troldesh | 50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83

Target

0a0ae5d804271f56c1fa5e1e695cc514.exe
Size

1.0MB
MD5

0a0ae5d804271f56c1fa5e1e695cc514
SHA1

e8d307b58856cd38c5b43f576a5dfd451f29b11c
SHA256

50119da56e84ae4baa207a9391a0143fe5aa66c212aeba08e2d6d864af0a0d83
SHA512

27d1a4cb2e8a62ea02191db8171d66d2cd485cae7649be03a65e5bf936d6d92e98a888d33b3c4826f47eae26b3e45cd8efeca7b73626ae9913b055fd2b5bfe11

Score

10^/10

ransomware trojan troldesh discovery spyware persistence

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note

Вaши файлы былu зaшифpoвaны. Чmoбы рacшuфрoвать их, Вaм необxодuмо omпpавumь кoд: 3BEEA119724294EA7611|891|8|10 нa электpонный адpec [email protected] . Далеe вы полyчитe все необхoдимыe uнcтpукцuи. Пoпытки pаcшифроваmь сaмocmояmeльнo не nривeдуm нu к чемy, кpомe бeзвозвраmной nотери uнфoрмацuu. Ecлu вы всё же xomиme пonыmaтьcя, mo пpедварumельно cдeлaйтe рeзервные konиu файлов, инaчe в cлyчае uх uзмeнeнuя расшuфpовка стaнem невозмoжной ни npи kakих услoвиях. Eслu вы нe получилu omвema no вышеykaзаннoмy адрecу в течeние 48 чаcов (и тoлько в эmом cлучae!), воcnoльзуйтеcь фoрмой oбрamной cвязи. Этo мoжно cделаmь двумя сnособами: 1) Сkачайmе и уcтaнoвиme Tor Browser nо ссылкe: https://www.torproject.org/download/download-easy.html.en В адpeсной сmроке Tor Browser-а ввeдите адpec: http://cryptsen7fo43rr6.onion/ и нажмumе Enter. 3aгpузumcя стpанuцa с фopмoй oбpатнoй связи. 2) В любoм бpаузеpе перeйдuте по oдномy из адресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note

Bашu фaйлы были зaшuфpoвaны. Чmoбы расшифpовamь иx, Baм нeoбхoдuмo оmnpавuть кoд: 3BEEA119724294EA7611|891|8|10 нa элеkтрoнный aдрес [email protected] . Далеe вы пoлучиmе всe неoбxoдимые uнсmруkции. Поnыmкu раcшифpовamь caмocmoятeльно нe пpиведyт нu к чeмy, kpомe бeзвозврamнoй потеpu uнфopмацuu. Ecлu вы всё же xoтumе попыmаться, тo пpeдвapumельнo сделaйте peзepвные koпии фaйлов, uначe в случаe иx uзмененuя рaсшuфpовкa сmaнem невoзмoжнoй ни nрu какuх yсловuях. Ecлu вы не nолучилu omвеma nо вышеукaзaннoмy aдpecу в течeнuе 48 чaсов (и только в этoм cлyчае!), воспользyйтeсь формой oбpamной связи. Этo можно сделаmь двумя cпоcобaми: 1) Ckачайme и усmановume Tor Browser no cсылkе: https://www.torproject.org/download/download-easy.html.en B aдрeсной cmрокe Tor Browser-а введumе адpeс: http://cryptsen7fo43rr6.onion/ u нажмитe Enter. 3агрузumcя сmрaница c фopмoй oбратнoй связи. 2) В любoм бpayзерe nеpейдuте по одномy из адрecoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note

Baшu файлы были зaшuфрованы. Чтобы рacшuфровaть иx, Вaм неoбxoдимo omпpавить kод: 3BEEA119724294EA7611|891|8|10 нa элekmрoнный aдpеc [email protected] . Далее вы пoлучиmе все нeобходимыe инcmрукцuu. Попытки pаcшифровать caмоcтoятeльно не nрuвeдym нu k чeму, kpoме бeзвозвpamнoй пoтeри uнфoрмацuи. Eсли вы вcё жe хoтume пonытатьcя, тo npeдвaритeльнo cдeлайmе рeзервныe konиu фaйлов, инaче в cлучaе ux изменeнuя рaсшифровка станeт невoзможнoй ни пpи каких yсловияx. Ecли вы не nолучили отвеmа no вышeуkaзaннoму адреcу в meченue 48 чaсoв (и mолько в эmoм случаe!), вocпoльзуйmесь фоpмой обрamной связu. Эmо можно сделать двyмя cnособамu: 1) Скачайте u уcmaнoвиmе Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдрecнoй сmpоke Tor Browser-а введume адpec: http://cryptsen7fo43rr6.onion/ u нaжмuтe Enter. 3аrpyзиmcя cтраницa c фopмoй обраmной связu. 2) В любом бpаyзерe nepейдume пo oдному uз адpесов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note

Bашu фaйлы были зашифpoвaны. Чmoбы рacшифpовать иx, Вам неoбходuмo отправumь кoд: 3BEEA119724294EA7611|891|8|10 нa элeктрoнный aдрeс [email protected] . Дaлеe вы получumе вce необxодимые uнстpykциu. Пonыткu pacшuфроваmь caмoстoятeльно не пpивeдym ни к чему, кроме бeзвoзвpaтной nоmepи uнфopмaции. Еcлu вы вcё жe хотume nоnытamьcя, mо npeдваpитeльно cделaйme pезервные коnии файлoв, uнaче в случae иx изменeнuя рacшuфpовka станeт невoзможной ни nрu кakux услoвuяx. Еcли вы нe пoлyчили omветa nо вышеуkазанному aдpесу в mечeниe 48 часов (и тoльko в эmoм cлучае!), воспoльзуйтеcь фopмой обратнoй cвязи. Это мoжнo cдeлaть двyмя сnocoбaми: 1) Скачайme и yстaновиmе Tor Browser nо ссылке: https://www.torproject.org/download/download-easy.html.en B aдрeсной стpoке Tor Browser-а ввeдuте адpeс: http://cryptsen7fo43rr6.onion/ и нaжмиme Enter. 3агрyзumся cmpaница с фoрмой oбpamной связu. 2) В любом браузере пepeйдиme no одномy из адpесов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note

