Overview

overview

10

Static

static

9a6164b262...a9.exe

windows7_x64

10

9a6164b262...a9.exe

windows10_x64

10

Analysis

  • max time kernel
    123s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-11-2020 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9.exe

  • Size

    270KB

  • MD5

    e1f33c600d3cc76771aaa3bf940ff3fe

  • SHA1

    a9bf1c6f3f08203cf10fdaf141012dc83646aee1

  • SHA256

    9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9

  • SHA512

    ad96e7cd9e5c3fe7ba45c82d5183210b8dc58fc72faaad71e39e129f0356e7c6db5a72e2e52b3e4e7c30cf06872eb879d3577e76f7f3dba3ba7fa2eb62d7a08b

Score
10/10
cerberursnif_rm3bankerevasionpersistenceransomwarespywaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277 | | 2. http://bqyjebfh25oellur.onion.cab/DA18-B58F-AE58-0072-8277 | | 3. http://bqyjebfh25oellur.onion.nu/DA18-B58F-AE58-0072-8277 | | 4. http://bqyjebfh25oellur.onion.link/DA18-B58F-AE58-0072-8277 | | 5. http://bqyjebfh25oellur.tor2web.org/DA18-B58F-AE58-0072-8277 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://bqyjebfh25oellur.onion/DA18-B58F-AE58-0072-8277 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.onion.cab/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.onion.nu/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.onion.link/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.tor2web.org/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.onion/DA18-B58F-AE58-0072-8277

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note
C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". If you are reading this message it means the software "Cerber" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: Please wait... http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277(Get a NEW address!) http://bqyjebfh25oellur.onion.cab/DA18-B58F-AE58-0072-8277 http://bqyjebfh25oellur.onion.nu/DA18-B58F-AE58-0072-8277 http://bqyjebfh25oellur.onion.link/DA18-B58F-AE58-0072-8277 http://bqyjebfh25oellur.tor2web.org/DA18-B58F-AE58-0072-8277 What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is Please wait... http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address Please wait... http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277 appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is Please wait... http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://bqyjebfh25oellur.onion/DA18-B58F-AE58-0072-8277 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277(Get

http://bqyjebfh25oellur.onion.cab/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.onion.nu/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.onion.link/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.tor2web.org/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277);

http://bqyjebfh25oellur.onion.to/DA18-B58F-AE58-0072-8277

http://bqyjebfh25oellur.onion/DA18-B58F-AE58-0072-8277

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

    bankertrojanursnif_rm3
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • JavaScript code in executable 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 15 IoCs
  • Gathers system information 1 TTPs 2 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 240 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9.exe
    "C:\Users\Admin\AppData\Local\Temp\9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe
      "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Gathers system information
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:344
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:406530 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1344
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1840
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1808
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "systeminfo.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2236
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "systeminfo.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2292
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2348
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:1360
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {73611AA5-DC7C-4DFE-8844-B3511293F755} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe
          C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe
          2⤵
          • Executes dropped EXE
          • Gathers system information
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:1064
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:644
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:768
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:2092
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x5bc
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2140

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          bffb9b030c35a434dd1b6d45315729bd

          SHA1

          5557b8b81ccad2f197d2ac59408e88fdad564bba

          SHA256

          e404cc1fd057a05070eaf713991eca3faf3d25de363ab390e8fd08b517ff9860

          SHA512

          1e4a2b5072b544a21350dc7615b2d359ab7ff11b2918936041049663212c2ea4533d23170482e1f998fd7759557657bfbc8e62de385e029104d8bff33f81891a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{62050D51-25ED-11EB-AA42-6A86915434CB}.dat
          MD5

          7ab1e76e578d4fbe241997f7c81d3922

          SHA1

          f78b9337e903925b075a0a7528d284aaf7a52ed3

          SHA256

          4fd2f944b77916112cb83523484bb88bef175502a6a8da94ab6e440c8e60962a

          SHA512

          2a5add4da0822070806bb860765c04282908b704df8c0a19161464725d09709e4f96c9a2764d658c78dc6a1ac53c9efb272d95c73284eba09f06ef4016d75d33

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R5RU5IDW.txt
          MD5

          c8b6a0e2f978948e385478c3a59a2953

          SHA1

          56fb7ae567a135324070b4e8f6bb2d89fbdd47cd

          SHA256

          ebfd7c03b8dadb112626fed4ff4e04f57769432fcfbdadebf70298218e8fdc33

          SHA512

          5121289ae34e8b1c6319454cad6005368105bb3be7bfd6df772fc302c139494262149c208c01d4fb4c3d2d8c5add9dd2d0b56e72cc7fd1363b89f726bdbe7db0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W6YACVKM.txt
          MD5

          65d2a89bb64df3fb396a269898bb3b16

          SHA1

          1d99f7f7e873f83273fd371f541096dee4af8515

          SHA256

          efa9bafa28fe45d77304383a492aac54dc6b51905001ae2c2578fcf9be056164

          SHA512

          7c71bc6c7b51b99b3223f1ba4621c0e7bb686508a86c7341e7a13fdd00f0a648d08afcd127c6c134eda38a514770eec63a86ad7ed5af709db11f2740e7e56c36

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\systeminfo.lnk
          MD5

          ef971cb0ec9206df219490f6066ecaa5

          SHA1

          b0d3d899deae997b02f2b16f0e712f5065d43686

          SHA256

          8a256a2ec03f35f50edf6123147f5de2b65f04c3854e29d23e4764df31b9eb5d

          SHA512

          557a3e6e7e72f413d85dfb0f68b505378ecf415670f6cf4d4605bb9bbf560530cf08f4468f0c860c3f63e841f97877932c8f6d18e51b8922171a656f22b37404

