Overview

overview

10

Static

static

735e27f460...b0.exe

windows7_x64

10

735e27f460...b0.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-11-2020 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    735e27f460be6edce9f0cd5c0d0972b0.exe

  • Size

    173KB

  • MD5

    2df254dce86ca636e77f4ad422d21da4

  • SHA1

    4efa723962bc64e753742f5fdeec4dc1c2985a51

  • SHA256

    a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e

  • SHA512

    9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd

Score
10/10
ursnif_rm3bankerevasionpersistenceransomwarespywaretrojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Ransom Note
CERBER RANSOMWARE ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415 | | 2. http://cerberhhyed5frqa.onion.cab/83B4-FED4-14BB-0000-0415 | | 3. http://cerberhhyed5frqa.onion.nu/83B4-FED4-14BB-0000-0415 | | 4. http://cerberhhyed5frqa.onion.link/83B4-FED4-14BB-0000-0415 | | 5. http://cerberhhyed5frqa.tor2web.org/83B4-FED4-14BB-0000-0415 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/83B4-FED4-14BB-0000-0415 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.onion.cab/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.onion.nu/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.onion.link/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.tor2web.org/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415);

http://cerberhhyed5frqa.onion/83B4-FED4-14BB-0000-0415

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note
CERBER RANSOMWARE Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415 http://cerberhhyed5frqa.onion.cab/83B4-FED4-14BB-0000-0415 http://cerberhhyed5frqa.onion.nu/83B4-FED4-14BB-0000-0415 http://cerberhhyed5frqa.onion.link/83B4-FED4-14BB-0000-0415 http://cerberhhyed5frqa.tor2web.org/83B4-FED4-14BB-0000-0415 What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415 appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://cerberhhyed5frqa.onion/83B4-FED4-14BB-0000-0415 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.onion.cab/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.onion.nu/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.onion.link/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.tor2web.org/83B4-FED4-14BB-0000-0415

http://cerberhhyed5frqa.onion.to/83B4-FED4-14BB-0000-0415);

http://cerberhhyed5frqa.onion/83B4-FED4-14BB-0000-0415

Signatures

  • Ursnif RM3

    A heavily modified version of Ursnif discovered in the wild.

    bankertrojanursnif_rm3
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\735e27f460be6edce9f0cd5c0d0972b0.exe
    "C:\Users\Admin\AppData\Local\Temp\735e27f460be6edce9f0cd5c0d0972b0.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
      "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:880
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1200
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:592
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1560
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1904
          • C:\Windows\SysWOW64\cmd.exe
            /d /c taskkill /t /f /im "ntoskrnl.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2292
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /t /f /im "ntoskrnl.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2328
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2372
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "735e27f460be6edce9f0cd5c0d0972b0.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\735e27f460be6edce9f0cd5c0d0972b0.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1100
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "735e27f460be6edce9f0cd5c0d0972b0.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:1416
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {760246CC-2274-42A1-8FCC-3809EBBB384B} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1336
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1624
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1336
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:944
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:608
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x57c
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:948

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Modify Existing Service

        1
        T1031

        Privilege Escalation

        Defense Evasion

        File Deletion

        2
        T1107

        Modify Registry

        4
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        2
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{931CBB41-28CC-11EB-B2E7-DA78EDA9FF87}.dat
          MD5

          07dc4c3050321b9fad2ce95b0e58f34e

          SHA1

          a2b3034d04eb43e2a4b739b81a18e55dd3dd2825

          SHA256

          0079aeaedb11cb1ee1ca459fae085a2437bfc93721b482c7f19e8eff1b62af69

          SHA512

          7f193e6dbabb5fec0d4568f1cd69b8d0dca321f26b7d83eb186e4b0002679a5469b5da33fd96e0cdf24e7445adc550ca76265b69ab12e9eb66afb6c10fe6ef39

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{935F61C1-28CC-11EB-B2E7-DA78EDA9FF87}.dat
          MD5

          36c415e9b18e22ff449d335eaff29174

          SHA1

          e95bab7ef785f73309b80d53a0d9a03888239125

          SHA256

          c0730abc3cba3afe1110feb26600c5e6af2ac73e5f93ff47addd88cd075329b1

          SHA512

          141bfae704ea5d8c439134979f1eb07121d43115e0c944233d6c3193bd99283ff97b7e349038a73d6c0bf5f2b9389fcb9dc492026291b0a3bbb4498ca72ee6b0

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9P63FQLK.txt
          MD5

          79cfc051ab86c4d1e6dfa506664998ed

          SHA1

          30b2f9746d73f1ccfe4f2162828a8d64396f39a9

          SHA256

          c349d6e390b140a1defd2cdcb0ebe657b4f98882a4de5c45dfc5387192849351

          SHA512

          df4c464e9460b6e31f617405e5e8343673ff2aca555fc470140f018f09872d170356bad33798c2a3dd79384a08f757d17f21b64f6c5d199f5e870bfb6b887dbc

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ntoskrnl.lnk
          MD5

          eabd3457531a23a471f8ba43801c0de8

          SHA1

          6cdad3f77c9f6f32f96f137d8d890a7e95138096

          SHA256

          f040234547286966a25e3f2ffd42e5f9f66e5daaa4462fb58a21ccc98f88c7ca

          SHA512

          f4749e9fcdb8e571f6f8ebe4444c8f613e9af84812bfa77ccbebf5cedeafc00b613a94011212171c56443695cf4d02f4b6e0ac7d485f7b583bd9ed769cc88774

