Overview

overview

10

Static

static

392e471bab...le.exe

windows7_x64

10

392e471bab...le.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe

  • Size

    125KB

  • MD5

    c4472cd02b1396ca49935f029db6a8ec

  • SHA1

    fa4891fc8416a191d255fc186ef534d022d665e2

  • SHA256

    392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270

  • SHA512

    4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

Score
10/10
cerbergozi_rm3bankerevasionpersistenceransomwarespywarestealersuricatatrojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055 | | 2. http://cerberhhyed5frqa.onion.cab/AA89-A485-DC83-0006-4055 | | 3. http://cerberhhyed5frqa.onion.nu/AA89-A485-DC83-0006-4055 | | 4. http://cerberhhyed5frqa.onion.link/AA89-A485-DC83-0006-4055 | | 5. http://cerberhhyed5frqa.tor2web.org/AA89-A485-DC83-0006-4055 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/AA89-A485-DC83-0006-4055 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.onion.cab/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.onion.nu/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.onion.link/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.tor2web.org/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.onion/AA89-A485-DC83-0006-4055

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note
C E R B E R R A N S O M W A R E Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: decrypt all your files; work with your documents; view your photos and other media; continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page below: http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055 http://cerberhhyed5frqa.onion.cab/AA89-A485-DC83-0006-4055 http://cerberhhyed5frqa.onion.nu/AA89-A485-DC83-0006-4055 http://cerberhhyed5frqa.onion.link/AA89-A485-DC83-0006-4055 http://cerberhhyed5frqa.tor2web.org/AA89-A485-DC83-0006-4055 What should you do with these addresses? If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055); select it with the mouse cursor holding the left mouse button and moving the cursor to the right; release the left mouse button and press the right one; select "Copy" in the appeared menu; run your Internet browser (if you do not know what it is run the Internet Explorer); move the mouse cursor to the address bar of the browser (this is the place where the site address is written); click the right mouse button in the field where the site address is written; select the button "Insert" in the appeared menu; then you will see the address http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055 appeared there; press ENTER; the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055); in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://cerberhhyed5frqa.onion/AA89-A485-DC83-0006-4055 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.onion.cab/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.onion.nu/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.onion.link/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.tor2web.org/AA89-A485-DC83-0006-4055

http://cerberhhyed5frqa.onion/AA89-A485-DC83-0006-4055

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • suricata: ET MALWARE Ransomware/Cerber Checkin 2
    suricata
  • suricata: ET MALWARE Ransomware/Cerber Checkin M3 (11)
    suricata
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
      "C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1688
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:968
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:596
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "netbtugc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2252
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "netbtugc.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2288
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2332
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1604
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:1808
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {798E8EE4-CE89-484A-85CE-128FA6F0A739} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
        • C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1708
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:284
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:1736
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x1ac
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2052

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        4
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        2
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2793DFD1-EE15-11EB-A1A8-4E3F7CC12DEF}.dat
          MD5

          88f9c1ed07689da90ed772afc774aeaa

          SHA1

          bc857b521917fd93e79ca015dca146caf8798c51

          SHA256

          f6a158ea4cefdb5e114e8549fd46ae311735fe2098bab1bbc96ba3dbee4627cb

          SHA512

          f10f900c136c75e6047715090979fd8f0b5e8326a88dc225eda2db4e300268d6f30227b02e66e4f3dd508093b1cb69f81bf1b3e8c88aec9db906e1a30cb21aae

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BX2OIPZX.txt
          MD5

          1885da683e864a5583304108e404d52c

          SHA1

          75832c5ad2b4f9e35a9e97c5ffd4f07cfac584ee

          SHA256

          0db22dad3b3582a8c8b97e17355ee2cf3bf0d9b9c7cfdef7896561e14be89937

          SHA512

          8d0377dc4938bfc7b291af4b62d8398975176e732aeb4fed400e4c6ecb2bb398a65aa3a60135864e8867defd11aa753e602d52275fac669e801d9107fa78edd4

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk
          MD5

          be96320ca5a5a8f59a1dfee89e38f48f

          SHA1

          45322b03fe27f085af081b7cbc775ce40a2f5306

          SHA256

          782157a48c63f8f94c9a5d94930154e7ae7d108c9ae332c83545906d26e26fcb

          SHA512

          04b2731267d5d38873fd8b3d76f7a3e87de135ff6177d9866be972b1b3a2e3a635ec81d8539302652d660e3e19e5cf446ca7d77e782971d559f4bbe1c880281b

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          MD5

          c4472cd02b1396ca49935f029db6a8ec

          SHA1

          fa4891fc8416a191d255fc186ef534d022d665e2

          SHA256

          392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270

          SHA512

          4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          MD5

          c4472cd02b1396ca49935f029db6a8ec

          SHA1

          fa4891fc8416a191d255fc186ef534d022d665e2

          SHA256

          392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270

          SHA512

          4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          MD5

          c4472cd02b1396ca49935f029db6a8ec

          SHA1

          fa4891fc8416a191d255fc186ef534d022d665e2

          SHA256

          392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270

          SHA512

          4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

          Download Submit
        • C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          MD5

          c4472cd02b1396ca49935f029db6a8ec

          SHA1

          fa4891fc8416a191d255fc186ef534d022d665e2

          SHA256

          392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270

          SHA512

          4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          MD5

          29f3992f5b736f4796747e2437db1455

          SHA1

          ce2ea958b6e5e582c1d8ea2706779d9043e79415

          SHA256

          eb371d87cce75a4721e2b98813f55a456d0cc51ec2ba5b71ea5e92686e3128dc

          SHA512

          8ca15269d0239184f2b12c24dd66c2ccd991db586d7b421b25ff41daca0b9c8a7776fd36b2746b7668eb27fd0e29c5d1214fe9945697a93a6b69344180c43dba

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
          MD5

          a4c21ea85a9644f3a242162edf0af2fa

          SHA1

          66c9add6a0fa9fdf73f74c913dca80ce7908cce2

          SHA256

          4d649d393ac635edbe27c229491e32f3f3e19cb03fa5833b159a168ad915a0de

          SHA512

          6f1563309ee0a9b4ea97767449ea11754f27c3fc1dbf5d94ee691461b62ed598c7ae2a356ab2a1d4048682a0da2c21c43c36552cd594494d6bebc1254be1602a

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
          MD5

          b7b8d8cc95bada01b98441251f88dcf4

          SHA1

          eb1e99ea487a7553474cf05bbb64010a27cd0e75

          SHA256

          1a3ae88eb88d48e8baf3caa792d7d41538ccfd7bc8d48cf86920b6952247373c

          SHA512

          19c6865ba3de6206debd10f3a7815ba4c07d5e35aefccd3a47a4dba5b8ca2dfd195827bc27a21a8d74504f486c1797485a3eb29e6e237a4d9623f781c2b31022

          Download Submit
        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
          MD5

          9d8c4bfbd009c4d6001e2125abaa8b02

          SHA1

          cd040558172b5fca5b200447a281843956243741

          SHA256

          a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

          SHA512

          c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

          Download Submit
        • \Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          MD5

          c4472cd02b1396ca49935f029db6a8ec

          SHA1

          fa4891fc8416a191d255fc186ef534d022d665e2

          SHA256

          392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270

          SHA512

          4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

          Download Submit
        • \Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          MD5

          c4472cd02b1396ca49935f029db6a8ec

          SHA1

          fa4891fc8416a191d255fc186ef534d022d665e2

          SHA256

          392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270

          SHA512

          4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

          Download Submit
        • \Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
          MD5

          c4472cd02b1396ca49935f029db6a8ec

          SHA1

          fa4891fc8416a191d255fc186ef534d022d665e2

          SHA256

          392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270

          SHA512

          4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

          Download Submit
        • memory/284-85-0x0000000000000000-mapping.dmp
          Download
        • memory/596-90-0x0000000000000000-mapping.dmp
          Download
        • memory/968-77-0x0000000000000000-mapping.dmp
          Download
        • memory/1280-63-0x0000000000000000-mapping.dmp
          Download
        • memory/1544-68-0x0000000000000000-mapping.dmp
          Download
        • memory/1604-67-0x0000000000000000-mapping.dmp
          Download
        • memory/1660-60-0x00000000752F1000-0x00000000752F3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1680-76-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1680-75-0x0000000000000000-mapping.dmp
          Download
        • memory/1688-83-0x0000000000000000-mapping.dmp
          Download
        • memory/1708-80-0x0000000000000000-mapping.dmp
          Download
        • memory/1752-71-0x0000000000000000-mapping.dmp
          Download
        • memory/1808-69-0x0000000000000000-mapping.dmp
          Download
        • memory/2252-92-0x0000000000000000-mapping.dmp
          Download
        • memory/2288-93-0x0000000000000000-mapping.dmp
          Download
        • memory/2332-94-0x0000000000000000-mapping.dmp
          Download