48b2d206eb6b4d2e08e7a088d09d40ef7cd2075fcaf84470d70c9b6769c7e99e

Sharing

Copy URL

Twitter E-mail

General

Target

XP Pack for 10 - 2013Windows8.1.zip
Size

57.6MB
Sample

221224-xstg7sae22
MD5

9626c0f7310723f26efef5270bf7ba9a
SHA1

5e16842d07316e3626d8a04486a421113e621004
SHA256

48b2d206eb6b4d2e08e7a088d09d40ef7cd2075fcaf84470d70c9b6769c7e99e
SHA512

6498677cabefa417e11d7f97f459077ea3509f5d07893598ed14fed467edcec633ff9ca3bdc47d72cbfe428af4bfabd34ce5b08b8f67b50113a52f8b988f9367
SSDEEP

1572864:uDYQ5+S0nzKbo4H4zfPJxeMpanJEEJXljj72xjc:uPAnv4Y9XouEJlaxjc

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files (x86)\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 3.92 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a powerful tool allowing you to manage and control archive files. Console RAR supports archives only in RAR format, the names of which usually have a ".rar" extension. ZIP and other formats are not supported. Windows users may install GUI RAR version - WinRAR, which is able to process many more archive types. RAR features include: * Highly sophisticated, original compression algorithm * Special compression algorithms optimized for text, audio, graphics data, 32 and 64-bit Intel executables * Better compression than similar tools, using 'solid' archiving * Authenticity verification (registered version only) * Self-extracting archives and volumes (SFX) * Ability to recover physically damaged archives * Locking, password, file order list, file security & more ... Configuration file ~~~~~~~~~~~~~~~~~~ RAR for Unix reads configuration information from the file .rarrc in the user's home directory (stored in HOME environment variable) or in /etc directory. RAR for Windows reads configuration information from the file rar.ini, placed in the same directory as the rar.exe file. This file may contain the following string: switches=any RAR switches, separated by spaces For example: switches=-m5 -s Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in UNIX following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 KB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If the switch -ilog is specified in the command line or configuration file, RAR will write informational messages, concerning errors encountered while processing archives, into a log file. Read switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command line options (commands and switches) provide control of creating and managing archives with RAR. The command is a string (or a single letter) which commands RAR to perform a corresponding action. Switches are designed to modify the way RAR performs the action. Other parameters are archive name and files to be archived into or extracted from the archive. Listfiles are plain text files that contain names of files to process. File names should start at the first column. It is possible to put comments to the listfile after // characters. For example, you may create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). Win32 console RAR uses OEM (DOS) encoding in list files. You may specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files In a UNIX environment you need to quote wildcards to avoid them being expanded by shell. For example, this command will extract *.asm files from RAR archives in current path: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing backslashes, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes file masks or trailing backslashes, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 62000 bytes Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy cf Add files comment. File comments are displayed when the 'v' command is given. File comment length is limited to 32767 bytes. Example: rar cf bigarch *.txt ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -av, -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. Please note if the processing of this command results in removing all the files from the archive, the empty archive would removed. e Extract files to current directory. f Freshen files in archive. Updates those files changed since they were packed to the archive. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, Unicode and OEM character tables (Win32 only); If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. Any command which intends to change the archive will be ignored. Example: rar k final.rar l[t,b] List contents of archive [technical]. Files are listed as with the 'v' command with the exception of the file path. i.e. only the file name is displayed. Optional technical information (host OS, solid flag and old version flag) is displayed when 't' modifier is used. Modifier 'b' forces RAR to output only bare file names without any additional information. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. You may use this command together with -inul switch to disable all RAR messages and print only file data. It may be important when you need to send a file to stdout for use in pipes. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If the archive contains a recovery record and if the portion of the damaged data is continuous and less than N*512 bytes, where N is number of recovery sectors placed into the archive, the chance of successful archive reconstruction is very high. When this stage has been completed, a new archive will be created, called fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If a broken archive does not contain a recovery record or if the archive is not completely recovered due to major damage, a second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail the CRC validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. When the second stage is completed, the reconstructed archive will be saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. RAR/DOS32 version uses _recover.rar and _reconst.rar instead of names mentioned aboves. While the recovery is in progress, RAR may prompt the user for assistance when a suspicious file is detected. Suspicious entry Name: <possibly filename> Size: <size> Packed: <compressed size> Add it: Yes/No/All Answer 'y' to add this entry to the file rebuilt.arcname.rar. Example: rar r buggy.rar rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing volume as the archive name, for example, 'rar rc backup.part03.rar' Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar. It is allowed to use wildcards in the source and destination names for simple name transformations like changing file extensions. For example: rar rn data.rar *.txt *.bak will rename all *.txt files to *.bak. RAR does not check if the destination file name is already present in the archive, so you need to be careful to avoid duplicated names. It is especially important when using wildcards. Such a command is potentially dangerous, because a wrong wildcard may corrupt all archived names. rr[N] Add data recovery record. Optionally, redundant information (recovery record) may be added to an archive. This will cause a small increase of the archive size and helps to recover archived files in case of floppy disk failure or data losses of any other kind. A recovery record contains up to 524288 recovery sectors. The number of sectors may be specified directly in the 'rr' command (N = 1, 2 .. 524288) or, if it is not specified by the user, it will be selected automatically according to the archive size: a size of the recovery information will be about 1% of the total archive size, usually allowing the recovery of up to 0.6% of the total archive size of continuously damaged data. It is also possible to specify the recovery record size in percent to the archive size. Just append the percent character to the command parameter. For example: rar rr3% arcname Note that if you run this command from .bat or .cmd file, you need to use rr3%% instead of rr3%, because the command processor treats the single '%' character as the start of a batch file parameter. You may also use 'p' instead of '%', so 'rr3p' will work too. If data is damaged continuously, then each rr-sector helps to recover 512 bytes of damaged informatio

