General

  • Target

    11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

  • Size

    762KB

  • Sample

    221124-ex4jvsca2w

  • MD5

    00e90026198266ac834b0dbcd9c4f838

  • SHA1

    803603c0610b6e726edb201cb1fef3ad472a9afe

  • SHA256

    11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

  • SHA512

    2ae4c9d4fd55215fffe592daf3770c5c91e9c7970748a575226f9ee7d6c9e760a95a74509f53cf8986988454741297ece90b9a33f8f74d37c6f974684fd2a2a9

  • SSDEEP

    12288:aMmXLbRD6RGU2sTRL9JoCBGYLVvdq0xW1zoojZuKCPKSCOrPDQcciv9CUIyywCYp:tmXLbB6RG4TRXoCBGYLxxxW1soFurPK6

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7138621.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Type the address http://torproject.org in your Internet browser. It opens the Tor site. 2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.\ 3. Now you have Tor Browser. In the Tor Browser open the http://kurrmpfx6kgmsopm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints. PHMJTO-6WTIFO-RACALI-D2U4KD-A5M5PN-JGHM3H-QBNDW6-U5VQZJ WFOKTM-3I7I6S-54PDQS-3CUU2D-2OPQMR-U6PKTS-GYKKXF-XLN3EN HBWNCL-OOSR46-EZIO2B-DRYEH6-HQRJOU-JGMIJJ-S4XNGG-LARFAP 5. Follow the instructions on the server.
URLs

http://kurrmpfx6kgmsopm.onion

Extracted

Path

C:\Users\Admin\Documents\zlwdkgg.html

Ransom Note
<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> <head><body bgcolor=#424242> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.<br> Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.<br> If you see the main locker window, follow the instructions on the locker.<br> Overwise, it's seems that you or your antivirus deleted the locker program.<br> Now you have the last chance to decrypt your files.<br><br> 1. Go to site <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>.<br> 2. Press 'DOWNLOAD Tor Browser Bundle', install and run it.<br> 3. Now you have Tor Browser. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://kurrmpfx6kgmsopm.onion'>http://kurrmpfx6kgmsopm.onion</a><br> &nbsp;&nbsp;&nbsp;&nbsp;Note that this server is available via Tor Browser only.<br> &nbsp;&nbsp;&nbsp;&nbsp;Retry in 1 hour if site is not reachable.<br> 4. Copy and paste the following public key in the input form on server. Avoid missprints.</p><pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>PHMJTO-6WTIFO-RACALI-D2U4KD-A5M5PN-JGHM3H-QBNDW6-U5VQZJ WFOKTM-3I7I6S-54PDQS-3CUU2D-2OPQMR-U6PKTS-GYKKXF-XLN3EN HBWNCL-OOSR46-EZIO2B-DRYEH6-HQRJOU-JGMIJJ-S4XNGG-LARFAP</pre> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> 5. 
Follow the instructions on the server.<br><br> The list of your encrypted files:<br><a name='list'></a></p>
URLs

http-equiv='Content-Type

Extracted

Path

C:\Users\Admin\Documents\ystryfa.html

Ransom Note
<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> <head><body bgcolor=#424242> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.<br> Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.<br> If you see the main locker window, follow the instructions on the locker.<br> Overwise, it's seems that you or your antivirus deleted the locker program.<br> Now you have the last chance to decrypt your files.<br><br> 1. Go to site <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>.<br> 2. Press 'DOWNLOAD Tor Browser Bundle', install and run it.<br> 3. Now you have Tor Browser. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://kurrmpfx6kgmsopm.onion'>http://kurrmpfx6kgmsopm.onion</a><br> &nbsp;&nbsp;&nbsp;&nbsp;Note that this server is available via Tor Browser only.<br> &nbsp;&nbsp;&nbsp;&nbsp;Retry in 1 hour if site is not reachable.<br> 4. Copy and paste the following public key in the input form on server. Avoid missprints.</p><pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>7MBCPP-LUDFRV-5BMSQ4-PMCIUC-ABK253-IV3C5S-37Y5EO-EL4QYQ 3WYKGD-K2LYP6-VR3AG4-B74EBT-ZLZS6Y-HSCQZB-IK7W5D-UWBAXD P72YQU-TZFCYT-W2QOUF-A3WMWN-BBO5XL-IWA5MP-NDEEDH-OVWRGW</pre> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> 5. 
Follow the instructions on the server.<br><br> The list of your encrypted files:<br><a name='list'></a></p>

Extracted

Path

C:\Users\Admin\Documents\DecryptAllFiles 240714250.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Type the address http://torproject.org in your Internet browser. It opens the Tor site. 2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.\ 3. Now you have Tor Browser. In the Tor Browser open the http://kurrmpfx6kgmsopm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints. 7MBCPP-LUDFRV-5BMSQ4-PMCIUC-ABK253-IV3C5S-37Y5EO-EL4QYQ 3WYKGD-K2LYP6-VR3AG4-B74EBT-ZLZS6Y-HSCQZB-IK7W5D-UWBAXD P72YQU-TZFCYT-W2QOUF-A3WMWN-BBO5XL-IWA5MP-NDEEDH-OVWRGW 5. Follow the instructions on the server.
URLs

http://kurrmpfx6kgmsopm.onion

Targets

    • Target

      11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

    • Size

      762KB

    • MD5

      00e90026198266ac834b0dbcd9c4f838

    • SHA1

      803603c0610b6e726edb201cb1fef3ad472a9afe

    • SHA256

      11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

    • SHA512

      2ae4c9d4fd55215fffe592daf3770c5c91e9c7970748a575226f9ee7d6c9e760a95a74509f53cf8986988454741297ece90b9a33f8f74d37c6f974684fd2a2a9

    • SSDEEP

      12288:aMmXLbRD6RGU2sTRL9JoCBGYLVvdq0xW1zoojZuKCPKSCOrPDQcciv9CUIyywCYp:tmXLbB6RG4TRXoCBGYLxxxW1soFurPK6

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks