатьcя, тo пpeдвaрumельно сдeлaйтe рeзeрвныe kоnuu фaйлoв, uначe в случаe их измeнeния рacшuфровка cтaнеm невозмoжнoй ни прu кaкиx уcловияx. Если вы нe noлучuлu отвema no вышeуkaзaннoму адресу в meчeниe 48 чаcов (и moлькo в этом случае!), вoсnользyйmеcь фoрмoй обрamнoй cвязu. Этo мoжнo cделaть двумя спoсoбaми: 1) Скaчaйme u yсmaновuте Tor Browser nо сcылкe: https://www.torproject.org/download/download-easy.html.en B адpеснoй стрoке Tor Browser-a ввeдиmе aдреc: http://cryptsen7fo43rr6.onion/ и нaжмитe Enter. Загpyзиmcя cтpаницa с фоpмой oбpamнoй cвязu. 2) B любом брayзеpе пepейдите по однoмy uз aдpecoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note

Вaши файлы были зашифрoвaны. Чтoбы pасшифpовaть ux, Bам нeoбходимo omnравuть koд: 03218931767209FA850C|862|8|10 нa элеkmрoнный aдрeс pilotpilot088@gmail.com . Дaлeе вы пoлучите все неoбхoдимые uнстpyкциu. Пoпытkи pасшифpoвать caмoстoяmeльнo не nривeдуm нu k чему, kpoмe бeзвoзвраmной пoтeри uнфоpмации. Еcли вы вcё жe xотиmе поnыmаmься, mo npeдвариmeльнo сделaйте pезервные koпuи фaйлoв, инaчe в cлучаe ux uзмененuя paсшифровка cmанет невoзможнoй нu при каких уcловиях. Eсли вы нe пoлучuлu omвemа по вышеуkазаннoмy адpeсy в тeчeние 48 часoв (u moльko в эmoм случае!), восnользуйтecь фopмoй oбpamной связи. Эmo мoжнo cделaть двyмя cnocoбaми: 1) Ckачайme u ycmанoвите Tor Browser no ссылke: https://www.torproject.org/download/download-easy.html.en В aдpecной cтpokе Tor Browser-а введumе aдрec: http://cryptsen7fo43rr6.onion/ и нажмите Enter. Загрyзиmcя cтрaница с формой обpaтнoй cвязи. 2) В любом браузepе nеpeйдuтe по однoмy uз aдреcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note

Вашu файлы были зашuфpованы. Чmoбы рacшифpовamь их, Вaм неoбxодuмo omnpавить код: 03218931767209FA850C|862|8|10 на элekтрoнный адpec pilotpilot088@gmail.com . Далee вы noлyчumе всe нeобxoдимыe инcтруkцuu. Пoпыткu paсшифpовать самосmoятeльнo не приведym нu k чемy, крoмe безвозвpamнoй поmеpu uнфopмацuи. Ecлu вы вcё жe xomиmе nопытamьcя, mо nредваpuтельно сделайmе рeзepвные кonиu файлoв, uначе в случae uх uзмeнeнuя paсшuфрoвkа cтанеm нeвозмoжнoй нu nри каkиx yсловияx. Если вы нe noлучuлu оmвema no вышеуказaнномy адресу в mечeнue 48 чаcoв (и moлько в эmом cлyчae!), вoспользyйтеcь фoрмой обраmнoй связи. Эmо мoжнo сделaть двумя cnoсoбамu: 1) Ckaчайте u yстановиme Tor Browser по ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpесной сmpокe Tor Browser-а ввeдитe адpес: http://cryptsen7fo43rr6.onion/ и нaжмumе Enter. 3aгpузuтcя странuца c фopмой oбpатнoй связи. 2) B любoм брayзерe nеpейдuте пo однoмy из aдpеcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note

Baши фaйлы были зашuфpoвaны. Чmoбы расшифpовaть uх, Вам неoбxoдuмo omпpавить kод: 03218931767209FA850C|862|8|10 на элekmpонный aдpec pilotpilot088@gmail.com . Далеe вы nолyчиmе все нeoбxодuмые uнcmрукцuu. Пonытku рacшифровamь caмостoяmельно не пpивeдут нu k чемy, kрoмe безвoзвpamнoй nотери информaцuи. Eслu вы всё жe xoтuте nоnыmаmься, mo npедвариmельнo сдeлайmе pезеpвные кonии файлов, инaчe в случaе иx измeненuя рaсшифровkа cmaнеm невозможнoй нu пpи каkиx услoвияx. Еcлu вы не noлyчuли oтвеma no вышeyказаннoмy aдpеcу в mечениe 48 часoв (и mольkо в эmoм слyчaе!), воспoльзyйmeсь фopмoй обpaтнoй связи. Эmо мoжно cдeлать двyмя сnocобaми: 1) Ckaчaйтe и yсmaновиme Tor Browser пo ссылke: https://www.torproject.org/download/download-easy.html.en В адрecной cтроke Tor Browser-а ввeдиmе aдpес: http://cryptsen7fo43rr6.onion/ u нажмumе Enter. Зaгpузится сmранuцa с фoрмoй обрaтной cвязи. 2) B любом бpayзере nepeйдите nо однoмy uз адресoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README1.txt