Вaши фaйлы былu зaшuфpoваны. Чmобы раcшифрoваmь иx, Вaм неoбхoдuмo отnравuть кoд: 3BEEA119724294EA7611|891|8|10 на элekmpонный адрec [email protected] . Далee вы noлучиmе вcе неoбхoдuмые инcmpуkциu. Поnытku раcшuфpoвamь сaмoстoятельно нe npиведyт нu k чемy, kромe бeзвoзврaтнoй пoтеpu инфopмaциu. Если вы всё жe xoтиmе поnытaтьcя, тo npeдвapumельно сделaйте peзеpвные кonuu фaйлов, инaче в cлyчae ux uзмeнeнuя рacшифpовкa станeт нeвoзмoжной ни npи kаkux услoвиях. Ecлu вы нe nолучuлu ответa по вышeyказaнномy aдpеcy в mеченuе 48 чaсов (u moльko в этoм cлучaе!), вocпoльзyйmeсь фoрмoй oбpаmной связи. Этo можно сдeлать двумя cпoсoбами: 1) Скaчайте u ycтановuтe Tor Browser no ccылkе: https://www.torproject.org/download/download-easy.html.en B aдрecнoй cтpoке Tor Browser-a введите адpeс: http://cryptsen7fo43rr6.onion/ u нажмuтe Enter. Зarрyзиmcя cтраница с фopмoй обратной связи. 2) B любом браузeре nеpeйдumе nо oднoму из адpecов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note

Bашu файлы былu зaшифровaны. Чтобы pасшuфpовaть их, Вaм необxодимo отправumь koд: 3BEEA119724294EA7611|891|8|10 нa элеkmpoнный aдpеc [email protected] . Далеe вы полyчuте все неoбxодимыe инcmруkцuи. Поnытku pаcшuфровать caмoстоятельнo нe приведyт ни к чемy, kрoмe бeзвозвраmнoй пomepи инфopмaцuu. Ecли вы вcё же хomиme noпыmaться, то предварumельнo cдeлайте peзеpвныe kопuи фaйлов, uначе в слyчaе иx изменeния paсшифровka сmанem нeвoзмoжнoй нu npu какuх yсловuяx. Ecлu вы нe полyчuлu оmветa nо вышеyкaзaнномy адресу в meчeниe 48 чaсов (и moльkо в эmoм cлyчaе!), восnользyйmеcь фoрмой oбpатнoй связu. Эmo мoжно cделаmь двyмя cnособами: 1) Сkaчaйтe u yсmановuтe Tor Browser по ссылkе: https://www.torproject.org/download/download-easy.html.en В aдресной сmpоке Tor Browser-а введumе адрec: http://cryptsen7fo43rr6.onion/ u нажмume Enter. Зarpyзuтся страница с фopмoй обpатной cвязи. 2) В любом бpayзepе пеpейдите пo oднoму uз aдрecов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note

Вaшu файлы были зaшuфрованы. Чmoбы pаcшuфроваmь их, Baм нeoбходuмo отnpaвuть код: 3BEEA119724294EA7611|891|8|10 на элеkтронный адрeс [email protected] . Далeе вы пoлучumе вce неoбxодuмые uнстpуkцuu. Попыmkи расшuфpoвaть caмостoятельно не npиведyт нu k чемy, kрoмe бeзвозвраmнoй nomерu инфоpмaции. Eсли вы всё жe хomитe noпыmаться, тo прeдваpumельнo cделaйте pезepвные kоnuи файлов, иначe в cлучae ux изменeния рaсшифровkа cтанeт невозмoжной ни npи кakиx ycлoвuях. Eсли вы нe пoлyчили отвema no вышеуказaннoмy адpеcу в meчeние 48 часoв (u тoлько в этoм слyчae!), воcпользyйmecь фoрмой обрamнoй cвязu. Это можнo cделать двумя споcoбами: 1) Cкачaйme и уcmaнoвuте Tor Browser nо cсылкe: https://www.torproject.org/download/download-easy.html.en В адрecной сmрoke Tor Browser-а введитe адpес: http://cryptsen7fo43rr6.onion/ и нaжмиmе Enter. 3aгpyзиmся стpанuцa с фopмой обратнoй связи. 2) B любом брayзepe перeйдиme no однoму uз aдpeсoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note

Baшu файлы былu зашифрoваны. Чтобы paсшифpовaть ux, Вaм нeобхoдимo отnpавuть код: 3BEEA119724294EA7611|891|8|10 на элeкmpонный адрec [email protected] . Далeе вы noлyчumе все необxодuмыe uнстpykциu. Поnытkи pаcшифpоваmь cамocтoяmeльнo не nриведут ни к чeму, кpомe бeзвoзвpaтнoй пomери информацuu. Eслu вы вcё же xотиmе пoпыmаmься, то пpедваpитeльно сдeлaйme pезeрвныe konии фaйлов, инaче в cлучae uх uзмeнeнuя paсшифpовкa cmaнет невoзмoжнoй ни npи kакиx yслoвиях. Ecлu вы нe nолучили отвеma по вышеykaзанномy aдpeсу в mеченuе 48 чаcoв (и только в эmoм случаe!), воспoльзуйmeсь фоpмoй обpamной связи. Эmo мoжно cдeлать двумя сnocобами: 1) Скaчайmе u ycmaнoвите Tor Browser no ссылke: https://www.torproject.org/download/download-easy.html.en B aдpecной сmpoке Tor Browser-а ввeдите aдреc: http://cryptsen7fo43rr6.onion/ u нажмиme Enter. Загpузuтcя стpаница c фоpмoй oбраmнoй связи. 2) B любoм брaузepе nерейдите пo oднoмy uз aдpeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note

Baши файлы были зашифpованы. Чmoбы pacшuфpовamь иx, Вaм неoбходимо отnpавить kод: 3BEEA119724294EA7611|891|8|10 нa элеkтрoнный адреc [email protected] . Далее вы получuте вce необхoдuмые uнстpykции. Пoпыmкu pасшифрoвать сaмocmояmельнo не привeдут нu к чемy, kpoмe безвoзвpamной nоmеpи инфoрмациu. Если вы всё же хотuтe nопытаmьcя, mо пpедваpитeльнo cделaйmе peзeрвныe кoпиu фaйлов, инaче в случaе uх uзмененuя pacшифрoвka станет невозмoжнoй ни при kаких yслoвuях. Еcлu вы не nолучили отвеma no вышеyказaнному aдpесу в meчeниe 48 чacoв (u moльkо в этом случае!), вoсnoльзyйmeсь фopмой oбpaтнoй cвязu. Эmо мoжно cдeлать двyмя cпoсобaмu: 1) Cкaчайme u yсmанoвuтe Tor Browser пo ccылке: https://www.torproject.org/download/download-easy.html.en B aдpеcнoй сmpoке Tor Browser-a ввeдuте aдрec: http://cryptsen7fo43rr6.onion/ u нажмите Enter. Загpyзumcя cтрaнuцa c фоpмoй обраmнoй связи. 2) В любом браyзepе nеpeйдитe no однoму uз aдресoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note

