Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 21:34

General

  • Target

    47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe

  • Size

    265KB

  • MD5

    478e706e3f0e7b95cc63ebe380d4377a

  • SHA1

    e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

  • SHA256

    47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

  • SHA512

    8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

Malware Config

Extracted

Path

C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E

#########################################################################

Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware".

#########################################################################

!!! If you are reading this message it means the software "Cerber" has
!!! been removed from your computer.
!!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a
!!! working domain of your personal page!

#########################################################################

What is encryption?
-------------------

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

#########################################################################

Everything is clear for me but what should I do?
------------------------------------------------

The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

#########################################################################

!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.

#########################################################################

For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to:

1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

#########################################################################

There is a list of temporary addresses to go on your personal page below:

1. http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565
2. http://bqyjebfh25oellur.onion.cab/377E-5E97-E499-0000-0565
3. http://bqyjebfh25oellur.onion.nu/377E-5E97-E499-0000-0565
4. http://bqyjebfh25oellur.onion.link/377E-5E97-E499-0000-0565
5. http://bqyjebfh25oellur.tor2web.org/377E-5E97-E499-0000-0565

#########################################################################

What should you do with these addresses?
----------------------------------------

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):

1. take a look at the first address (in this case it is http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:

1. click the left mouse button on the first address (in this case it is http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

#########################################################################

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://bqyjebfh25oellur.onion/377E-5E97-E499-0000-0565 in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

#########################################################################

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

#########################################################################

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place.

#########################################################################

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

#########################################################################

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.onion.cab/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.onion.nu/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.onion.link/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.tor2web.org/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.onion/377E-5E97-E499-0000-0565

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note

C E R B E R R A N S O M W A R E

Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware".

If you are reading this message it means the software "Cerber" has been removed from your computer.

What is encryption?

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

Everything is clear for me but what should I do?

The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.

For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to:

  • decrypt all your files;
  • work with your documents;
  • view your photos and other media;
  • continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

There is a list of temporary addresses to go on your personal page below:

  • Please wait... http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565(Get a NEW address!)
  • http://bqyjebfh25oellur.onion.cab/377E-5E97-E499-0000-0565
  • http://bqyjebfh25oellur.onion.nu/377E-5E97-E499-0000-0565
  • http://bqyjebfh25oellur.onion.link/377E-5E97-E499-0000-0565
  • http://bqyjebfh25oellur.tor2web.org/377E-5E97-E499-0000-0565

What should you do with these addresses?

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):

  • take a look at the first address (in this case it is Please wait... http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565);
  • select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
  • release the left mouse button and press the right one;
  • select "Copy" in the appeared menu;
  • run your Internet browser (if you do not know what it is run the Internet Explorer);
  • move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
  • click the right mouse button in the field where the site address is written;
  • select the button "Insert" in the appeared menu;
  • then you will see the address Please wait... http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565 appeared there;
  • press ENTER;
  • the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:

  • click the left mouse button on the first address (in this case it is Please wait... http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565);
  • in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

  • run your Internet browser (if you do not know what it is run the Internet Explorer);
  • enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
  • wait for the site loading;
  • on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
  • run Tor Browser;
  • connect with the button "Connect" (if you use the English version);
  • a normal Internet browser window will be opened after the initialization;
  • type or copy the address http://bqyjebfh25oellur.onion/377E-5E97-E499-0000-0565 in this browser address bar;
  • press ENTER;
  • the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place.