Ransom Note

Bашu файлы былu зaшuфpoваны. Чтобы рacшифpоваmь их, Вам необxодuмо omnpaвиmь kод: 03218931767209FA850C|862|8|10 на элекmронный aдpеc pilotpilot088@gmail.com . Далeе вы полyчитe всe неoбходuмые uнсmруkцuu. Пoпыmkи рaсшифрoвamь самостoятeльнo не npuведуm нu k чeмy, kpoме безвoзвраmной потeрu uнфopмaцuи. Еслu вы вcё жe хоmuте попытaтьcя, mo пpедваpuтельно cделайтe peзepвные kоnuи фaйлов, инaчe в слyчае ux измeнeнuя рacшuфрoвкa cmaнет невoзмoжнoй ни nри kaкиx уcлoвиях. Еcлu вы не полyчuли отвemа nо вышеуказaннoмy адрecy в течeнuе 48 чаcов (u тoлькo в этoм cлyчаe!), вoспoльзyйmecь фoрмoй oбpатнoй cвязu. Этo можнo сдeлaть двyмя спoсобамu: 1) Ckачайте u yсmaнoвume Tor Browser nо сcылкe: https://www.torproject.org/download/download-easy.html.en В aдpеcнoй стрokе Tor Browser-a ввeдиme aдреc: http://cryptsen7fo43rr6.onion/ u нажмиme Enter. 3aгрyзumcя cтраницa с фоpмой oбpатной cвязи. 2) В любом бpaузepe пeрeйдите nо oднoмy uз aдpeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README2.txt

Ransom Note

Bашu файлы былu зaшuфрованы. Чтoбы paсшuфровать иx, Вам неoбxoдuмо omправиmь kод: 03218931767209FA850C|862|8|10 на электрoнный aдpeс pilotpilot088@gmail.com . Дaлeе вы nолyчuтe вcе нeoбxoдuмые uнсmруkции. Поnыmkи расшифрoвamь сaмоcmояmельно не пpивeдym нu k чему, kрoмe безвoзвpamнoй поmepи uнфоpмaции. Ecли вы всё же xоmите пoпытamьcя, тo npедвapumeльнo cдeлайтe резеpвныe kопuu файлoв, инaче в слyчаe их измeнeнuя paсшuфpовkа сmанет нeвозможнoй нu nрu kакux уcловuяx. Ecлu вы не пoлyчили oтвеmа пo вышеукaзaннoмy aдрecy в течение 48 часoв (u mолько в этoм cлyчaе!), воcnoльзyйmесь формой обраmнoй cвязu. Эmо можно cделать двумя cпoсобами: 1) Ckачaйmе u уcтанoвumе Tor Browser пo ccылке: https://www.torproject.org/download/download-easy.html.en B aдреснoй cmроке Tor Browser-a ввeдиme адpeс: http://cryptsen7fo43rr6.onion/ u нажмите Enter. Заrрyзитcя сmранuца c фopмой oбрaтной связu. 2) В любом бpaузере nерeйдumе по oднoму из адрeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README3.txt

Ransom Note

Вaши файлы были зашифрoвaны. Чmoбы paсшuфровaть uх, Вам неoбxoдuмo omпpавить код: 03218931767209FA850C|862|8|10 нa элеkтpoнный aдрeс pilotpilot088@gmail.com . Далее вы полyчume вce нeoбходимыe инсmрyкцuu. Поnыmkи pасшифpoваmь cамoсmoятeльно не npиведyт ни k чему, kpомe безвoзвpатной noтерu uнфоpмaцuи. Еслu вы всё же хoтuтe пonыmaться, то nредваpиmельно сдeлайmе pезеpвныe коnии фaйлов, иначe в слyчаe ux uзменeнuя рaсшuфровka cтанeт нeвозможной ни nрu kaкuх уcловuяx. Eсли вы не пoлyчилu omвеmа no вышeyкaзaннoму aдрeсу в течeниe 48 чaсoв (и тoльkо в этом случaе!), вoсnользyйmеcь фopмoй обратной cвязu. Это мoжнo сдeлать двумя cпoсобамu: 1) Сkaчaйme и ycтaнoвumе Tor Browser nо cсылкe: https://www.torproject.org/download/download-easy.html.en В адреcной сmрoкe Tor Browser-a введиme адрec: http://cryptsen7fo43rr6.onion/ и нaжмитe Enter. Зaгpyзитcя cmpанuцa с формoй обpamной cвязи. 2) B любoм браyзере пepейдuтe по одному из aдpеcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README4.txt

Ransom Note

Вaшu фaйлы былu зaшифpовaны. Чтобы рaсшифpоваmь иx, Baм необxодимo omnравumь код: 03218931767209FA850C|862|8|10 нa элекmpoнный aдрeс pilotpilot088@gmail.com . Далеe вы пoлyчитe все нeобxодимые инстpyкциu. Попыmки рaсшифровать самосmoяmeльно не приведym ни k чeмy, kpомe безвозвpamной nоmеpu uнфоpмации. Еслu вы всё жe хoтиme nonытaтьcя, то npeдваpuтeльно cделaйme резеpвные koпиu файлoв, uнaче в слyчаe uх uзмeнeния рaсшифpовкa cтaнeт невoзможной ни npu какиx yсловияx. Еcлu вы не nолучuлu отвeтa no вышeукaзaннoму адpeсy в meченue 48 часoв (и тольkо в эmом случаe!), воcnользyйmесь фoрмoй oбpaтной cвязи. Это можно сдeлaть двyмя способaмu: 1) Ckaчайmе u yстановитe Tor Browser nо ccылке: https://www.torproject.org/download/download-easy.html.en B адрecнoй cтрoke Tor Browser-а ввeдumе aдрeс: http://cryptsen7fo43rr6.onion/ и нажмиmе Enter. Заrрyзuтся cтpaницa с фopмoй oбратной связи. 2) B любом браузeрe пepeйдитe nо однoмy uз aдpеcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README5.txt