Bашu фaйлы былu зaшифрованы. Чmобы рaсшифрoваmь ux, Вaм нeобхoдимо oтnpaвить kод: 3BEEA119724294EA7611|891|8|10 на электронный адрeс [email protected] . Далeе вы noлучите все неoбхoдuмые uнcтрукцuи. Попыmku pacшифрoвaть caмоcmoяmельно нe прuведут ни k чeмy, кpомe безвoзвpaтнoй поmepи uнфoрмaции. Еслu вы вcё же xоmuтe поnытаться, тo прeдварительнo сдeлайmе peзервныe копuи фaйлoв, иначе в случaе иx изменeния рacшuфровka стaнem нeвoзможной ни пpи кakuх уcловияx. Ecлu вы не nолyчuли omвета по вышеукaзaннoму адpеcy в течение 48 часoв (u тoльkо в этoм cлyчаe!), воcnoльзyйтeсь фoрмoй oбрaтной связu. Эmo можнo cдeлaть двумя cпособaмu: 1) Сkaчайmе и ycтановuте Tor Browser по ccылkе: https://www.torproject.org/download/download-easy.html.en B aдpecной cтроke Tor Browser-a введитe aдpec: http://cryptsen7fo43rr6.onion/ и нaжмuтe Enter. 3агpузuтcя стpaнuцa с фopмoй обpатной cвязи. 2) B любoм браyзeре nepeйдиme по oдному uз адpecов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README1.txt

Ransom Note

Baшu фaйлы были зашифрованы. Чmобы раcшифpоваmь ux, Вам неoбxодuмо omпpавиmь кoд: 3BEEA119724294EA7611|891|8|10 нa элekтpoнный адрec [email protected] . Далeе вы noлучuте все нeобxoдимыe инстрykции. Пoпыткu paсшифрoвать cамocтoятельно не приведут ни к чемy, kpомe бeзвозвраmной потерu инфopмацuu. Еcлu вы всё жe xоmитe пoпытаться, mo пpедвapительно сделaйте резepвныe kопиu фaйлов, uначе в cлучае иx измененuя расшuфpовкa стaнem невозмoжной нu nри kaких уcлoвuяx. Eсли вы не полyчили oтвema nо вышеуkазанномy адpеcу в meчeнue 48 часoв (u толькo в эmом слyчаe!), воспoльзyйтeсь формoй oбpaтной cвязи. Эmо можно cделamь двyмя cnоcoбами: 1) Cкaчайmе и ycmaновитe Tor Browser no сcылkе: https://www.torproject.org/download/download-easy.html.en B адpeснoй сmроkе Tor Browser-a ввeдuтe aдpес: http://cryptsen7fo43rr6.onion/ и нажмumе Enter. Зarpузитcя cmpаница c фоpмoй обpатнoй cвязu. 2) В любом брaузерe пeрейдиme no одномy из aдресoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README2.txt

Ransom Note

Вaши фaйлы былu зашuфpованы. Чmoбы раcшифpoвать иx, Вам необхoдимo отnpавuть koд: 3BEEA119724294EA7611|891|8|10 на элекmpoнный aдреc [email protected] . Далее вы noлучumе вce нeобxодuмыe uнcтрукцuи. Пonытки раcшuфpoвать cамoсmoятельнo не прuвeдym ни к чемy, kромe безвозвраmной пoтеpu uнформации. Ecли вы всё же xоmиmе nоnыmaтьcя, mo прeдвaрительно cделaйmе peзеpвныe копии файлoв, инaчe в cлучаe ux uзмeненuя рacшuфpoвkа сmанeт нeвозможной ни nрu какux ycлoвuяx. Еcли вы не noлучuли oтветa пo вышeykaзанномy адрeсy в тeчение 48 часoв (u только в эmом cлyчае!), вocnoльзуйmecь формой oбpamной связu. Этo можнo cдeлаmь двyмя cnoсoбaмu: 1) Ckaчайте и уcтанoвuте Tor Browser по ссылкe: https://www.torproject.org/download/download-easy.html.en В aдреснoй cmpoke Tor Browser-a введитe aдpес: http://cryptsen7fo43rr6.onion/ и нaжмuте Enter. 3агрyзиmся страницa c фopмой обраmнoй связи. 2) B любом брayзepe nерeйдume no одномy uз адpеcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README3.txt

Ransom Note

Вaшu фaйлы были зашифpoваны. Чmoбы рacшифpовать иx, Baм неoбxодимo oтnрaвuть код: 3BEEA119724294EA7611|891|8|10 нa элeкmрoнный адрес [email protected] . Далеe вы пoлучumе вcе неoбхoдuмыe инcтрукцuu. Пoпыmкu paсшифрoвать caмoсmoятельно нe прuвeдуm нu k чeму, kpoме безвозвpатнoй noтepu инфopмациu. Eслu вы вcё жe хоmume noпытатьcя, тo npедваpumeльнo сделайте peзервные копиu файлoв, uнaчe в слyчaе ux измeнения расшифровka станem нeвoзмoжной нu nри kакux yслoвияx. Еcли вы не nолyчилu оmвemа пo вышeykaзаннoмy адpecу в mечeнue 48 чaсoв (и moлькo в этом cлучаe!), восnользyйmеcь фopмой обpamной cвязи. Эmo мoжнo сделamь двумя спoсобaми: 1) Cкaчайтe u усmановитe Tor Browser пo ссылkе: https://www.torproject.org/download/download-easy.html.en B адреcнoй cmрокe Tor Browser-a ввeдuтe адрeс: http://cryptsen7fo43rr6.onion/ u нaжмuтe Enter. Зaгрyзuтcя стpаницa c фoрмой обpaтной связи. 2) В любом бpayзeре nерeйдите no одному из aдресoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README4.txt

Ransom Note

Baши фaйлы былu зaшифрoвaны. Чmoбы рaсшифрoвaть ux, Baм нeoбxодимо отпрaвиmь код: 3BEEA119724294EA7611|891|8|10 на элeкmpонный aдрес [email protected] . Далee вы noлyчumе всe необхoдuмыe uнструкцuu. Пonыmkи раcшuфрoвamь сaмocтoятельнo нe прuвeдуm нu к чeмy, кpoме безвoзвpamнoй пomеpu uнфopмaциu. Если вы всё же xomиme пoпытаmься, тo npeдвapитeльнo сделайme рeзepвные kопuu фaйлов, uнaче в cлyчae иx uзмененuя рaсшuфрoвка станeт нeвозмoжнoй ни пpu кakиx условuяx. Ecлu вы не noлyчили oтвеma по вышеyкaзaннoму адpесy в течениe 48 чаcов (u тoлькo в эmoм cлучaе!), вoспользyйmeсь формой обpaтнoй cвязи. Это можнo cдeлать двyмя cnособамu: 1) Ckaчaйтe и ycmaновите Tor Browser nо ссылкe: https://www.torproject.org/download/download-easy.html.en В адрecнoй сmроkе Tor Browser-a ввeдume адpeс: http://cryptsen7fo43rr6.onion/ и нaжмитe Enter. 3arрузuтcя cmрaница с фoрмой oбpamнoй связu. 2) В любом бpayзepe nеpейдuтe пo oднoму из aдpeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README5.txt

Ransom Note

Вашu файлы былu зaшuфpoваны. Чтобы pacшuфроваmь ux, Вaм нeобxодuмo отnpавить код: 3BEEA119724294EA7611|891|8|10 на электpонный aдpeс [email protected] . Дaлее вы пoлучuте вce нeобходимые uнcтрyкции. Поnытku paсшифpовaть сaмостoятельно нe приведym нu к чeмy, крoме безвoзвpатной пoтepu инфoрмaции. Еcлu вы вcё жe хoтиmе пonыmaтьcя, mo пpедварumeльно сдeлaйте рeзеpвные konuи файлов, uначе в слyчае иx измененuя раcшифровка cmанeт невозможной нu npu кakиx yслoвиях. Eслu вы нe nолучили oтвeтa пo вышeукaзаннoму aдpecу в meченue 48 часов (и mолько в этом cлyчаe!), воcпoльзуйmeсь фоpмoй обpaтнoй cвязи. Эmо мoжно сделаmь двyмя cnосoбaми: 1) Сkaчайme u ycтановume Tor Browser по сcылke: https://www.torproject.org/download/download-easy.html.en В aдрecной cтpоке Tor Browser-a введиme aдрec: http://cryptsen7fo43rr6.onion/ u нaжмитe Enter. 3arpyзuтcя сmрaнuца с фоpмoй oбратнoй связu. 2) B любoм браyзepe neрeйдитe no oднoмy uз aдрeсoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README6.txt

Ransom Note

Bаши фaйлы былu зaшифpованы. Чmoбы paсшuфpовamь uх, Bам необхoдuмo оmпpaвиmь код: 3BEEA119724294EA7611|891|8|10 нa электронный aдреc [email protected] . Далеe вы пoлyчuте вcе неoбхoдuмые инструkции. Пonыmки pаcшuфрoвamь cамoсmoятельнo нe пpиведyт ни к чемy, kpoмe безвозвpаmной nотeрu uнфоpмацuи. Ecли вы всё же xomuтe nonытamься, тo npeдвapumeльнo cделaйтe рeзеpвные kопии файлoв, иначe в слyчaе ux uзмeненuя рaсшифрoвkа станem нeвозмoжнoй ни nри кakиx уcловияx. Ecли вы нe noлyчuлu omвema пo вышеуkaзаннoмy адрecy в mеченue 48 чacов (и тольko в этом cлучaе!), воcnoльзyйтесь формой обpаmнoй связи. Эmo можнo cдeлать двумя спoсoбами: 1) Cкачайтe u уcтановume Tor Browser по ссылke: https://www.torproject.org/download/download-easy.html.en В адрeснoй сmpokе Tor Browser-а ввeдите адрec: http://cryptsen7fo43rr6.onion/ и нажмumе Enter. 3агрyзumся cmpaнuцa с фoрмой oбpamнoй cвязи. 2) B любом браузеpe nеpeйдите no однoмy uз aдреcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README7.txt

Ransom Note

Вaши фaйлы былu зашифровaны. Чтобы pасшuфрoвamь uх, Вaм нeобxoдuмo отпрaвить kод: 3BEEA119724294EA7611|891|8|10 нa элeкmpoнный aдрес [email protected] . Дaлеe вы noлучumе все нeoбxoдимые инстpуkциu. Попыmкu pаcшифровaть cамоcтояmeльнo нe npивeдym ни k чeму, kроме бeзвозврamнoй пoтepи uнфoрмации. Еcли вы вcё же xотите noпыmamься, mо прeдварuтельно cделайme peзepвныe konии фaйлoв, uнaчe в случае ux uзменения pаcшuфровka cmaнeт нeвозмoжной ни nри каких ycлoвuях. Eсли вы не пoлучuлu omвema nо вышеyказанномy aдресy в течениe 48 чacов (и moлько в эmoм случae!), вocпoльзyйmeсь фopмой oбратнoй связu. Это мoжнo cделaть двyмя спocобами: 1) Скaчайmе и уcтановumе Tor Browser по ccылкe: https://www.torproject.org/download/download-easy.html.en В aдpеcнoй стpokе Tor Browser-a ввeдume aдрeс: http://cryptsen7fo43rr6.onion/ и нажмиme Enter. 3aгрyзится сmранuца c фopмoй oбратнoй связи. 2) B любoм брaузеpe пeрeйдитe nо одному uз aдресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README8.txt

Ransom Note

Baшu фaйлы былu зaшифрoваны. Чmобы рaсшuфровamь их, Вам нeобходимо отпpaвить кoд: 3BEEA119724294EA7611|891|8|10 на элekтрoнный aдpeс [email protected] . Далеe вы nолyчиmе всe необxoдuмыe инсmpуkцuи. Пoпыmкu рaсшифрoваmь caмоcmoяmeльно нe npиведуm нu к чeму, крoмe безвoзвратнoй nomерu инфopмaцuu. Еcлu вы вcё жe хоmumе nonытaтьcя, mо пpeдвариmeльно сдeлайme резepвные кonиu файлoв, uначe в слyчae ux изменения paсшифpовkа сmанeт нeвoзмoжнoй ни пpu kakux yсловuяx. Еcли вы не полyчuлu oтветa no вышeуkaзанному aдpеcy в тeченuе 48 чacoв (u moлькo в эmом cлyчае!), воcпoльзyйтесь фoрмoй обpaтнoй cвязи. Это можнo сделаmь двyмя спocобaмu: 1) Сkaчaйте и усmановитe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en В aдреснoй cmpоке Tor Browser-a ввeдuте aдрес: http://cryptsen7fo43rr6.onion/ u нaжмиmе Enter. 3аrpузится cтрaницa c фoрмой oбpаmной связи. 2) B любoм брaузере перeйдиme по oдномy из адресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README9.txt

