Overview

overview

10

Static

static

28b2811188...8e.exe

windows7_x64

10

28b2811188...8e.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-11-2020 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e.exe

  • Size

    270KB

  • MD5

    1e97fda428488834e73a9d21f45905ca

  • SHA1

    349780006801787b966a14ff7b9b7d5d0872feb6

  • SHA256

    28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

  • SHA512

    5e6848598bb9e51df29237e3154a1f271b4b6ccb474f34c0bfbc0682a53d2e41c84214a1405d63e85dcaee95e83049a465d58ede46a6d1a1324eaf3a13a19fb9

Score
10/10
cerberursnif_rm3bankerevasionpersistenceransomwarespywaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5 | | 2. http://bqyjebfh25oellur.onion.cab/1128-E828-FA7D-0072-88D5 | | 3. http://bqyjebfh25oellur.onion.nu/1128-E828-FA7D-0072-88D5 | | 4. http://bqyjebfh25oellur.onion.link/1128-E828-FA7D-0072-88D5 | | 5. http://bqyjebfh25oellur.tor2web.org/1128-E828-FA7D-0072-88D5 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://bqyjebfh25oellur.onion/1128-E828-FA7D-0072-88D5 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.onion.cab/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.onion.nu/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.onion.link/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.tor2web.org/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.onion/1128-E828-FA7D-0072-88D5

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note
C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerber Ransomware". If you are reading this message it means the software "Cerber" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: Please wait... http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5(Get a NEW address!) http://bqyjebfh25oellur.onion.cab/1128-E828-FA7D-0072-88D5 http://bqyjebfh25oellur.onion.nu/1128-E828-FA7D-0072-88D5 http://bqyjebfh25oellur.onion.link/1128-E828-FA7D-0072-88D5 http://bqyjebfh25oellur.tor2web.org/1128-E828-FA7D-0072-88D5 What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is Please wait... http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address Please wait... http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5 appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is Please wait... http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://bqyjebfh25oellur.onion/1128-E828-FA7D-0072-88D5 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5(Get

http://bqyjebfh25oellur.onion.cab/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.onion.nu/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.onion.link/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.tor2web.org/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5);

http://bqyjebfh25oellur.onion.to/1128-E828-FA7D-0072-88D5

http://bqyjebfh25oellur.onion/1128-E828-FA7D-0072-88D5

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

    bankertrojanursnif_rm3
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • JavaScript code in executable 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 15 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 240 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e.exe
    "C:\Users\Admin\AppData\Local\Temp\28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe
      "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:616
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1212
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:537601 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1084
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1432
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1552
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "setx.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "setx.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2184
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2336
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1212
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1100
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:1252
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {DAE8DB98-746F-4134-A995-709CBFB654B1} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe
          C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:932
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1860
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:1988
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x584
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1848

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        4
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          ae744fd4eac004aad11ca0dce2bb8392

          SHA1

          3514f9aba24d47e7108d598b9d310ce771344d9e

          SHA256

          4fb119871704d8c13c37b26b9d80626c7c8c6acbcc1b0a32fea88ba73c6d56b0

          SHA512

          67e437463e0d444b707c0992c645a1a961ccb56866d825bd59af1c4c6479a616300fcabbb63324840e6e8bfb05badd81f9bbfe6032616b03d09ace88336d5791

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E4AC1F1-27A0-11EB-B97E-C2515532CB8E}.dat
          MD5

          d032479753584616c5106221ffdc40d3

          SHA1

          7b2408d33921735616089f8d18b6ced42c546455

          SHA256

          6e04a6993f4ba3c7230b735eab2caa6eea909ad09791ea25571cecd044caea3f

          SHA512

          c9805109b725a110ae5b188f0dce0408037d64fd9dac1da4769b4f8556f8fab065d7c9ba16b8e7dec29bd2078e812c2f443b7ae41e5c292f01cd8b82469a7595

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4I1MNQYY.txt
          MD5

          b372cf1dae4eddfde139c3da841fbc7d

          SHA1

          a92be9ac6cde1faa7d1d299f8228ea7e186c89e3

          SHA256

          5d8be29a394119ecb88f45e65a69129a80a9a9524f108a17551d23ff5eb54a3f

          SHA512

          3ab103d94fdb2c75b83aa77c85b2a555b553fc18b6b9d850e7eb8a94b4816d109d1a88c57f224f912cc9a45a3414484adcb9bf6cc97ef37978935f20addad1c5

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I90W50W6.txt
          MD5

          845c940e8ef6c924b1211b4d3124d23f

          SHA1

          96152cf06232025122fba2a9dd837f5c3df00f9f

          SHA256

          8d228bdb9a5c94beb888fae1789052b6995acbe791f9eb2bc9510e2bed49e0fa

          SHA512

          8de93683adb8d17bec5034aead33cb4823e4bca61a4140d062244b395ffa3553ce144121ececedfb7df25be236151be13f0039c1fc7c38a6e88903808eefb217

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\setx.lnk
          MD5

          9022c261cd1e36d3628d4b44fe87e831

          SHA1

          e782e600c5c11385067339a8f1243235e7e62823

          SHA256

          b31baf38b56edfe4c606e845d1c5e6656fb7c2b47fd31f1638f9517f7b396957

          SHA512

          c22f8151c7bbdb1617dd8f3f408be630b89fea073b8fd4f6416899f7532fae7aa871dd3d0d311326b58c97c53ccbe2bdddfb3023aac6fef79fd8266ec9f81063