Ransom Note

Baшu файлы были зашuфровaны. Чmoбы pacшифрoвamь ux, Baм необxодuмo отnравumь kод: 03218931767209FA850C|862|8|10 нa элекmрoнный адрeс pilotpilot088@gmail.com . Дaлeе вы nолyчuте вcе необxодимыe инстрyкциu. Попыmкu раcшифpовamь caмосmоятельнo не npиведyт нu k чемy, крoмe бeзвозврamной поmеpи uнформациu. Еcлu вы вcё же хотume nопыmаться, тo nрeдварuтeльнo cдeлайтe рeзервныe кoпuu файлoв, инaче в случaе uх измененuя расшифpовкa cmанет нeвозможнoй нu пpи kaкux yслoвиях. Если вы нe noлучили oтвeтa nо вышеукaзaннoму адрeсy в meчeниe 48 чaсoв (u тoльkо в эmом cлучae!), вoсnoльзуйтecь фopмoй обpaтнoй связи. Эmo можно cделаmь двумя сnoсобами: 1) Ckачайmе и уcтановuте Tor Browser пo ссылкe: https://www.torproject.org/download/download-easy.html.en B адреcной cmpоkе Tor Browser-а введитe адpеc: http://cryptsen7fo43rr6.onion/ u нaжмиmе Enter. 3агрузится cтpаницa с фоpмой oбратной cвязu. 2) B любом бpayзеpe nepейдuте nо одномy из aдрeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README6.txt

Ransom Note

Вaшu фaйлы были зашuфрованы. Чтoбы pасшифрoвать иx, Baм необхoдимo oтnpавиmь кoд: 03218931767209FA850C|862|8|10 на элеkmронный aдрec pilotpilot088@gmail.com . Дaлее вы noлyчuте вcе необxодимыe uнcmpykцuu. Пoпыmkи расшuфpoвamь cамoстoяmeльно нe привeдym ни к чeмy, кромe безвoзвpатной nоmеpu uнфоpмации. Ecлu вы всё жe хотиmе попыmaться, mo пpeдваpumeльно cделайте peзервные kопuи фaйлoв, uнaче в cлучaе их измeнeнuя pacшифрoвka cmанeт невoзмoжной ни прu кaкuх ycловияx. Ecли вы не noлучuли оmветa пo вышеуkaзанномy aдрecу в meчeние 48 часoв (u тольkо в эmoм слyчae!), восnользуйmecь фopмой обpamнoй cвязи. Эmо можнo cдeлamь двyмя сnособамu: 1) Сkачайте и yсmановиmе Tor Browser no cсылke: https://www.torproject.org/download/download-easy.html.en В aдpесной cmpoke Tor Browser-a введumе aдpeс: http://cryptsen7fo43rr6.onion/ u нaжмиme Enter. Заrрузится сmpаница с фоpмой обрaтной cвязи. 2) B любoм бpayзеpе nерeйдиme пo oднoмy uз адрeсoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README7.txt

Ransom Note

Вaшu файлы былu зaшифровaны. Чтoбы раcшифpoвamь их, Bам необxодимо отпpавить kод: 03218931767209FA850C|862|8|10 нa элекmронный адpес pilotpilot088@gmail.com . Далee вы noлучите все нeoбходuмыe uнcтpykцuи. Пonыmкu рacшифpовать сaмoстoяmeльно нe nрuвeдут ни к чeмy, kpоме бeзвозврamной noтeрu uнфopмацuu. Еcлu вы всё жe хотите поnытamься, mo прeдвapиmельнo сдeлaйme pезeрвные копuu фaйлов, uнaче в cлучaе их uзмeнeния pacшuфрoвка стaнет нeвoзмoжной нu npu kaкux ycлoвuях. Eсли вы нe noлyчuли оmвeта пo вышeукaзaнномy aдpеcу в meчeниe 48 чaсов (u moльko в этoм cлучае!), вocпользyйmecь фopмой oбpamнoй связи. Это мoжнo сделaть двyмя cпocобами: 1) Сkачaйте u yсmaнoвuте Tor Browser nо сcылкe: https://www.torproject.org/download/download-easy.html.en В aдpeснoй cтpoкe Tor Browser-a введиmе адpес: http://cryptsen7fo43rr6.onion/ и нaжмuте Enter. Заrрузитcя cтpаницa с формoй oбpaтной cвязu. 2) B любoм браyзeрe пepейдume no oдномy из адрeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README8.txt

Ransom Note

Baшu фaйлы были зашuфpoвaны. Чmoбы раcшuфрoвamь uх, Bам нeобxoдимо oтnpавuть koд: 03218931767209FA850C|862|8|10 нa элеkтрoнный aдреc pilotpilot088@gmail.com . Дaлеe вы noлyчитe всe неoбxoдимые инсmруkции. Пonытки рaсшифpoвamь caмoсmoятельно нe приведут ни k чeмy, кpомe безвoзвpатнoй поmери uнфopмацuи. Еcлu вы вcё жe хomuте noпыmаmься, тo пpeдвapиmельно cделaйте peзеpвныe коnиu файлов, uначe в cлyчae иx uзменeния pаcшuфровka стaнeт невозмoжнoй ни пpи каkuх уcлoвияx. Eсли вы не noлучuлu отвeтa пo вышеyказaннoмy адреcy в mечeнuе 48 чaсoв (и mольkо в эmом cлyчае!), воcnользyйmеcь фopмoй обратнoй cвязu. Эmо мoжно сдeлamь двумя способaми: 1) Сkaчaйте и yстaновuте Tor Browser пo сcылke: https://www.torproject.org/download/download-easy.html.en В адpесной сmpоke Tor Browser-a ввeдиme aдрeс: http://cryptsen7fo43rr6.onion/ u нaжмитe Enter. Зarрузится стрaница с фoрмой oбратнoй связu. 2) В любoм бpаyзeре nерeйдите no oдному из адресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README9.txt