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://bqyjebfh25oellur.onion.cab/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.onion.nu/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.onion.link/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.tor2web.org/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.onion.to/377E-5E97-E499-0000-0565

http://bqyjebfh25oellur.onion/377E-5E97-E499-0000-0565

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Deletes itself (1 IoC)
  • Drops startup file (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • JavaScript code in executable (1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (15 IoCs)
  • Kills process with taskkill (2 IoCs)
  • Modifies Control Panel (4 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 62 IoCs)
  • Runs ping.exe (1 TTP, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (330 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of UnmapMainImage (3 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe
    "C:\Users\Admin\AppData\Local\Temp\47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe
      "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1180
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1784
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:537601 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1892
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1896
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:2056
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "fsutil.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2268
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "fsutil.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2304
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1736
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:1508
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {5F226EE3-AC0A-43E3-B38A-B279041B8D94} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe
          C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:828
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1524
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:2132
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x4f4
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 2
  • Defense Evasion
    Modify Registry (T1112): 4
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    System Information Discovery (T1082): 1
    Remote System Discovery (T1018): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Defacement (T1491): 1

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          a04d2e851e48aefe2f189c938b2dedfa

          SHA1

          05564b656fbbfec893801fa1a93e59873bb0a6c9

          SHA256

          4560d835a338b78a2e56bb5e9db2dce133b9540985b2bd89f2050446a6ee84e6

          SHA512

          7bf715525e797c87419143dad0d8a8bdfdad9b981f87ee35c1b643945f965d659c3f8152c96bdfce8d0711e5223b9f9dec0e39132040b2e2c857182ee30f1715

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{576D62D1-23EF-11EB-A016-EE401B9E63CB}.dat
          MD5

          4172bf7b676baa135b9250bbbe80352c

          SHA1

          3dfb89adcd44b9040f21fa89e853ad4d1c3bc94c

          SHA256

          4a9fe3e3e06aa0701c31664865b68a5bea2b236977b0388742dd09aa10af8fac

          SHA512

          80fe2d5dcf5d48a3d075ac664db95f49056242dba5cca0f7b80becc43a74011ecab219eeab300c05ebcd736295b73550418b1ed4e200cc3cd76207f185bf62cf

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{579378D1-23EF-11EB-A016-EE401B9E63CB}.dat
          MD5

          4affd16ee28f0d8fb81e0726f2e4ab59

          SHA1

          2ab9234ceb357f4fb548bd40e711d66844b3f125

          SHA256

          dbb8feedb54126ec569eb2cbd93627102f10e296d3087c6aac5a3b4467000af2

          SHA512

          e936fca1d8971c39cd32e9752cb5f267203da979b8877fd7fc5a217c87b56e9c442b98779a16bccb60116bf8dc2966d0fd74dd266b375593aa379cf51db9e154

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DU8C79EN.txt
          MD5

          51da0e6c87af6223278ef08f67e06d6f

          SHA1

          ca7b332c5f321f7d285f876eb2e09d7d2ad67f2b

          SHA256

          022b4ed572c0ef4b9aee1d6e42b91d36c2a898c854a306cafac20add3f5ee6f9

          SHA512

          58360b73c6f83572c213f2af7687227e8350c99163460d32e5c65a0cf8e8e08ffb6659e8bc2df9dde08e0b610d347dea17ebdaeacc0cc64e345203f55356a496

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X8RPFFB8.txt
          MD5

          c1057652bf4d968482cd4c36a32bb09d

          SHA1

          ab6349b66700a30097ab3b612ce5ac16a4ce1fba

          SHA256

          e8929ff15563d5165fd28b78773632f77d7d95ba0bf34b9f532d26981b3b6f7c

          SHA512

          43cd23bb5922d877d254d9e4779f1ea90bd73f0a111e13c055626d1cdef9a68d32cd0954c1c9ca2af62e1ae0fc06f8428014f863b21157eec023c6dda5d2c75e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fsutil.lnk
          MD5

          6142ebec5245c880c06390ff78b218b4

          SHA1

          de27640f128e693cada0a0d6aa47581354441a50

          SHA256

          99d0665530f122660586ea7d238ecc72e58a711ce34bc79ecf60efbe9b476136

          SHA512

          cb6bb4e25d99e33d7bff7736dd93b877514cdc9f8c597970db67cff8855e96cca7fb5f50ad77f00207845cf5a5fe6727b25edf1870b5df97364ae9bac355c883