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          MD5

          2df254dce86ca636e77f4ad422d21da4

          SHA1

          4efa723962bc64e753742f5fdeec4dc1c2985a51

          SHA256

          a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e

          SHA512

          9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          MD5

          2df254dce86ca636e77f4ad422d21da4

          SHA1

          4efa723962bc64e753742f5fdeec4dc1c2985a51

          SHA256

          a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e

          SHA512

          9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          MD5

          2df254dce86ca636e77f4ad422d21da4

          SHA1

          4efa723962bc64e753742f5fdeec4dc1c2985a51

          SHA256

          a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e

          SHA512

          9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          MD5

          2df254dce86ca636e77f4ad422d21da4

          SHA1

          4efa723962bc64e753742f5fdeec4dc1c2985a51

          SHA256

          a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e

          SHA512

          9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          MD5

          bb7e4fe4b4d83cd3b314871b2dc44034

          SHA1

          429f37dc498dd31afe73dbb3c862bb7d45934f5c

          SHA256

          c59a0c7c71e1192b2563fe4f14a517c2514e12a6cbe4b4920c47ffb6b57c9750

          SHA512

          4f4fe4c6c23f69177de192a45607da3c9a3cd34ea7dcbdc2de389cd4776066c698379b10390757686f8a3e630981d562f738f7aba30db41c01a2d20cd89f0570

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
          MD5

          013cd64789c31ccf486c6e35b2b01cdc

          SHA1

          ad816730637ebdefa35405c404c5469672529427

          SHA256

          234d8899dc13ca14cf534146197513ad8b777b3f956507483b7ca5e0ca3c3dc9

          SHA512

          bba1b9a79c7af6fd7d8416f9e1f1822df0ce06def53d7e9d7a2a85b5597fb2f24502efc008b70d5f04de55db837fdfc8460b5c0b07b4d49568706a58921a88ac

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
          MD5

          a70761d9300adc2a8c0b740421a85619

          SHA1

          7ffee74be402380fc864f8c76103a0660e7b8d1d

          SHA256

          c44c86d4f500dc18f40c3f275dec339d9f80a2f545af2a6340a3ebff55d0654e

          SHA512

          c9972d4b6c375f9ae0f151639ffa77ce7286ef602d6578e79cb787c93a5cc39ac3725c670d4a5ab8f1a60271013fa84125d2ee3e842c511458fa3e5ac085d006

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
          MD5

          e885e348f83d97db3deb82ed43a64eeb

          SHA1

          931f6266326fb778117d52d9e74eb9b8545bb2f2

          SHA256

          bf4b1b2372317eb80d719b452100e9538ea7d44f5e168a7e59d0aecfebf5b660

          SHA512

          4fee5c7cf95a5930062eea507911d172644c73c592291a520230eca5bb27009923cf03f0b6bdc1912eee841dcc561f82b4071265e75787801a07547650d1be44

          Download Submit
        • \Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          MD5

          2df254dce86ca636e77f4ad422d21da4

          SHA1

          4efa723962bc64e753742f5fdeec4dc1c2985a51

          SHA256

          a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e

          SHA512

          9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd

          Download Submit
        • \Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\ntoskrnl.exe
          MD5

          2df254dce86ca636e77f4ad422d21da4

          SHA1

          4efa723962bc64e753742f5fdeec4dc1c2985a51

          SHA256

          a1a1e34dbc30a46811f5b717f808908412aa6f3d6840aa526d5c0154e008558e

          SHA512

          9cc70f4525162dfeedba5c3ec421fbf219596077824489cd74d3bc9038c00d96210396312a7426416db1df62d3cad7b71167145aaa1ff8c3623645ffcfa53acd

          Download Submit
        • memory/284-11-0x000007FEF7850000-0x000007FEF7ACA000-memory.dmp
          Filesize

          2.5MB

          Download
        • memory/592-20-0x0000000000000000-mapping.dmp
          Download
        • memory/880-6-0x0000000000000000-mapping.dmp
          Download
        • memory/944-21-0x0000000000000000-mapping.dmp
          Download
        • memory/1100-4-0x0000000000000000-mapping.dmp
          Download
        • memory/1144-16-0x0000000000000000-mapping.dmp
          Download
        • memory/1200-8-0x0000000000000000-mapping.dmp
          Download
        • memory/1232-1-0x0000000000000000-mapping.dmp
          Download
        • memory/1232-17-0x0000000003D60000-0x0000000003D70000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1232-37-0x0000000003790000-0x00000000037A2000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1336-12-0x0000000000000000-mapping.dmp
          Download
        • memory/1416-9-0x0000000000000000-mapping.dmp
          Download
        • memory/1560-18-0x0000000000000000-mapping.dmp
          Download
        • memory/1624-14-0x0000000000000000-mapping.dmp
          Download
        • memory/1624-7-0x0000000000000000-mapping.dmp
          Download
        • memory/1904-27-0x0000000000000000-mapping.dmp
          Download
        • memory/2292-38-0x0000000000000000-mapping.dmp
          Download
        • memory/2328-39-0x0000000000000000-mapping.dmp
          Download
        • memory/2372-40-0x0000000000000000-mapping.dmp
          Download