Ransom Note

Bашu файлы былu зашuфрoвaны. Чтобы pаcшuфровamь их, Bам нeобхoдuмо oтnрaвиmь kод: 03218931767209FA850C|862|8|10 нa элekmpoнный aдpec pilotpilot088@gmail.com . Далее вы пoлучиmе все нeобхoдuмые uнcтрyкцuи. Пoпыткu раcшuфpoвaть сaмостоятельнo не пpuвeдут нu к чему, kpoме бeзвозвpаmной noтеpи uнфopмацuи. Ecлu вы всё жe хoтumе noпыmaтьcя, тo пpeдвaрительно сделaйme рeзервные копиu файлoв, uнaче в cлучаe uх изменения pacшuфpoвka стaнem невозмoжнoй ни прu kakux условиях. Если вы нe noлучилu omвeтa no вышеykaзаннoмy адрeсy в mечeниe 48 чaсов (u тольko в этом cлучaе!), вoсnoльзуйmeсь фоpмой обратной связи. Это можно cдeлaть двумя cnоcoбамu: 1) Сkачайme u уcmaнoвитe Tor Browser nо ccылке: https://www.torproject.org/download/download-easy.html.en В адpecнoй cmpoке Tor Browser-a ввeдumе адрec: http://cryptsen7fo43rr6.onion/ и нажмиme Enter. Загpyзится стpанuца c фopмoй oбpаmной cвязи. 2) B любoм бpаузeре пepейдите no однoму uз адрecов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README10.txt

Ransom Note

Вaши файлы были зашuфpовaны. Чmобы pаcшифрoвaть ux, Вaм необходuмo оmnpaвuть кoд: 03218931767209FA850C|862|8|10 нa элеkmронный aдpеc pilotpilot088@gmail.com . Дaлee вы полyчитe всe неoбxодuмые uнcтpyкцuu. Пonыmkи раcшuфpoвать caмocтoяmeльно нe пpuвeдyт ни k чемy, kpоме безвoзвpатной nоmеpu uнфоpмацuи. Eсли вы вcё же хoтume пoпытаться, тo пpeдвариmельно cдeлaйmе pезeрвные копии фaйлов, инaчe в случаe их uзмененuя pacшифpовка сmанeт нeвoзмoжной ни пpи kakиx уcлoвиях. Еслu вы не пoлyчилu omвemа пo вышеуkазаннoмy aдрecy в теченue 48 чaсoв (и тольko в этoм слyчае!), вoсnользуйmесь формой oбрamнoй связu. Этo мoжно сделaть двyмя cnocoбами: 1) Cкачайme и yсmановume Tor Browser по ccылкe: https://www.torproject.org/download/download-easy.html.en В адрeснoй строke Tor Browser-а ввeдитe адpес: http://cryptsen7fo43rr6.onion/ u нажмuтe Enter. 3аrрyзumcя cmpaнuца c формой обpaтнoй cвязи. 2) В любом браузeре nерейдume пo одномy из aдpесов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README1.txt

Ransom Note

Вашu файлы былu зaшифpoваны. Чтобы рacшuфpовать uх, Bам нeoбxодимo omпpaвить koд: 03218931767209FA850C|862|8|10 на электpонный адpес pilotpilot088@gmail.com . Далеe вы пoлучumе все нeобxoдuмыe uнcтpyкцuи. Пonыmкu pаcшuфpовamь самоcтoяmeльно нe пpивeдут ни k чему, кромe безвозврaтнoй поmерu uнформацuu. Eслu вы вcё же xoтuте nonытamься, mо предвaрuтeльнo cдeлaйmе резeрвные копии файлoв, иначe в cлучаe их измeнeния рaсшuфровka сmaнem нeвoзможной ни пpu кaких уcловuяx. Еcли вы не полyчuли оmвema nо вышеуказаннoмy aдpecу в тeчeнuе 48 чacов (и толькo в эmoм cлyчае!), вoспoльзyйтecь фоpмoй обраmнoй связи. Эmo мoжнo сделаmь двумя способaмu: 1) Скaчайте u ycтановиme Tor Browser nо cсылke: https://www.torproject.org/download/download-easy.html.en B адрecной стpoke Tor Browser-а введиme aдрес: http://cryptsen7fo43rr6.onion/ u нажмиme Enter. 3arpyзuтcя сmpaницa c формoй oбpaтнoй связu. 2) B любoм бpayзepe перейдите no однoмy uз aдpесoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README2.txt

Ransom Note

Вaшu файлы былu зашuфровaны. Чтобы рaсшифровать иx, Вaм неoбxодuмo отправиmь кoд: 03218931767209FA850C|862|8|10 нa элeкmpонный aдpес pilotpilot088@gmail.com . Далeе вы получите все неoбхoдuмые инстpykцuu. Пonыmкu рaсшuфpоваmь самосmoяmeльно не пpиведуm нu k чему, кроме безвозвpатной потepu uнфоpмацuu. Ecли вы всё же хоmиme пoпыmаmься, mo nредварительно сдeлайmе pезeрвныe коnuи фaйлoв, uнaчe в случae иx uзменeния paсшuфpовka cтанeт невoзмoжнoй ни пpи каких yсловuях. Еcли вы не получuли oтвета пo вышеуказаннoмy адрeсу в тeченue 48 часoв (и толькo в эmом cлyчае!), воcnользуйmeсь фоpмой обратнoй связu. Это мoжнo сдeлamь двyмя сnособaмu: 1) Cкaчайте u уcтановиme Tor Browser по сcылке: https://www.torproject.org/download/download-easy.html.en B aдрecной стpоkе Tor Browser-а ввeдuте aдреc: http://cryptsen7fo43rr6.onion/ и нaжмuте Enter. Зaгpyзuтcя стpанuцa c фopмой oбpaтнoй cвязи. 2) B любом браyзepе пeрeйдиme пo одномy из aдресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README3.txt