Emails

[email protected]

Targets

- Target
  
  10 to XP Remake/Branding/Basebrd/basebrd.dll
- Size
  
  451KB
- MD5
  
  3305b59bc0cb31b56c3c68eaf9bc1f24
- SHA1
  
  c10e6782c00f384dfaf557c58c7e33f332f6c622
- SHA256
  
  dbbc6b1f72a5f80b33a88445a836ea3449ec885ad33b5b6ef4a9fee12ecd958e
- SHA512
  
  5cd184ed2e1002a6fe208d68b5f9e2fe79c38460d2f40f0003399d40daf29fd047d7eb08ef68eb3daba89182e97c48d2f127f717a21dc43abae6d867413d14cc
- SSDEEP
  
  1536:reJ8tKICm/h+yetKICm/h+yjtKICm/h+y3Qs5gPFqN:reGKIPZ+yKKIPZ+y5KIPZ+y3TaNqN
Score

3^/10
behavioral1
- Target
  
  10 to XP Remake/Branding/Basebrd/basebrd.dll.backup
- Size
  
  451KB
- MD5
  
  3305b59bc0cb31b56c3c68eaf9bc1f24
- SHA1
  
  c10e6782c00f384dfaf557c58c7e33f332f6c622
- SHA256
  
  dbbc6b1f72a5f80b33a88445a836ea3449ec885ad33b5b6ef4a9fee12ecd958e
- SHA512
  
  5cd184ed2e1002a6fe208d68b5f9e2fe79c38460d2f40f0003399d40daf29fd047d7eb08ef68eb3daba89182e97c48d2f127f717a21dc43abae6d867413d14cc
- SSDEEP
  
  1536:reJ8tKICm/h+yetKICm/h+yjtKICm/h+y3Qs5gPFqN:reGKIPZ+yKKIPZ+y5KIPZ+y3TaNqN
Score

3^/10
behavioral2
- Target
  
  10 to XP Remake/Branding/Basebrd/en-US/basebrd.dll.mui
- Size
  
  4KB
- MD5
  
  2e71b0baaecf6ae879ecb2e9fe7c8046
- SHA1
  
  94066c3560386d0e95a788b42838526f5be274bb
- SHA256
  
  ea988e5d7a28971452b05f96f72f7e7ab0aff49892455f394b0c8dbc49a950c6
- SHA512
  
  94b19b32dbc6581e7ad05935dfdda4e759e9c65e132a8081370b0f3030ad5e49734259ede705c93cbc059afd46f7d71040d66fa08239c91070634182b9027d18
Score

1^/10
behavioral3
- Target
  
  10 to XP Remake/Branding/Shellbrd/shellbrd.dll
- Size
  
  1.0MB
- MD5
  
  a89117015b60ddbe00570f22ad385e9b
- SHA1
  
  82148df99e9feab2b48e72bd0e3290cecf049ba4
- SHA256
  
  9037a5f4f8e791fc4a45d3fb075d4c100d97ab0fdb866ea43f4f553129b984de
- SHA512
  
  5d1b72d92aef0f38e6973f424aebce487e5ae62daa5b87caf60c9135aeb3dd5eac91bbf008892c04c8079e6eab453b113f5bcfc3e258d19b378ac8f171e42788
- SSDEEP
  
  3072:y5KIPZ+y28bLKIPZ+yqKIPZ+yfgksbe0vutcNb1fY7a6uuAjot:NIx+n8qIx+uIx+M3sbekIb
Score

1^/10
behavioral4
- Target
  
  10 to XP Remake/Branding/Shellbrd/shellbrd.dll.backup
- Size
  
  1.3MB
- MD5
  
  f5a4f0b7ab897a6f7857ca14bc952695
- SHA1
  
  7364c4b9eb5e5e13ffb8620e48f3b4a66d2a762a
- SHA256
  
  bc4a3ff5f95de62925383b05cdd53845d5bf8a1ef5947dbfc442a391eadd55e6
- SHA512
  
  e7a6432bc395357fa8c63d757eb304b7278ce060e433bf80681b6a0144ed9489ea34a9cd45d8479d680d5a12ca25f05624fde9ceadfa6a85c20fe84ae01d6753
- SSDEEP
  
  1536:oa3WrLEe1n1ZOrUajk+stgbeTejSzSfk3mjQHe0buI98sW+i8btajjt4n8kuMqfz:dyxgksbe0SutcNb1fY6a6uuAj
Score

1^/10
behavioral5
- Target
  
  10 to XP Remake/Build In Windows XP Apps/calc.exe
- Size
  
  112KB
- MD5
  
  829e4805b0e12b383ee09abdc9e2dc3c
- SHA1
  
  5a272b7441328e09704b6d7eabdbd51b8858fde4
- SHA256
  
  37121ecb7c1e112b735bd21b0dfe3e526352ecb98c434c5f40e6a2a582380cdd
- SHA512
  
  356fe701e6788c9e4988ee5338c09170311c2013d6b72d7756b7ada5cda44114945f964668feb440d262fb1c0f9ca180549aafd532d169ceeadf435b9899c8f6
- SSDEEP
  
  1536:JEl14rQcWAkN7GAlqbkfAGQGV8aMbrNyrf1w+noPvLV6eBsCXKc:JYmZWXyaiedMbrN6pnoXL1BsC
Score

1^/10
behavioral6
- Target
  
  10 to XP Remake/Build In Windows XP Apps/cmd.exe
- Size
  
  380KB
- MD5
  
  6d778e0f95447e6546553eeea709d03c
- SHA1
  
  811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
- SHA256
  
  62abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4
- SHA512
  
  a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffaca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f
- SSDEEP
  
  3072:PhRx1q315oF8opcnD1hOOrWGzN2lcR2u8JnxIJU+e3sFFCcll3H3rH3XD7Inm+Fj:VUF5oXpcFb5DRsNxIJU
Score

1^/10
behavioral7
- Target
  
  10 to XP Remake/Build In Windows XP Apps/mspaint.exe
- Size
  
  335KB
- MD5
  
  949bc05cef66bcd68eb23f08eb4c2dff
- SHA1
  
  b3af3c83b5b1d0f382ee469ac96e8ecbc3a21be5
- SHA256
  
  4a8b0fd56eef260471a1284161ecbba3bb0cdd8b240b932a94b85077ae8c2f43
- SHA512
  
  f671fffa172940157d331c4a1d83d1f530abb67642becc5722f5a0d80e75291e9e457a6a39f22b301a1d65f4dce86a34b625a25ab48230634c39ac9f3eacdb5e
- SSDEEP
  
