Overview

overview

10

Static

static

250684f6de...43.exe

windows7-x64

10

250684f6de...43.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743

  • Size

    1009KB

  • Sample

    221128-e3cckaaf7s

  • MD5

    63280dedabfe7caec283920f1b5ee3dd

  • SHA1

    5efc119e54f35770a9dae6997b550982c82cc86b

  • SHA256

    250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743

  • SHA512

    45e0108743f5922352980565df9f24ac1bddf8b15aca4e00a58affd8bc9136eee5144fa53fa91c2a76cd0bdbbc366b41f9b9d978da88328ef7c91ff55c6a9983

  • SSDEEP

    12288:RKfc7b5LkodZkB0YH6lmtSOE2UfQS/x1W5bUPodfCEVYHBF60GRGq4B:RKE7ttoBEmN3a/x1wBYh0I

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files yqyhzxi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://65y3g34c4zk3xkh2.onion.cab or http://65y3g34c4zk3xkh2.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://65y3g34c4zk3xkh2.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. IIWDFT-JZHCB6-SGAUJH-PENPL5-2VDDDP-CEAEE6-QJ6D37-WHTV7E JW5MRG-6W54PT-CGVNL6-YZLGCV-UIP6V3-STKOYS-KQRVR2-VZWNML HWW2CP-3KHEVJ-ZCGPW4-BJY5MH-G5BUY6-KVY36F-KY5FST-TGVPWX Follow the instructions on the server.
URLs

http://65y3g34c4zk3xkh2.onion.cab

http://65y3g34c4zk3xkh2.tor2web.org

http://65y3g34c4zk3xkh2.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note
<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> </head><body bgcolor=#424242 onLoad="window.location='#list';"> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.<br> Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.<br> If you see the main locker window, follow the instructions on the locker.<br> Overwise, it's seems that you or your antivirus deleted the locker program.<br> Now you have the last chance to decrypt your files.<br><br> Open <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://65y3g34c4zk3xkh2.onion.cab'>http://65y3g34c4zk3xkh2.onion.cab</a> or <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://65y3g34c4zk3xkh2.tor2web.org'>http://65y3g34c4zk3xkh2.tor2web.org</a> in your browser. They are public gates to the secret server. <br><br> If you have problems with gates, use direct connection:<br><br> 1. Download Tor Browser from <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>.<br> 2. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://65y3g34c4zk3xkh2.onion'>http://65y3g34c4zk3xkh2.onion</a><br> &nbsp;&nbsp;&nbsp;&nbsp;Note that this server is available via Tor Browser only.<br> &nbsp;&nbsp;&nbsp;&nbsp;Retry in 1 hour if site is not reachable.<br> Copy and paste the following public key in the input form on server. Avoid missprints.</p><pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>IIWDFT-JZHCB6-SGAUJH-PENPL5-2VDDDP-CEAEE6-QJ6D37-WHTV7E JW5MRG-6W54PT-CGVNL6-YZLGCV-UIP6V3-STKOYS-KQRVR2-VZWNML HWW2CP-3KHEVJ-ZCGPW4-BJY5MH-G5BUY6-KVY36F-KY5FST-TGVPWX</pre> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Follow the instructions on the server.<br><br> <a name='list'>The list of your encrypted files:</a></p> <table style='font-family:Tahoma;font-size:12px;color:#FFFFFF;border-color:#A0A0A0' cellspacing=0 cellpadding=5 border=1> <tr><th><b>File</b></th><th><b>Path</b></th></tr> <tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\</td></tr><tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\</td></tr><tr><td>README.TXT</td><td>C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>Mso Example Setup File A.TXT</td><td>C:\Program Files\Microsoft Office\Office14\</td></tr><tr><td>Mso Example Intl Setup File B.TXT</td><td>C:\Program Files\Microsoft Office\Office14\1033\</td></tr><tr><td>Mso Example Intl Setup File A.TXT</td><td>C:\Program Files\Microsoft Office\Office14\1033\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jre7\bin\server\</td></tr><tr><td>readme.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>License.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\lib\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jre7\lib\</td></tr><tr><td>io.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>af.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ms.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ast.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\lua\http\requests\</td></tr><tr><td>br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THANKS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>ku.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sq.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>va.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>et.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uz.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ro.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fur.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ext.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lij.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>an.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-tw.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kaa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-cn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>da.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ga.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>id.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>vi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kab.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ps.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>is.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cs.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ca.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt-br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>az.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>he.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>de.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>it.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>es.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ko.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>co.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>yo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ba.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\</td></tr><tr><td>ug.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ja.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spc.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>be.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ku-ckb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ar.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ky.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ta.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bg.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ne.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ru.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pa-in.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>th.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>si.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>el.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ka.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>COPYING.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>sa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AUTHORS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>mng.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mng2.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\</td></tr><tr><td>History.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>NEWS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>METCONV.TXT</td><td>C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\</td></tr><tr><td>Thawte Root Certificate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\</td></tr><tr><td>Adobe Root Certificate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\</td></tr><tr><td>AdobeAUM_rootCert.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>AdobeUpdate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>AdobeUpdater.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>PROTTPLN.DOC</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>PROTTPLV.DOC</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>RestoreCopy.DOC</td><td>C:\Program Files\</td></tr><tr><td>vcredist2010_x64.log-MSI_vc_red.msi.TXT</td><td>C:\</td></tr><tr><td>vcredist2010_x86.log-MSI_vc_red.msi.TXT</td><td>C:\</td></tr><tr><td>VeriSign_Class_3_Public_Primary_CA.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>SignedManagedObjects.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\</td></tr><tr><td>SignedComponents.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\</td></tr><tr><td>VS_ComponentSigningIntermediate.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>VeriSign_Class_3_Code_Signing_2001-4_CA.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>Management.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\</td></tr><tr><td>RELAY.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\</td></tr><tr><td>AccessBridgeCalls.C</td><td>C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\</td></tr><tr><td>viewDblClick.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>autoconfig.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>viewSelectionChanged.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>channel-prefs.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>MENUS.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>ui.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>common.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>Hierarchy.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>controllers.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>SUBMIT.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>ut
URLs

http-equiv='Content-Type

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://65y3g34c4zk3xkh2.onion.cab or http://65y3g34c4zk3xkh2.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://65y3g34c4zk3xkh2.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: File Path
URLs

http://65y3g34c4zk3xkh2.onion.cab

http://65y3g34c4zk3xkh2.tor2web.org

http://65y3g34c4zk3xkh2.onion

Targets

    • Target

      250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743

    • Size

      1009KB

    • MD5

      63280dedabfe7caec283920f1b5ee3dd

    • SHA1

      5efc119e54f35770a9dae6997b550982c82cc86b

    • SHA256

      250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743

    • SHA512

      45e0108743f5922352980565df9f24ac1bddf8b15aca4e00a58affd8bc9136eee5144fa53fa91c2a76cd0bdbbc366b41f9b9d978da88328ef7c91ff55c6a9983

    • SSDEEP

      12288:RKfc7b5LkodZkB0YH6lmtSOE2UfQS/x1W5bUPodfCEVYHBF60GRGq4B:RKE7ttoBEmN3a/x1wBYh0I

    Score
    10/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Tasks