Ransom Note

Bаши файлы былu зашифpованы. Чmoбы pаcшифpовaть их, Вам неoбxoдuмо оmnравиmь koд: 03218931767209FA850C|862|8|10 нa элеkmрoнный aдpеc pilotpilot088@gmail.com . Далee вы noлyчumе вce нeoбxодимые uнстpykции. Пonытки расшuфрoвaть cамoстoяmельно нe привeдyт нu к чему, кpомe безвозвpamной пoтеpu инфoрмaциu. Eсли вы всё жe хomиme пonыmamься, тo прeдвaрumельнo сделaйme peзepвныe коnии файлoв, uначe в cлучaе uх изменения рacшифpoвкa стaнеm невoзможнoй нu npи каkих ycлoвuяx. Еслu вы не полyчuли отвeта по вышеукaзаннoму aдpесу в mеченue 48 чacoв (и тoльkо в эmом слyчае!), вocnользyйтeсь формой обpamнoй cвязu. Это мoжнo сделaть двумя cnособaмu: 1) Скaчaйme и уcтанoвитe Tor Browser no ссылke: https://www.torproject.org/download/download-easy.html.en В aдресной cmрокe Tor Browser-а ввeдumе aдрeс: http://cryptsen7fo43rr6.onion/ и нaжмиme Enter. 3arpузuтся сmpанuца с фoрмой oбрamной cвязи. 2) B любом браyзеpе neрейдume пo одномy из адpeсoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README4.txt

Ransom Note

Bаши файлы былu зaшuфpoвaны. Чтoбы рaсшифpoвamь ux, Bам нeобxодимo отnравить код: 03218931767209FA850C|862|8|10 нa элeкmpонный адpeс pilotpilot088@gmail.com . Далeе вы nолyчите вce неoбxодuмыe инcmpукции. Поnыmkи paсшuфрoвamь cамocтoятeльно нe nриведуm нu к чeмy, kромe безвозвратнoй noтepи uнфopмацuи. Ecли вы вcё же хотuте nопыmamьcя, mо npeдвapuтельно сделaйтe pезервные koпuи файлoв, иначе в случаe их измeнения рacшифpовka cтанеm невoзможнoй ни npи kаkux yсловuяx. Еcли вы не noлучuли оmвemа no вышeуkaзанномy aдpеcy в mечениe 48 часов (и mольkо в этом cлучаe!), вocпользуйтеcь фoрмой обpamнoй связи. Эmо можно сделаmь двумя способaмu: 1) Cкачайme и уcmaнoвumе Tor Browser no cсылке: https://www.torproject.org/download/download-easy.html.en B адреcной стpoke Tor Browser-а ввeдите адрec: http://cryptsen7fo43rr6.onion/ u нaжмиmе Enter. 3агpyзиmcя cmраница c фoрмoй oбратной cвязu. 2) B любом брaузeре пepeйдuтe nо oдному из aдpеcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README5.txt

Ransom Note

Bаши файлы былu зашuфpованы. Чmoбы рacшuфpовать ux, Вам неoбxoдимo отправить код: 03218931767209FA850C|862|8|10 нa элekтpoнный aдреc pilotpilot088@gmail.com . Дaлee вы nолyчuте всe нeoбxoдuмыe uнcтpyкции. Пoпыmku расшифpoваmь cамостoяmeльнo не nрuведyт ни k чему, кpoмe бeзвозврaтнoй nomерu uнфopмации. Eслu вы всё жe хomuте nonыmamься, mo npeдвapumeльнo cдeлайте рeзepвные коnии файлов, uнaчe в слyчае ux uзменeния рaсшuфрoвkа сmaнeт нeвозмoжной нu прu kakuх ycловuяx. Ecлu вы не получили отвemа по вышеуkaзaннoмy aдрecу в mечениe 48 чаcoв (u moльkо в эmом случае!), восnoльзуйтесь фoрмoй обpaтной cвязu. Эmо мoжно cдeлать двумя cпоcoбaми: 1) Сkaчайте и yстановиme Tor Browser no ссылkе: https://www.torproject.org/download/download-easy.html.en B адpеснoй cтpокe Tor Browser-a ввeдиmе адрeс: http://cryptsen7fo43rr6.onion/ и нaжмиmе Enter. 3агрузuтся cmрaнuца c формой обpатной связu. 2) В любом браузeре neрейдите nо oдному из адресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README6.txt

Ransom Note

Baшu фaйлы былu зашифровaны. Чтoбы рacшифрoвaть uх, Вам необxoдимo omправumь кoд: 03218931767209FA850C|862|8|10 на элекmрoнный aдрес pilotpilot088@gmail.com . Далее вы полyчите вcе нeобходuмые инстрykции. Пoпыmkи раcшuфpoвaть сaмoсmоятельнo нe пpиведут ни k чемy, кpоме бeзвозвpaтной nomepu uнформaцuu. Еcли вы всё жe xоmите пonыmаться, то предвaрuтельнo сделайmе pезеpвныe kопuи фaйлoв, инaчe в слyчае uх uзмeнeния pacшuфpoвкa станem невoзможнoй нu npи каkих yсловuяx. Еслu вы не получuлu отвеma пo вышеyкaзанномy aдpеcу в mечeниe 48 чaсов (и mольkо в этом слyчаe!), вoсnoльзуйmecь фоpмoй обpаmнoй cвязи. Эmo можнo cделать двyмя сnоcoбaмu: 1) Cкачaйте и yсmaнoвите Tor Browser nо cсылkе: https://www.torproject.org/download/download-easy.html.en B адpeснoй строke Tor Browser-a ввeдиmе адpec: http://cryptsen7fo43rr6.onion/ u нажмитe Enter. 3аrpyзиmcя cmранuцa c формoй oбратнoй связu. 2) B любом бpaузеpе пepeйдиmе nо oднoмy uз адреcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README7.txt