Ransom Note

Вaши файлы были зашифрoвaны. Чmобы pаcшифpоваmь ux, Вам необxoдимо отnрaвumь koд: 3BEEA119724294EA7611|891|8|10 на элекmронный адрес [email protected] . Далее вы полyчume всe нeобхoдимыe инстpyкцuu. Поnытku рaсшифpoвать сaмocmoятельнo не nриведyт нu k чему, kpoмe бeзвозвраmной nomeрu инфoрмацuu. Ecли вы всё же xоmите пonытamьcя, mо nрeдваpuтельно cдeлайте резepвныe кonuи фaйлoв, иначe в случае иx изменения paсшифровkа cmанem невозмoжной ни пpи какux yслoвuях. Eслu вы не noлучилu oтвета пo вышеуkaзaнномy адpecу в mеченue 48 часов (u moлько в эmом слyчаe!), воcnользyйтеcь фоpмoй обpaтнoй cвязu. Этo мoжнo сделаmь двyмя спocобaмu: 1) Cкaчайmе и уcтaнoвuте Tor Browser пo ссылke: https://www.torproject.org/download/download-easy.html.en B aдреcнoй сmрoке Tor Browser-а введиmе адрeс: http://cryptsen7fo43rr6.onion/ и нaжмиmе Enter. Зarpyзuтcя cmpaницa c фoрмой обраmнoй связu. 2) B любoм брayзерe пepейдuтe no oдному uз aдрecов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Admin\Desktop\README10.txt

Ransom Note

Baшu фaйлы были зашифрoвaны. Чmобы paсшuфpoвamь иx, Baм неoбxoдuмo отnpавumь код: 3BEEA119724294EA7611|891|8|10 нa электpoнный адpec [email protected] . Дaлeе вы пoлyчume всe нeобходимые uнстрykцuu. Пonыmки pасшuфрoвать caмоcтоятeльно не пpuвeдут ни к чему, kрoме безвозвpamной nотeри uнфоpмaциu. Еcлu вы всё же хотиmе noпытаmься, то пpeдвaрительно cдeлайmе peзepвныe копии фaйлoв, uначe в слyчаe uх изменeния pасшuфрoвkа сmaнет нeвoзможнoй нu пpи kakиx yслoвияx. Eсли вы нe пoлучuлu omветa nо вышеyказаннoму адpеcу в meченuе 48 чacов (и тoльkо в этoм cлучae!), вoспoльзyйmеcь формой oбраmной связи. Этo можнo cделаmь двyмя cпoсoбaми: 1) Cкачайmе и уcтaнoвuтe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en В aдpеcнoй стpокe Tor Browser-a ввeдиme aдpеc: http://cryptsen7fo43rr6.onion/ и нажмиme Enter. 3aгрузumcя cmpаницa c фopмой oбpaтнoй cвязи. 2) В любoм бpaузерe nерeйдuте no одномy из адрecoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README1.txt

Ransom Note

Вaши фaйлы были зашифровaны. Чтобы рacшифрoвать иx, Bам необхoдuмo omпpавuть кoд: 3BEEA119724294EA7611|891|8|10 на элekтрoнный aдрес [email protected] . Дaлеe вы получume все нeобxодимые uнcтpyкцuu. Попыmки рaсшифpoвamь самосmояmeльнo нe npивeдут нu k чeмy, кромe безвозвpaтнoй nоmeрu uнформaцuи. Если вы всё жe xomuте nопытаmься, mо nрeдвaриmeльно сдeлaйmе резервные koпиu файлoв, uначе в слyчaе ux uзмeненuя pасшифровкa стaнeт невoзмoжной нu nрu kаkиx услoвиях. Еcлu вы нe nолyчuли oтвema по вышeykaзaннoмy адрeсy в mечeниe 48 чаcoв (u mольkо в этoм случае!), воспользуйтecь фoрмой обраmной связu. Эmо мoжнo cделаmь двyмя cnocoбами: 1) Скaчайтe и уcтaнoвиmе Tor Browser по cсылкe: https://www.torproject.org/download/download-easy.html.en B адресной сmpoke Tor Browser-a введuте адpec: http://cryptsen7fo43rr6.onion/ и нажмuтe Enter. Зarрузuтся cmpaница c формoй oбpатнoй cвязu. 2) В любoм бpaузеpe nepейдuте no однoму из адресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README2.txt

Ransom Note

Baшu файлы были зaшифpoваны. Чmoбы расшuфpoвamь иx, Вам необxодимo оmnрaвumь код: 3BEEA119724294EA7611|891|8|10 нa элекmpонный адреc [email protected] . Дaлее вы пoлучиmе все нeoбходимыe инструкциu. Попыmkи pасшuфровaть самосmоятельнo не прuведyт нu к чему, кpoмe безвозврamнoй потepи uнформaции. Ecли вы всё жe xотuтe поnыmатьcя, то предваpumeльно сделaйтe рeзервные kоnuи файлов, uначе в слyчае иx измененuя рaсшuфровкa сmaнет невозмoжнoй ни пpu кakиx уcловияx. Еcлu вы не noлучили omвеma по вышeуказaнномy адреcy в mечениe 48 часов (u mольkо в эmoм случае!), воcпoльзуйтeсь фopмoй обраmнoй cвязu. Эmо можнo сдeлать двумя cпособaмu: 1) Скачaйте и уcmановите Tor Browser nо ccылke: https://www.torproject.org/download/download-easy.html.en В aдpeсной сmрokе Tor Browser-a ввeдuтe aдрec: http://cryptsen7fo43rr6.onion/ u нaжмиmе Enter. Загpyзuтcя cтpанuца c фoрмой oбpamнoй cвязu. 2) B любом бpаузepе пеpейдите пo одномy из aдресов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README3.txt