  6144:m4RREcMZ5vVCiiKrao9afJu3YYtWGaVoRiS6hxH5AgyOv:nbuvVCiisao9Ii3aViKHB
Score

4^/10
behavioral8
- Target
  
  10 to XP Remake/Build In Windows XP Apps/notepad.exe
- Size
  
  67KB
- MD5
  
  5e28284f9b5f9097640d58a73d38ad4c
- SHA1
  
  7a90f8b051bc82cc9cadbcc9ba345ced02891a6c
- SHA256
  
  865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5
- SHA512
  
  cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934
- SSDEEP
  
  1536:bwOnbNQKLjWDyy1o5I0foMJUEbooPRrKKReFX3:RNQKPWDyDI0fFJltZrpReFX3
Score

1^/10
behavioral9
- Target
  
  10 to XP Remake/Build In Windows XP Apps/sndrec32.exe
- Size
  
  128KB
- MD5
  
  b22332758a8293c14db318748a928cc4
- SHA1
  
  e640d15c35808c6ae2ecb01e4645d98c9587b97a
- SHA256
  
  a6f625c636025c3c15a117e8c5e85e05671d5a433ba56827221351f908a44007
- SHA512
  
  2984387deae21d737a77faace9e39647f4c8360d5f1decf9b9644c8c6044440ca1dd0e0ad25eac873d5cd25b8a716af89cafb5c6541163324893c66928b9b679
- SSDEEP
  
  3072:gKL/Rr46odCwyomuaegFM6T4x4iycuCbzI33zt:g426oIFo4hoI3Z
Score

1^/10
behavioral10
- Target
  
  10 to XP Remake/Build In Windows XP Apps/taskmgr.exe
- Size
  
  132KB
- MD5
  
  2cd1c3506a85b38e2d17e61aded175c4
- SHA1
  
  811d06dc5c7b530a5f0bd07c50607e402da43d59
- SHA256
  
  f899e8c466b518346d47c7cd56f6d4ae3eed38369b8e38b6badf0227b93e7f82
- SHA512
  
  ee63dcaaf8504cc757ac66d40de23ddee0679cc7f7fd49e95f89fc2904f7df2c39a7dbbda4846537d3ebee34e24599e068f25d6c363a2a86e85512673d9edfea
- SSDEEP
  
  3072:gkh3VK2abS5VHwO8KdKiZuNuEJ+4PmuN1IS:1VQO8uZUE4M
Score

1^/10
behavioral11
- Target
  
  10 to XP Remake/Build In Windows XP Apps/wordpad.exe
- Size
  
  209KB
- MD5
  
  f4bf3b83f909440724a358665867d6c8
- SHA1
  
  5761ceac09b37e4da545d720a850a5694b59095a
- SHA256
  
  c0343d0642c6f5efad0d74ea3c6a14b96b209d2413f060039f0874aaf998c7a4
- SHA512
  
  e9e75c50d68a59205defa730217cc7b5b2786e52006926398c592a9a08e22214847077fd7425ed49b05fdeeb08eca422fb6d9ac28e3cbf67a8922caaaab69fe8
- SSDEEP
  
  3072:MtVQtcY+9jCQC/zgdAvP+ttjCyJyza+ptBr6IwBHRhnNxDmNN8+/:vcN9GQKvPKjyfptBr6fHRFmNN5
Score

1^/10
behavioral12
- Target
  
  10 to XP Remake/QueroToolbarInstaller_x64.exe
- Size
  
  753KB
- MD5
  
  f8510f2b732ca1beed195e82ab3140b2
- SHA1
  
  cc39ad73116df36180641b540dcd2d6e07d6be8c
- SHA256
  
  2d676fa3ffcf4e134af199c346903fc2f4b8ddba55bd3d9440208c32c8074876
- SHA512
  
  c28f7e5f3fd8e72b1b6d7407a3b88b5108fe52a558d9d33cdcd6913aeb4f20f8dc6ea71d6771e854d1307b3786af7517eddd4d15530453d9b831272fea0a1006
- SSDEEP
  