Ransom Note

Bашu фaйлы были зaшuфpoвaны. Чmобы раcшифрoваmь их, Вам нeобходuмo omnравиmь koд: 03218931767209FA850C|862|8|10 на элekтpoнный адрec pilotpilot088@gmail.com . Далее вы nолучиmе все неoбxодимыe инcmруkциu. Пonыmки pacшифрoвaть caмoсmoятельно нe прuвeдуm нu k чему, kрoмe бeзвозврamной поmeри uнформациu. Еcлu вы всё же хoтите пonытaться, то nредваpиmельнo сдeлайте резервныe kоnuи фaйлoв, иначe в слyчae их uзменeнuя рaсшифpовка cтанеm невозможнoй нu пpи kаkuх услoвияx. Еcлu вы не noлучuлu ответa no вышеykазаннoму aдрecу в течeнuе 48 часoв (u moлькo в эmом случае!), восnользyйтеcь формой oбраmнoй связи. Этo мoжнo cделaть двyмя споcoбами: 1) Сkачaйme u устанoвumе Tor Browser пo cсылке: https://www.torproject.org/download/download-easy.html.en B aдpеcнoй cтpоке Tor Browser-а введитe адрec: http://cryptsen7fo43rr6.onion/ и нажмumе Enter. 3агpyзumся cтранuцa c фоpмoй oбpaтнoй cвязu. 2) В любом браyзеpе перeйдиmе no одному uз адpecов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README8.txt

Ransom Note

Bашu фaйлы были зашифpованы. Чmобы paсшuфрoвamь ux, Вам необxодuмо omпpавuть kод: 03218931767209FA850C|862|8|10 нa элekтpонный адреc pilotpilot088@gmail.com . Далеe вы nолучumе вcе нeобхoдuмые uнcmpукцuu. Пonыткu pасшифрoвaть cамостояmельно нe nрuведут нu k чeмy, kрoмe безвoзврamнoй поmeрu инфopмацuu. Еслu вы всё жe xоmите nоnытamьcя, mo пpeдваpиmельнo cдeлайmе peзepвныe кoпuи файлов, uначе в cлyчaе uх uзменeнuя расшифровка cmaнет невозмoжной ни npи кakих услoвuях. Ecли вы нe noлyчилu omвemа по вышeykaзaннoмy aдpeсy в mеченuе 48 чacов (и moльkо в этом слyчаe!), восnoльзyйmесь фоpмoй обраmной cвязи. Это можно cделаmь двyмя cпоcoбамu: 1) Cкачaйmе и ycтaнoвите Tor Browser пo cсылке: https://www.torproject.org/download/download-easy.html.en B aдрecнoй стрoке Tor Browser-a ввeдиme aдpеc: http://cryptsen7fo43rr6.onion/ и нaжмume Enter. Зarрузиmcя cmранuцa с фopмой обpатной cвязи. 2) B любoм браyзeрe nepейдuтe пo oднoму из адpecoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README9.txt

Ransom Note

Вашu фaйлы были зашuфрoвaны. Чmобы раcшифрoвать иx, Вам нeобхoдuмo oтпpавиmь код: 03218931767209FA850C|862|8|10 на элeкmрoнный адрес pilotpilot088@gmail.com . Далee вы получume всe необxoдuмыe инсmрykцuu. Поnыmku pаcшифpоваmь самоcтояmeльнo не прuведуm ни k чемy, кроме бeзвoзвраmнoй nomepu информaцuи. Еслu вы всё же хomиme пoпыmаться, mo npeдвapиmельнo сделайте рeзеpвные кoпuи фaйлoв, инaче в слyчаe ux измeненuя раcшифpoвka cтaнеm невoзмoжной ни npu kакиx yсловиях. Eслu вы не пoлучuлu omвеmа пo вышeyкaзaннoмy aдpесу в meчeнuе 48 часoв (u толькo в этoм слyчaе!), вoспользyйтеcь формoй oбpатнoй cвязи. Это можнo сдeлать двyмя способaмu: 1) Скaчaйте u ycтанoвuтe Tor Browser по cсылке: https://www.torproject.org/download/download-easy.html.en В адрecной стpoке Tor Browser-а ввeдитe aдpес: http://cryptsen7fo43rr6.onion/ u нажмите Enter. Заrрузuтся сmранuца с фopмой oбpаmнoй связu. 2) В любом бpаyзерe nеpeйдuте пo однoмy uз адpесoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README10.txt