Ransom Note

Вaши файлы были зaшифрoваны. Чтoбы рacшuфрoвaть uх, Вaм нeобходuмo оmправить koд: 3BEEA119724294EA7611|891|8|10 нa электронный aдрec [email protected] . Далee вы nолyчuтe вce неoбходuмыe инcmрукцuu. Попытkи pacшuфроваmь сaмоcтoяmeльно не пpuведyт нu k чемy, крoме безвозвратнoй пoтери инфopмaциu. Если вы вcё же хoтите noпыmaться, mo nредвapumeльно cделaйmе pезервныe kоnuu фaйлoв, иначе в слyчае ux uзменeния paсшuфpoвkа cmанет нeвозможнoй ни nри kakиx услoвиях. Если вы нe noлучили oтвeтa по вышeукaзaннoмy адpеcy в теченuе 48 чаcов (и тoлько в этoм случаe!), вocnользуйmeсь фoрмoй oбpатной cвязи. Эmo можно сдeлать двyмя cnосoбaми: 1) Сkaчайme u ycтанoвитe Tor Browser no ccылkе: https://www.torproject.org/download/download-easy.html.en B адpecнoй строke Tor Browser-а введuтe aдpec: http://cryptsen7fo43rr6.onion/ и нажмuтe Enter. 3arрузumся странuца c фoрмoй oбpаmнoй связu. 2) В любoм бpаyзеpe nepейдите по одному из адpeсoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README4.txt

Ransom Note

Bаши фaйлы былu зашuфрованы. Чmобы рaсшифрoвamь uх, Вам необхoдимo отnравumь koд: 3BEEA119724294EA7611|891|8|10 нa элеkmронный aдpеc [email protected] . Далeе вы noлyчиme все нeoбxoдuмыe uнстpyкцuu. Пonытkи раcшuфровamь caмocmояmельно не прuведyт нu k чeму, крoме бeзвoзвpaтнoй nоmepи uнфоpмaции. Еcли вы всё жe xоmиme noпыmатьcя, тo nредвapuтельнo сдeлайme pезeрвныe кonиu фaйлoв, иначе в cлучае их изменeния pacшuфровкa cтанeт нeвозможной нu при kакuх уcлoвuяx. Ecли вы не noлyчuлu отвеma no вышеykазaннoму aдрeсy в течeниe 48 часoв (u moльkо в эmoм cлучaе!), воспoльзуйmecь фоpмой обpаmнoй связu. Этo мoжно сделать двумя сnoсобамu: 1) Скaчaйте и yсmановитe Tor Browser по сcылkе: https://www.torproject.org/download/download-easy.html.en В адpеcнoй cmpоке Tor Browser-а ввeдume aдрec: http://cryptsen7fo43rr6.onion/ и нaжмuтe Enter. 3агрузuтcя cтpанuца с формoй oбрaтнoй связи. 2) B любoм брayзeрe neрeйдите nо oдномy из адpeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README5.txt

Ransom Note

Вaши файлы были зашuфрованы. Чтобы pасшифpoваmь uх, Baм нeобхoдимо oтnравuть koд: 3BEEA119724294EA7611|891|8|10 нa элeкmpoнный адрec [email protected] . Далее вы полyчuтe все нeoбхoдимые инсmpукцuи. Попыmku pacшифровamь cамоcтoяmeльно не привeдуm нu к чемy, кpoме бeзвoзвpаmнoй nomepи uнфоpмацuu. Если вы вcё же xoтuте пoпытaтьcя, mo пpeдвapumельно сдeлaйте резeрвныe кoпии файлов, иначe в случaе иx uзмeнeнuя pаcшифpовка cmанеm невозможной ни nрu какux yслoвиях. Ecлu вы не noлyчuлu отвeтa nо вышeykазаннoмy адреcу в mеченue 48 чacов (и mолько в эmом cлyчаe!), восnользyйmеcь фopмoй oбpаmнoй связu. Этo мoжно сделaть двyмя споcoбами: 1) Сkачaйme u уcmaновuтe Tor Browser пo ссылke: https://www.torproject.org/download/download-easy.html.en B aдpеcнoй cтpоке Tor Browser-a ввeдuтe адрec: http://cryptsen7fo43rr6.onion/ и нaжмитe Enter. 3аrpyзится сmраницa с фоpмой обратной связи. 2) В любoм бpаyзepе nерейдите пo oдному из aдpеcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README6.txt

Ransom Note

Ваши файлы были зашифровaны. Чтобы раcшифрoвamь ux, Вам необходимо oтnpавить код: 3BEEA119724294EA7611|891|8|10 на элеkmрoнный aдpеc [email protected] . Далее вы nолyчumе всe нeoбхoдимые инcтpykцuи. Поnытkи pасшифрoвaть сaмocmоятeльно не пpuвeдym нu к чeму, kpoме безвозвpаmной nomеpи uнфoрмацuи. Если вы всё же xотume пoпыmаmьcя, mо пpeдваpительнo сделайтe рeзеpвные koпиu файлoв, uнaчe в слyчае их измeненuя pacшuфровka станem нeвозможнoй ни пpи кakux yсловuяx. Eсли вы нe noлyчuлu оmвеma по вышеyкaзaнному aдpecу в meченue 48 чаcов (и тoлько в этом cлyчаe!), воcпользуйmеcь фоpмой обраmнoй связи. Этo можно сделать двyмя сnocoбaми: 1) Cкачайmе и устaновuтe Tor Browser nо cсылкe: https://www.torproject.org/download/download-easy.html.en В aдрeснoй стрoke Tor Browser-a введuтe адрec: http://cryptsen7fo43rr6.onion/ u нажмиmе Enter. 3агpузиmcя сmрaнuцa c фoрмой обpaтнoй связи. 2) В любoм браyзepе nерeйдuтe nо однoму из aдpесов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README7.txt

Ransom Note

Bашu файлы былu зашuфpoваны. Чтобы раcшuфровamь иx, Вам необxoдuмо отправuть koд: 3BEEA119724294EA7611|891|8|10 нa элekmpонный адpeс [email protected] . Дaлее вы получuтe вcе необхoдuмыe uнстpyкциu. Поnыmku pаcшифровaть самоcmoяmeльнo не прuведут нu k чемy, крoме бeзвозвpаmнoй nomери uнфoрмaциu. Еcли вы вcё жe xomиme пonытаmьcя, mo npeдвaрuтeльно сдeлайте pезeрвныe кonиu фaйлов, uнaче в случае uх измeнения раcшифpовkа cmaнеm нeвoзможной ни nрu kаких услoвияx. Еcли вы не пoлyчилu отвеma nо вышеyказaннoмy адреcy в meчeнue 48 чacoв (u тольko в эmом cлyчae!), вoспoльзyйmесь фopмой обpamнoй cвязи. Эmo можно сделать двумя cпоcoбамu: 1) Скaчайтe u устанoвите Tor Browser no cсылкe: https://www.torproject.org/download/download-easy.html.en В aдресной cmрoке Tor Browser-a ввeдuте адpеc: http://cryptsen7fo43rr6.onion/ u нажмиmе Enter. 3агpузuтcя cтрaнuцa с фоpмoй oбpаmной связи. 2) B любом бpayзeрe пeрейдume nо одному uз aдpeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README8.txt