  12288:CQiGHf0j4r4glCaDu0BXVaRr1Xtcr0LRqXWH2rWOnVQhHRylKhC2Iqjzva6WXd5+:CQi+f7rnnzjap1+YLRmcEVQRysItq
Score

8^/10
- Executes dropped EXE
behavioral13
- Target
  
  10 to XP Remake/Windows XP Extras/7tt_setup_4.4.6.exe
- Size
  
  1.1MB
- MD5
  
  32b64a4b7b98715189f26b2e86b9cfd3
- SHA1
  
  70ff8b33e6f3f52f8435e4409fcb62083ec3b5e2
- SHA256
  
  d774139ea16500dd0ba456d28504d0388195c15293fb9b497c020a842dfbd1fc
- SHA512
  
  962bb31890e572615d9a654559de61b25253478746cb710bc9c3eb3ef1e62f1f644c21ee807fb89799e815ba5b1a2400990c9e242cd5f6d1903f1a6f3e142bd4
- SSDEEP
  
  24576:p/iEIPIygYpRsCzfUmUvAhekQNJe9K8N/i91WmosLugFT8:Ri7sifDUvAhekOg9/iimocVT8
Score

7^/10
- Loads dropped DLL
behavioral14
- Target
  
  10 to XP Remake/Windows XP Extras/NavBar Remover (By anixx).exe
- Size
  
  1.1MB
- MD5
  
  c05c0f4601e7fbbcc9d83f4bcc870635
- SHA1
  
  87914b21dea156ecc974fead040dcff17f7392ca
- SHA256
  
  b743bd5aae5de13aceb8b17673b2558ed4cba96aa42ccc64858118c5dfb29266
- SHA512
  
  c918a67ac40336e6baa6f7e5252b0afbf2150144e297cc9e83a8d388b0dbd59e1a9458f3aa2818b42acedb212ff25af09e20493c1f9000d4c720e0a5f3bc2554
- SSDEEP
  
  24576:Df4RpknVIEM+TynERzhwExMEswIYzbwg38Ujf:D4RpknVISyEoEswpzbwtS
Score

1^/10
behavioral15
- Target
  
  10 to XP Remake/Windows XP Extras/NetAnimate.exe
- Size
  
  1.9MB
- MD5
  
  578963a32f57e7c3739f54509ac00391
- SHA1
  
  c3d53ad923aaa59aeba413f6282c4485b3a4cf72
- SHA256
  
  8887c65d181ab1f76366f85224439699adedf685435c03382af24dbdea302c31
- SHA512
  
  5fbd7d014c5f9dcd7283a55f01687424e78ad25fbfbb183ac60e4a329251673622ced217af828954e7ab4843a382208e633280fd8cccafa6c1dabf6f84028c8c
- SSDEEP
  
  24576:H3yaWmMz0dKKV35+pDkJMfY6FyWg9z0VRGoXYkLzIGrqyvwm4tSRsLC4qj4e9Nf2:COOEKKypDkKx/OqvLzIGrqyCCjTNfy7
Score

8^/10
- Executes dropped EXE
behavioral16
- Target
  
  10 to XP Remake/Windows XP Extras/Windows Media Player 8 Setup.exe
- Size
  
  7.3MB
- MD5
  
  ee20babb93d624e49cba33380f00cec5
- SHA1
  
  2d4860199a06bdb345d359bde7e64ec0077b12ce
- SHA256
  
  4266eddfb935b65ae58c7709683367010d316b038c7e4d9067849e3b4f559d5b
- SHA512
  
  918b9c9dc2bb2a1004bff4a54d9e06a503c3652405e2d4ad528333136c036574c2f651c47788275340396eb8d60ff19a74df40c63492e98420589abb47102a66
- SSDEEP
  