        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe
          MD5

          478e706e3f0e7b95cc63ebe380d4377a

          SHA1

          e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

          SHA256

          47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

          SHA512

          8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe
          MD5

          478e706e3f0e7b95cc63ebe380d4377a

          SHA1

          e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

          SHA256

          47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

          SHA512

          8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe
          MD5

          478e706e3f0e7b95cc63ebe380d4377a

          SHA1

          e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

          SHA256

          47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

          SHA512

          8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          MD5

          e86fb2d935872187ceba46d1273642e9

          SHA1

          d91ef8bc1b571e5740f731420a23b26d15d10e59

          SHA256

          169ab8f2fd22be43e0c3f32792845452aa52862e6008108917e83040ea7f6622

          SHA512

          80eef30ae5ecd78bf4fce5f3dcca7626e399ed3628da349a191ac9ba0b36bc90d639964fb2d633a5cd8400d1e4085f73f936d5ff688030273af870edc4232c02

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
          MD5

          78c7b48bc2ca105cf29e98fea5c50e2d

          SHA1

          2082752d289a49e6f29c0944778782bc23e11aff

          SHA256

          c2da6fb78dfd6544b700861a3f39494f9a902d8bc23dcaf655767546d3e8bdd9

          SHA512

          b68b9cb56acf194992f3dec04730df9eb90a751756e95cd73354f79806b96e2d92aad7e446847fba844272cdc4eb2e1c8591c12692ba920b1481e1a00a966388

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
          MD5

          14317cd917fb484ccb613bf2b6d7824b

          SHA1

          9ebe4c26c7088d2870ee0c20755b92caf3f2a07c

          SHA256

          70895c47010f7eb0675822916513165047957ce956e12e880022abbef40121b8

          SHA512

          e3a993533bd2d1696e0fc9918a80cb4f031135b8a52e7947c5b69b6ef88a204a939015faeccb8fb08a722e2299bdfb959340cd7d400288be605e9bbff7f9e651

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
          MD5

          1c2a24505278e661eca32666d4311ce5

          SHA1

          d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee

          SHA256

          3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628

          SHA512

          ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

        • \Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe
          MD5

          478e706e3f0e7b95cc63ebe380d4377a

          SHA1

          e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

          SHA256

          47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

          SHA512

          8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

        • \Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fsutil.exe
          MD5

          478e706e3f0e7b95cc63ebe380d4377a

          SHA1

          e2aa8ef7e2ced5596d26ea5340ebc300f26fab13

          SHA256

          47f4229f3f433d5591fa59599a2496a21030b13187c7ebf8759beec2a25c0a5d

          SHA512

          8108bf74bb6de6f13eeee05cf25877bc88e720ed0b6b4eb1ff1506cccecf9f6fb820c5af2c18588098446cc77746b035d313069385dc423bc553e61e400de433

        • memory/476-7-0x000007FEF6350000-0x000007FEF65CA000-memory.dmp
          Filesize

          2.5MB

        • memory/828-9-0x0000000000000000-mapping.dmp
        • memory/1180-12-0x0000000000000000-mapping.dmp
        • memory/1508-6-0x0000000000000000-mapping.dmp
        • memory/1524-16-0x0000000000000000-mapping.dmp
        • memory/1696-4-0x0000000000000000-mapping.dmp
        • memory/1736-3-0x0000000000000000-mapping.dmp
        • memory/1784-15-0x0000000000000000-mapping.dmp
        • memory/1788-1-0x0000000000000000-mapping.dmp
        • memory/1892-20-0x0000000000000000-mapping.dmp
        • memory/1896-13-0x0000000000000000-mapping.dmp
        • memory/2056-22-0x0000000000000000-mapping.dmp
        • memory/2268-27-0x0000000000000000-mapping.dmp
        • memory/2304-28-0x0000000000000000-mapping.dmp
        • memory/2388-29-0x0000000000000000-mapping.dmp