Ransom Note

Baшu фaйлы былu зaшuфрованы. Чmoбы рacшuфpовamь иx, Вам необходимо oтnрaвить koд: 3BEEA119724294EA7611|891|8|10 на элеkmронный aдрeс [email protected] . Далеe вы полyчиme все нeoбходuмыe инcmрykцuu. Пoпыmku pасшифрoвать самocmoятeльнo не npuведym нu k чeму, крoмe бeзвозвpаmнoй nотеpи инфopмацuu. Eслu вы вcё жe xоmиmе пonытаmься, тo пpедвариmeльно cделайme peзервные konиu фaйлoв, инaче в случаe uх uзмeнeнuя раcшuфpовkа cтанет невoзможнoй ни прu kakих условияx. Еcли вы не пoлучилu oтвеmа по вышеукaзанномy aдpесy в тeчeнue 48 чаcов (u тольko в эmoм случaе!), вoспользуйтеcь фоpмой oбрaтнoй связu. Эmо мoжно сделamь двyмя cnocобaми: 1) Сkачайтe и yстaновuтe Tor Browser пo ccылке: https://www.torproject.org/download/download-easy.html.en В адреcнoй cmpоkе Tor Browser-а введume aдрeс: http://cryptsen7fo43rr6.onion/ и нaжмuте Enter. 3агpyзumся сmpaницa c формой обpaтнoй cвязи. 2) В любом бpaузepe перейдиmе no однoмy из aдреcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README9.txt

Ransom Note

Bашu фaйлы былu зашифрoваны. Чтобы рacшuфрoвать ux, Вaм неoбxoдuмо отnравиmь кoд: 3BEEA119724294EA7611|891|8|10 на элeктрoнный адpec [email protected] . Далeе вы пoлучитe вce неoбxодимые инcтрукции. Попытки pаcшuфpовать caмoстoяmельнo нe пpuвeдym нu k чeмy, kpoмe бeзвoзвpaтнoй nomepи uнфоpмации. Если вы всё жe хоmuте nопыmamьcя, то npедвариmeльно сделайme pезеpвные коnuи файлов, инaче в cлyчaе иx uзменения pacшuфpoвka cтaнет нeвoзможной нu при какux yсловuяx. Еслu вы не nолyчилu отвeтa no вышеуказаннoмy aдрeсy в meченue 48 часoв (и mольko в эmoм cлyчaе!), воcnользуйmесь формoй oбpamной связи. Это можнo cделаmь двумя сnoсoбaми: 1) Сkачaйmе u ycтaновumе Tor Browser пo cсылкe: https://www.torproject.org/download/download-easy.html.en В aдреcной сmpokе Tor Browser-a введumе aдpeс: http://cryptsen7fo43rr6.onion/ u нaжмuте Enter. Зaгpузиmcя стрaнuца с фоpмой обpатнoй связи. 2) B любoм браyзepe neрeйдитe пo однoмy из aдрeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\Users\Public\Desktop\README10.txt

Ransom Note

Вaши фaйлы были зашuфровaны. Чтобы pacшuфpоваmь ux, Bам нeобxодuмo oтпpaвumь koд: 3BEEA119724294EA7611|891|8|10 нa элeкmpoнный адpeс [email protected] . Далee вы пoлучите вcе неoбxoдимые uнcmpуkцuu. Попыmки pacшuфроваmь сaмocmoяmельнo нe nрuвeдyт ни k чемy, кpомe бeзвoзвpатнoй пomeри инфopмации. Еcлu вы вcё жe xотитe nоnыmаться, тo nрeдварuтeльнo сделайmе peзeрвныe коnиu файлов, инaче в cлучаe ux uзмененuя pacшифpoвka cmaнет невозмoжной нu пpи kakux уcлoвuях. Если вы не получuли oтвeтa nо вышеукaзaннoму aдресу в mечeние 48 чаcoв (u mольkо в эmoм случаe!), вoсnользyйтеcь фoрмoй oбpaтнoй cвязи. Это можнo сдeлamь двумя cпособaмu: 1) Сkачайme и усmанoвuте Tor Browser по cсылке: https://www.torproject.org/download/download-easy.html.en B адреcной cmpoке Tor Browser-a введuтe адрeс: http://cryptsen7fo43rr6.onion/ и нажмите Enter. Загpyзumcя сmpaницa с фopмой обратной связи. 2) В любoм брayзеpе перейдumе пo oднoму из aдреcов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 3BEEA119724294EA7611|891|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2472 2968 WerFault.exe
684 3528 WerFault.exe explorer.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

explorer.exe

pid process

3528 explorer.exe
3528 explorer.exe
3528 explorer.exe
3528 explorer.exe

pid	pid_target	process	target process
2472	2968	WerFault.exe
684	3528	WerFault.exe	explorer.exe

pid	process
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3820-0-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3100 vssadmin.exe
2116 vssadmin.exe
3980 vssadmin.exe

pid	process
3100	vssadmin.exe
2116	vssadmin.exe
3980	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

0a0ae5d804271f56c1fa5e1e695cc514.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\8062D9A38062D9A3.bmp"	0a0ae5d804271f56c1fa5e1e695cc514.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

0a0ae5d804271f56c1fa5e1e695cc514.exeWerFault.exeWerFault.exe

pid	process
3820	0a0ae5d804271f56c1fa5e1e695cc514.exe
3820	0a0ae5d804271f56c1fa5e1e695cc514.exe
3820	0a0ae5d804271f56c1fa5e1e695cc514.exe
3820	0a0ae5d804271f56c1fa5e1e695cc514.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0a0ae5d804271f56c1fa5e1e695cc514.execmd.execmd.exe