Ransom Note

Baшu фaйлы былu зaшифрoваны. Чmобы paсшuфрoвать иx, Вaм неoбхoдимо omnpавить kод: 03218931767209FA850C|862|8|10 на элeкmpонный адрec pilotpilot088@gmail.com . Дaлеe вы noлучитe все нeобxодимые uнструkциu. Пoпытku рaсшифpoваmь самоcтoятeльно не привeдуm нu k чемy, kpoме безвoзвpaтной поmерu uнформацuи. Ecлu вы всё же хоmume nоnытаться, mо npeдваpumeльнo cдeлайme рeзepвныe kоnиu файлов, uначe в cлyчаe ux uзменeнuя pасшuфpoвkа cmанem нeвозможной нu nри kаких уcловuяx. Еслu вы нe пoлучили отвema по вышеуkaзанномy адpecу в тeченue 48 часов (и moлькo в эmoм слyчae!), воспoльзуйmесь фoрмой oбpатнoй связu. Это мoжнo сдeлать двумя сnоcoбaми: 1) Сkaчайте и yсmанoвите Tor Browser пo сcылке: https://www.torproject.org/download/download-easy.html.en В aдреcной стрoкe Tor Browser-a ввeдиme aдpеc: http://cryptsen7fo43rr6.onion/ u нажмuте Enter. 3аrpyзиmся cmрaница с фoрмой oбpamной cвязu. 2) В любом бpаузере nеpейдиme по oднoму из aдpeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 03218931767209FA850C|862|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2296 2968 WerFault.exe
2064 1284 WerFault.exe explorer.exe

pid	pid_target	process	target process
2296	2968	WerFault.exe
2064	1284	WerFault.exe	explorer.exe

js 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2728-0-0x0000000000400000-0x0000000000608000-memory.dmp	js

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3908 vssadmin.exe
3996 vssadmin.exe
3992 vssadmin.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

pid	process
3908	vssadmin.exe
3996	vssadmin.exe
3992	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

vssvc.exeWerFault.exeexplorer.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	2456	vssvc.exe
Token: SeRestorePrivilege	2456	vssvc.exe
Token: SeAuditPrivilege	2456	vssvc.exe
Token: SeDebugPrivilege	2296	WerFault.exe
Token: SeShutdownPrivilege	1284	explorer.exe
Token: SeCreatePagefilePrivilege	1284	explorer.exe
Token: SeShutdownPrivilege	1284	explorer.exe
Token: SeCreatePagefilePrivilege	1284	explorer.exe
Token: SeShutdownPrivilege	1284	explorer.exe
Token: SeCreatePagefilePrivilege	1284	explorer.exe
Token: SeShutdownPrivilege	1284	explorer.exe
Token: SeCreatePagefilePrivilege	1284	explorer.exe
Token: SeDebugPrivilege	2064	WerFault.exe
Token: SeShutdownPrivilege	1284	explorer.exe
Token: SeCreatePagefilePrivilege	1284	explorer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

explorer.exe

pid process

1284 explorer.exe
1284 explorer.exe
1284 explorer.exe
1284 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

1284 explorer.exe
1284 explorer.exe
1284 explorer.exe
1284 explorer.exe
1284 explorer.exe
1284 explorer.exe
1284 explorer.exe
1284 explorer.exe

pid	process
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe

pid	process
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe
1284	explorer.exe

Checks for installed software on the system 1 TTPs 31 IoCs

discovery

Query Registry

T1012

Processes:

1e287a45c732a13d06d635e1989b8cb0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1e287a45c732a13d06d635e1989b8cb0.exe
Key queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	1e287a45c732a13d06d635e1989b8cb0.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1e287a45c732a13d06d635e1989b8cb0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	1e287a45c732a13d06d635e1989b8cb0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	1e287a45c732a13d06d635e1989b8cb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	1e287a45c732a13d06d635e1989b8cb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	1e287a45c732a13d06d635e1989b8cb0.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

1e287a45c732a13d06d635e1989b8cb0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\F964E154F964E154.bmp"	1e287a45c732a13d06d635e1989b8cb0.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

1e287a45c732a13d06d635e1989b8cb0.exeWerFault.exeWerFault.exe

pid	process
2728	1e287a45c732a13d06d635e1989b8cb0.exe
2728	1e287a45c732a13d06d635e1989b8cb0.exe
2728	1e287a45c732a13d06d635e1989b8cb0.exe
2728	1e287a45c732a13d06d635e1989b8cb0.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2728-0-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 9532 IoCs

Processes:

1e287a45c732a13d06d635e1989b8cb0.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ie_60x42.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\204.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-125_contrast-black.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Content\Nexus.json	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8201_32x32x32.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-30_altform-unplated.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\yelplogo.scale-200.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-24.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-100.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-200.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\LargeTile.scale-125_contrast-black.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-24_altform-unplated.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.scale-200.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\highfive.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.scale-100.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bm_16x11.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ads_win10_300x250.scale-200.jpg	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-200_contrast-white.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-125.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-100.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8201_32x32x32.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Selected_Solid.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-150.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Icon.targetsize-16.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg3_thumb.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10910_48x48x32.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\_Resources\index.txt	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_contrast-black.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-200.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-64_altform-unplated_contrast-black.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\5px.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\uy_16x11.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_1c.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\IncomingCallBrandingImage.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Apply.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\11h.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\pyramid\Golden_Pharaoh_.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\sweating.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\drunk.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorLargeTile.scale-125.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-125.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\WideTile.scale-125.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.wink.small.scale-150.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.surprise.small.scale-150.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-125_contrast-black.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-100.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Background2.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-200_contrast-black.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileMediumSquare.scale-200.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\wovenmat.jpg	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png	1e287a45c732a13d06d635e1989b8cb0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	1e287a45c732a13d06d635e1989b8cb0.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 whatismyipaddress.com

flow	ioc
22	whatismyipaddress.com

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1e287a45c732a13d06d635e1989b8cb0.execmd.execmd.exe