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe
          MD5

          1e97fda428488834e73a9d21f45905ca

          SHA1

          349780006801787b966a14ff7b9b7d5d0872feb6

          SHA256

          28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

          SHA512

          5e6848598bb9e51df29237e3154a1f271b4b6ccb474f34c0bfbc0682a53d2e41c84214a1405d63e85dcaee95e83049a465d58ede46a6d1a1324eaf3a13a19fb9

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe
          MD5

          1e97fda428488834e73a9d21f45905ca

          SHA1

          349780006801787b966a14ff7b9b7d5d0872feb6

          SHA256

          28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

          SHA512

          5e6848598bb9e51df29237e3154a1f271b4b6ccb474f34c0bfbc0682a53d2e41c84214a1405d63e85dcaee95e83049a465d58ede46a6d1a1324eaf3a13a19fb9

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe
          MD5

          1e97fda428488834e73a9d21f45905ca

          SHA1

          349780006801787b966a14ff7b9b7d5d0872feb6

          SHA256

          28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

          SHA512

          5e6848598bb9e51df29237e3154a1f271b4b6ccb474f34c0bfbc0682a53d2e41c84214a1405d63e85dcaee95e83049a465d58ede46a6d1a1324eaf3a13a19fb9

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          MD5

          063b4c2cf5804805b75277dd33fa58d8

          SHA1

          eb0023ecd4ddaede699aa731097cb40589875bcc

          SHA256

          6204c5231e7a7392f2bf5fee0024abb5789b94495d48582ea99efbeac2515931

          SHA512

          5874cc02556f178da051ecd7016ecd92635a259b49947af1032053e33a931dd33b7b96669ea115b3fe8349b4a2034ccc62144699ceecfc9a0f5dfa08695a492f

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
          MD5

          72065898fbfa8a0b97d6abbf4d79cd53

          SHA1

          1cfbc6ff0369ba2bdad9e25f3f8086776c699e2b

          SHA256

          4e6d29a9e63a0d5a6e441b407c2ea141fd1828bce0e77380147fe23843c32f1e

          SHA512

          e8cf4d4b238863d9392912ed8da5267f0a6f86f57dd3c7359ec0d07c1bec3475ca73a639eb198a5ee34783cd39be0825527f2a639074ed83e256577224412a1f

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
          MD5

          43449685187ddd99c1c54abf57b9bc50

          SHA1

          f931edace50c494a11a977c86c2638fae1f2d40f

          SHA256

          606daecb0253483368944e6343576a540c248c41f87c807e99cc80c04a83bf13

          SHA512

          8abf3fdc9c52ff4715d1ffb2fee07f25ea82fa937eb300984454e283c48bd6778159fdbb17f77ecec0d0a6c58a66e73c2b262dd97909c8005f25d399d022b337

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
          MD5

          1c2a24505278e661eca32666d4311ce5

          SHA1

          d1deb57023bbe38a33f0894b6a9a7bbffbfdeeee

          SHA256

          3f0dc6126cf33e7aa725df926a1b7d434eaf62a69f42e1b8ae4c110fd3572628

          SHA512

          ce866f2c4b96c6c7c090f4bf1708bfebdfcd58ce65a23bdc124a13402ef4941377c7e286e6156a28bd229e422685454052382f1f532545bc2edf07be4861b36c

          Download Submit
        • \Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe
          MD5

          1e97fda428488834e73a9d21f45905ca

          SHA1

          349780006801787b966a14ff7b9b7d5d0872feb6

          SHA256

          28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

          SHA512

          5e6848598bb9e51df29237e3154a1f271b4b6ccb474f34c0bfbc0682a53d2e41c84214a1405d63e85dcaee95e83049a465d58ede46a6d1a1324eaf3a13a19fb9

          Download Submit
        • \Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\setx.exe
          MD5

          1e97fda428488834e73a9d21f45905ca

          SHA1

          349780006801787b966a14ff7b9b7d5d0872feb6

          SHA256

          28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

          SHA512

          5e6848598bb9e51df29237e3154a1f271b4b6ccb474f34c0bfbc0682a53d2e41c84214a1405d63e85dcaee95e83049a465d58ede46a6d1a1324eaf3a13a19fb9

          Download Submit
        • memory/616-1-0x0000000000000000-mapping.dmp
          Download
        • memory/892-12-0x0000000000000000-mapping.dmp
          Download
        • memory/932-9-0x0000000000000000-mapping.dmp
          Download
        • memory/1084-18-0x0000000000000000-mapping.dmp
          Download
        • memory/1100-4-0x0000000000000000-mapping.dmp
          Download
        • memory/1212-3-0x0000000000000000-mapping.dmp
          Download
        • memory/1212-15-0x0000000000000000-mapping.dmp
          Download
        • memory/1252-6-0x0000000000000000-mapping.dmp
          Download
        • memory/1432-13-0x0000000000000000-mapping.dmp
          Download
        • memory/1552-21-0x0000000000000000-mapping.dmp
          Download
        • memory/1860-16-0x0000000000000000-mapping.dmp
          Download
        • memory/2008-7-0x000007FEF61D0000-0x000007FEF644A000-memory.dmp
          Filesize

          2.5MB

          Download
        • memory/2136-26-0x0000000000000000-mapping.dmp
          Download
        • memory/2184-27-0x0000000000000000-mapping.dmp
          Download
        • memory/2336-33-0x0000000000000000-mapping.dmp
          Download