          Download Submit

        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe
          MD5

          e1f33c600d3cc76771aaa3bf940ff3fe

          SHA1

          a9bf1c6f3f08203cf10fdaf141012dc83646aee1

          SHA256

          9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9

          SHA512

          ad96e7cd9e5c3fe7ba45c82d5183210b8dc58fc72faaad71e39e129f0356e7c6db5a72e2e52b3e4e7c30cf06872eb879d3577e76f7f3dba3ba7fa2eb62d7a08b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe
          MD5

          e1f33c600d3cc76771aaa3bf940ff3fe

          SHA1

          a9bf1c6f3f08203cf10fdaf141012dc83646aee1

          SHA256

          9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9

          SHA512

          ad96e7cd9e5c3fe7ba45c82d5183210b8dc58fc72faaad71e39e129f0356e7c6db5a72e2e52b3e4e7c30cf06872eb879d3577e76f7f3dba3ba7fa2eb62d7a08b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe
          MD5

          e1f33c600d3cc76771aaa3bf940ff3fe

          SHA1

          a9bf1c6f3f08203cf10fdaf141012dc83646aee1

          SHA256

          9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9

          SHA512

          ad96e7cd9e5c3fe7ba45c82d5183210b8dc58fc72faaad71e39e129f0356e7c6db5a72e2e52b3e4e7c30cf06872eb879d3577e76f7f3dba3ba7fa2eb62d7a08b

          Download Submit

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          MD5

          d3d229033531532ad4605277912f723b

          SHA1

          4fe1657f2f982849d490723484b8267574f0ae91

          SHA256

          d8735658c47a5530d5b979368e269b6b222270cbe8889a18e1989c894d76f016

          SHA512

          293619ec9de14635c40b7947997a5e391a6eecef21de01dd256a35baad6f855771f0d9edec25cf5b96c29129945a70352e9af1456a28a09827ca5c189f45713b

          Download Submit

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
          MD5

          f032c07adf72af6df8b64d99ecead53d

          SHA1

          de8d9825a31a34c674dc5c11244611c275b8889a

          SHA256

          d53d3efcc7ea6cedc0ae3263dfe299459186cf1bbc4bc5bbe0eb38122671263c

          SHA512

          dcd3534aa8c758ef06a21e65d84ee1d6dba07d54f7e1bba6b83c68de4ac6566bdc69d5c200d34cead5b83dea7a3be6ac0de5bd22ce966791027f3d1c23e2a8f2

          Download Submit

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
          MD5

          00f6a618918d1f92c8e54b127ad33ba3

          SHA1

          2fba619625b557b214cfa7ee31c3a57a60ea183e

          SHA256

          1c66e8d1948b1eb7642530d4b891dabed9f960f2419ccff4e1b1e263a3909121

          SHA512

          3aa0824103cfa007f147ef47a14f1b3574852751d78238d1c85e04ae97349938d4eb41681372d2746db2a79828ea7c3e38f5cc3df4ab00c915c75db65a214402

          Download Submit

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
          MD5

          1c2a24505278e661eca32666d4311ce5

          SHA1

          d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee

          SHA256

          3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628

          SHA512

          ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

          Download Submit

        • \Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe
          MD5

          e1f33c600d3cc76771aaa3bf940ff3fe

          SHA1

          a9bf1c6f3f08203cf10fdaf141012dc83646aee1

          SHA256

          9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9

          SHA512

          ad96e7cd9e5c3fe7ba45c82d5183210b8dc58fc72faaad71e39e129f0356e7c6db5a72e2e52b3e4e7c30cf06872eb879d3577e76f7f3dba3ba7fa2eb62d7a08b

          Download Submit

        • \Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\systeminfo.exe
          MD5

          e1f33c600d3cc76771aaa3bf940ff3fe

          SHA1

          a9bf1c6f3f08203cf10fdaf141012dc83646aee1

          SHA256

          9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9

          SHA512

          ad96e7cd9e5c3fe7ba45c82d5183210b8dc58fc72faaad71e39e129f0356e7c6db5a72e2e52b3e4e7c30cf06872eb879d3577e76f7f3dba3ba7fa2eb62d7a08b

          Download Submit

        • memory/344-16-0x0000000000000000-mapping.dmp

          Download

        • memory/768-17-0x0000000000000000-mapping.dmp

          Download

        • memory/1064-9-0x0000000000000000-mapping.dmp

          Download

        • memory/1144-12-0x0000000000000000-mapping.dmp

          Download

        • memory/1344-19-0x0000000000000000-mapping.dmp

          Download

        • memory/1360-6-0x0000000000000000-mapping.dmp

          Download

        • memory/1552-7-0x000007FEF6500000-0x000007FEF677A000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/1732-4-0x0000000000000000-mapping.dmp

          Download

        • memory/1808-22-0x0000000000000000-mapping.dmp

          Download

        • memory/1840-14-0x0000000000000000-mapping.dmp

          Download

        • memory/1948-3-0x0000000000000000-mapping.dmp

          Download

        • memory/1976-1-0x0000000000000000-mapping.dmp

          Download

        • memory/2236-27-0x0000000000000000-mapping.dmp

          Download

        • memory/2292-28-0x0000000000000000-mapping.dmp

          Download

        • memory/2348-29-0x0000000000000000-mapping.dmp

          Download