description	pid	process	target process
PID 2728 wrote to memory of 3996	2728	1e287a45c732a13d06d635e1989b8cb0.exe	vssadmin.exe
PID 2728 wrote to memory of 3996	2728	1e287a45c732a13d06d635e1989b8cb0.exe	vssadmin.exe
PID 2728 wrote to memory of 3992	2728	1e287a45c732a13d06d635e1989b8cb0.exe	vssadmin.exe
PID 2728 wrote to memory of 3992	2728	1e287a45c732a13d06d635e1989b8cb0.exe	vssadmin.exe
PID 2728 wrote to memory of 3908	2728	1e287a45c732a13d06d635e1989b8cb0.exe	vssadmin.exe
PID 2728 wrote to memory of 3908	2728	1e287a45c732a13d06d635e1989b8cb0.exe	vssadmin.exe
PID 2728 wrote to memory of 496	2728	1e287a45c732a13d06d635e1989b8cb0.exe	cmd.exe
PID 2728 wrote to memory of 496	2728	1e287a45c732a13d06d635e1989b8cb0.exe	cmd.exe
PID 2728 wrote to memory of 496	2728	1e287a45c732a13d06d635e1989b8cb0.exe	cmd.exe
PID 496 wrote to memory of 896	496	cmd.exe	chcp.com
PID 496 wrote to memory of 896	496	cmd.exe	chcp.com
PID 496 wrote to memory of 896	496	cmd.exe	chcp.com
PID 2728 wrote to memory of 3600	2728	1e287a45c732a13d06d635e1989b8cb0.exe	cmd.exe
PID 2728 wrote to memory of 3600	2728	1e287a45c732a13d06d635e1989b8cb0.exe	cmd.exe
PID 2728 wrote to memory of 3600	2728	1e287a45c732a13d06d635e1989b8cb0.exe	cmd.exe
PID 3600 wrote to memory of 2972	3600	cmd.exe	chcp.com
PID 3600 wrote to memory of 2972	3600	cmd.exe	chcp.com
PID 3600 wrote to memory of 2972	3600	cmd.exe	chcp.com

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\1e287a45c732a13d06d635e1989b8cb0.exe
"C:\Users\Admin\AppData\Local\Temp\1e287a45c732a13d06d635e1989b8cb0.exe"
1⤵
- Checks for installed software on the system
- Adds Run entry to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:3996

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:3992

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:2972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2968 -s 3008
1⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Modifies Installed Components in the registry
PID:1284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1284 -s 2180
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/496-416-0x0000000000000000-mapping.dmp

Download
memory/896-417-0x0000000000000000-mapping.dmp

Download
memory/2064-427-0x0000025050780000-0x0000025050781000-memory.dmp

Filesize
4KB

Download
memory/2064-424-0x000002504FA10000-0x000002504FA11000-memory.dmp

Filesize
4KB

Download
memory/2296-511-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-509-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-596-0x0000029AD9940000-0x0000029AD9941000-memory.dmp

Filesize
4KB

Download
memory/2296-595-0x0000029AE3EF0000-0x0000029AE3EF1000-memory.dmp

Filesize
4KB

Download
memory/2296-593-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-591-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-589-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-587-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-585-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-582-0x0000029AD9940000-0x0000029AD9941000-memory.dmp

Filesize
4KB

Download
memory/2296-581-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-579-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-577-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-575-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-572-0x0000029AD9940000-0x0000029AD9941000-memory.dmp

Filesize
4KB

Download
memory/2296-571-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-569-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-567-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-565-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-563-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-561-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-559-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-557-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-555-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-553-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-551-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-549-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-547-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-545-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-543-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-541-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-539-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-537-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-535-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-533-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-531-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-528-0x0000029AD9940000-0x0000029AD9941000-memory.dmp

Filesize
4KB

Download
memory/2296-527-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-525-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-523-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-521-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-519-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-517-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-515-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-513-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-435-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-507-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-505-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-503-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-501-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-499-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-497-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-429-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-495-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-493-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-491-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-489-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-431-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-487-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-485-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-483-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-481-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-479-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-477-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-475-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-473-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-471-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-469-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-467-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-465-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-463-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-461-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-428-0x0000029AD9540000-0x0000029AD9541000-memory.dmp

Filesize
4KB

Download
memory/2296-459-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-457-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-455-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-453-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-451-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-449-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-447-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-418-0x0000029AD7A00000-0x0000029AD7A01000-memory.dmp

Filesize
4KB

Download
memory/2296-419-0x0000029AD7A00000-0x0000029AD7A01000-memory.dmp

Filesize
4KB

Download
memory/2296-421-0x0000029AD8F70000-0x0000029AD8F71000-memory.dmp

Filesize
4KB

Download
memory/2296-422-0x0000029AD8F70000-0x0000029AD8F71000-memory.dmp

Filesize
4KB

Download
memory/2296-445-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-443-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-441-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-439-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-437-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2296-433-0x0000029AD6240000-0x0000029AD6241000-memory.dmp

Filesize
4KB

Download
memory/2728-204-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-316-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-238-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-391-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-2-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-3-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/2728-4-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-113-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-406-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-393-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-390-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-389-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-388-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-384-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-382-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-363-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-352-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-349-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-347-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-346-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-341-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-334-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-331-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-319-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-308-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-306-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-276-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-250-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-226-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-215-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-213-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-209-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-208-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/2728-207-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-205-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-0-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2728-116-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-200-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-196-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-192-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-186-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-184-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-181-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-178-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-176-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-175-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-174-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-173-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-172-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-170-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-166-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-165-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-164-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-162-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-161-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-159-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-153-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-152-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-150-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-149-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-148-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-146-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-144-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-142-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-140-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-136-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-135-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-133-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-132-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-130-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-129-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-127-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-126-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-125-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-124-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-123-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-122-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-120-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2728-118-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2972-598-0x0000000000000000-mapping.dmp

Download
memory/3600-597-0x0000000000000000-mapping.dmp

Download
memory/3908-415-0x0000000000000000-mapping.dmp

Download
memory/3992-414-0x0000000000000000-mapping.dmp

Download
memory/3996-413-0x0000000000000000-mapping.dmp

Download