  196608:URBvb3KThVHpQWj03bwQNTqhjnNgUJw8qGwNte7:UR93KT3HqN3bw7Rdi8VwW
Score

3^/10
behavioral17
- Target
  
  10 to XP Remake/Windows XP Icons/WinXP Iconpack By 2013Windows8.1.exe
- Size
  
  11.5MB
- MD5
  
  442318353ec1d640f6b5e4b9bac87d3b
- SHA1
  
  8aac35fda5b8f37432c6742df6a77dd87bc62d90
- SHA256
  
  5b515c7b2de619f7f82311d8617ebef70f1fc2f42a84cc7e0f0519c90a6e1619
- SHA512
  
  69e91bf435d114fe5cf1f5cf765caf4a61de03232b2c30dfc902476c831aa47c954c9da4551a7ab4c7d1ae0ef63d56f54cfdde2aac2086309deb1c6fd03a3177
- SSDEEP
  
  196608:L6jQBY69YztQAdaCuoi2XxlN59cti0mktWjDlqF6WEwT4RpAAAD3OU9a5hvkpzf:LzBY2ekC/ialjlLYW/gsWdBq512zf
Score

8^/10

upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral18
- Target
  
  10 to XP Remake/Windows XP Start Menu (Only Windows 10)/ClassicShell/XP Blue BBT revB.skin
- Size
  
  1.6MB
- MD5
  
  66f10b664d0e0d21ee9f594271ebac64
- SHA1
  
  f560e83b685e227e2771ec3708c26d0f42345503
- SHA256
  
  cae71d607c5028cb2ddf38bd3658b943e9c6c3bb15bbd2902da83c931734283f
- SHA512
  
  8c5d105eddfbf9bcbc424a9c6541bf90197193d0fc62b2b7bb306b2fb3149be2dc28b7004fa726917fd579a214de755cba98912609efc3c8e684e81a3da7bc97
- SSDEEP
  
  6144:azqhm2m/ZdddfomHZdddfAmGzqPbV+Xh0IG9b:a4LW0GcjoVdB9b
Score

1^/10
behavioral19
- Target
  
  10 to XP Remake/Windows XP Start Menu (Only Windows 10)/ClassicShell/classicshell.exe
- Size
  
  6.9MB
- MD5
  
  230d1965a035bc4c894941caa3d19a32
- SHA1
  
  317604eba6e94e8777741d577b0ef160a0af3258
- SHA256
  
  942c7ee37303c962628555e196eb35f4465bb45d204600dd2518dd20ddebe5e2
- SHA512
  
  00ac51bdf37bde44668e5cf20854f67df1b222959f8876e2fc3d05814cdb7b11c728411e5ce04187c7fb9c7939cab56cffaa3a8f02bf0a17437dcf7af51755a4
- SSDEEP
  
  196608:1fCy8wAafvB9W95jcOqihiDXHzk2w5gzOAiZiU8sXo:Uy8wAafEjnqzkt//s
Score

8^/10
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral20
- Target
  
  10 to XP Remake/Winrar If you Dont have one.exe
- Size
  
  2.1MB
- MD5
  
  da62e4eb80994c60ea5436484cc636b1
- SHA1
  
  d0ae97c19c64ad4b3735b7fe9917604801d50d84
- SHA256
  
  6f4cf30bbc9e78713a715111742b69c4bac543bda780ece9548df1864309d33e
- SHA512
  
  a78a8175dd8697e72ad3fe98d46baf71108e87146ff435286ebfdd94bbf370334df9153b657e53e3d6065f2775a033d7e202b6bb2562c741cba301bd301b6fb7
- SSDEEP
  
  49152:q92vKFcXtYB2efHnvP/vOkd/IIAT1P76x8T512J4nsDZCj9B9f93:q9JB2QPf5dQIgT68TP2JysY9f93
Score

10^/10

discovery persistence ransomware
- Modifies system executable filetype association
  persistence
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral21

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Loads dropped DLL

Executes dropped EXE

Executes dropped EXE

UPX packed file

Checks computer location settings

Blocklisted process makes network request

Enumerates connected drives

Modifies system executable filetype association

Executes dropped EXE

Registers COM server for autorun

Checks computer location settings

Checks installed software on the system

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21