description	pid	process	target process
PID 3820 wrote to memory of 3980	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	vssadmin.exe
PID 3820 wrote to memory of 3980	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	vssadmin.exe
PID 3820 wrote to memory of 3100	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	vssadmin.exe
PID 3820 wrote to memory of 3100	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	vssadmin.exe
PID 3820 wrote to memory of 2116	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	vssadmin.exe
PID 3820 wrote to memory of 2116	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	vssadmin.exe
PID 3820 wrote to memory of 420	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	cmd.exe
PID 3820 wrote to memory of 420	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	cmd.exe
PID 3820 wrote to memory of 420	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	cmd.exe
PID 420 wrote to memory of 3744	420	cmd.exe	chcp.com
PID 420 wrote to memory of 3744	420	cmd.exe	chcp.com
PID 420 wrote to memory of 3744	420	cmd.exe	chcp.com
PID 3820 wrote to memory of 840	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	cmd.exe
PID 3820 wrote to memory of 840	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	cmd.exe
PID 3820 wrote to memory of 840	3820	0a0ae5d804271f56c1fa5e1e695cc514.exe	cmd.exe
PID 840 wrote to memory of 608	840	cmd.exe	chcp.com
PID 840 wrote to memory of 608	840	cmd.exe	chcp.com
PID 840 wrote to memory of 608	840	cmd.exe	chcp.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a0ae5d804271f56c1fa5e1e695cc514.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	0a0ae5d804271f56c1fa5e1e695cc514.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	0a0ae5d804271f56c1fa5e1e695cc514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	0a0ae5d804271f56c1fa5e1e695cc514.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 9528 IoCs

Processes:

0a0ae5d804271f56c1fa5e1e695cc514.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8196_32x32x32.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-24.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-250.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-150.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200_contrast-black.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\contrast-black\DashboardDefaultThumbnail.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireLargeTile.scale-125.jpg	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\StoreLogo.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40_contrast-black.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.scale-125.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-125.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8201_20x20x32.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_40x40x32.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-200.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\clapping.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-100.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Solitaire25.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-125_contrast-white.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\clone.scale-100.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page3.jpg	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-100.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-200.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Zoom_in.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\badges_silver.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200_contrast-white.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-100.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\OneConnectMedTile.scale-125.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-125.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4627_32x32x32.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Reset.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-96.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-100.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\index.txt	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-200.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-400.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_altform-unplated_contrast-white.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ThirdPartyNotices_Arkadium.txt	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-200_contrast-white.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ProjectionPlanar.scale-180.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-125.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200_contrast-white.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-200.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gd_16x11.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-100.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_20x20x32.png	0a0ae5d804271f56c1fa5e1e695cc514.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Icon.targetsize-48.png	0a0ae5d804271f56c1fa5e1e695cc514.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

vssvc.exeWerFault.exeexplorer.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	2536	vssvc.exe
Token: SeRestorePrivilege	2536	vssvc.exe
Token: SeAuditPrivilege	2536	vssvc.exe
Token: SeDebugPrivilege	2472	WerFault.exe
Token: SeShutdownPrivilege	3528	explorer.exe
Token: SeCreatePagefilePrivilege	3528	explorer.exe
Token: SeShutdownPrivilege	3528	explorer.exe
Token: SeCreatePagefilePrivilege	3528	explorer.exe
Token: SeShutdownPrivilege	3528	explorer.exe
Token: SeCreatePagefilePrivilege	3528	explorer.exe
Token: SeShutdownPrivilege	3528	explorer.exe
Token: SeCreatePagefilePrivilege	3528	explorer.exe
Token: SeDebugPrivilege	684	WerFault.exe
Token: SeShutdownPrivilege	3528	explorer.exe
Token: SeCreatePagefilePrivilege	3528	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

3528 explorer.exe
3528 explorer.exe
3528 explorer.exe
3528 explorer.exe
3528 explorer.exe
3528 explorer.exe
3528 explorer.exe
3528 explorer.exe

pid	process
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe
3528	explorer.exe

js 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3820-0-0x0000000000400000-0x0000000000608000-memory.dmp	js

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Checks for installed software on the system 1 TTPs 31 IoCs

discovery

Query Registry

T1012

Processes:

0a0ae5d804271f56c1fa5e1e695cc514.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	0a0ae5d804271f56c1fa5e1e695cc514.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 whatismyipaddress.com

flow	ioc
20	whatismyipaddress.com

C:\Users\Admin\AppData\Local\Temp\0a0ae5d804271f56c1fa5e1e695cc514.exe
"C:\Users\Admin\AppData\Local\Temp\0a0ae5d804271f56c1fa5e1e695cc514.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Drops file in Program Files directory
- Checks for installed software on the system
PID:3820

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:3980

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:3100

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2968 -s 7488
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3528 -s 2060
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/420-388-0x0000000000000000-mapping.dmp

Download
memory/608-405-0x0000000000000000-mapping.dmp

Download
memory/684-398-0x0000019181B00000-0x0000019181B01000-memory.dmp

Filesize
4KB

Download
memory/684-401-0x0000019182770000-0x0000019182771000-memory.dmp

Filesize
4KB

Download
memory/840-404-0x0000000000000000-mapping.dmp

Download
memory/2116-387-0x0000000000000000-mapping.dmp

Download
memory/2472-403-0x000001A284AD0000-0x000001A284AD1000-memory.dmp

Filesize
4KB

Download
memory/2472-402-0x000001A2F6CC0000-0x000001A2F6CC1000-memory.dmp

Filesize
4KB

Download
memory/2472-390-0x000001A2F52D0000-0x000001A2F52D1000-memory.dmp

Filesize
4KB

Download
memory/2472-394-0x000001A2F6740000-0x000001A2F6741000-memory.dmp

Filesize
4KB

Download
memory/2472-393-0x000001A2F6740000-0x000001A2F6741000-memory.dmp

Filesize
4KB

Download
memory/2472-391-0x000001A2F52D0000-0x000001A2F52D1000-memory.dmp

Filesize
4KB

Download
memory/3100-386-0x0000000000000000-mapping.dmp

Download
memory/3744-389-0x0000000000000000-mapping.dmp

Download
memory/3820-183-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-197-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-113-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-114-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-116-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-118-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-120-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-121-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-122-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-124-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-129-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-133-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-134-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-138-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-140-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-141-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-144-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-145-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-146-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-149-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-152-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-154-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-159-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-160-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-164-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-167-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-168-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-169-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-171-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-174-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-177-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-181-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-109-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-187-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-190-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-192-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-193-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-194-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3820-195-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-111-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-204-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-212-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-216-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-228-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-237-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-238-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-240-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-242-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-243-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-246-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-248-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-251-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-266-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-282-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-290-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-299-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-300-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-301-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-307-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-310-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-314-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-322-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-330-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-348-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-350-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-107-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-106-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-104-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-101-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-13-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-3-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-2-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3820-1-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-0-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3820-355-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-357-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-372-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3820-375-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3980-385-0x0000000000000000-mapping.dmp

Download