Analysis

  • max time kernel
    87s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 12:24

General

  • Target

    RNSM00432.7z

  • Size

    31.2MB

  • MD5

    be484eefb48a6c7ea47da9807a26f1d9

  • SHA1

    92e843045bc7f796706a5c7c8af65bcc919e01da

  • SHA256

    ba1d49f1423ab5fb6918cb61bf61b5acc50bd1ad99838a3dbba59af99e629e77

  • SHA512

    2ed6f29decd1916963048e57f99c1d5b340a0961b9edcbeab1d6f01fa527a853cac797f457ba92363003ee8392d829a4d5f345b83bba426223250c4eea5547a5

  • SSDEEP

    786432:6513OAEXjyZZp2jHShJxZs81quWVahRSItfZUjWkO3:q3OAGjyZb2jH2JxZ7dsERSEfZ9z

Malware Config

Extracted

Family

crimsonrat

C2

167.86.89.53

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Ransom Note
---=== Ranzy Locker 1.1 ===---
Attention! Your network has been locked.
Your computers and server are locked now.
All encrypted files have extension: .ranzy

---- How to restore my files? ----
All files on each host in your network encrypted with strongest encryption algorithms
Backups are deleted or formatted, do not worry, we can help you restore your files
Files can be decrypted only with private key - this key stored on our servers
You have only one way for return your files back - contact us and receive universal decryption program
Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee

---- How to get your files back ----
You have 2 ways for open our website and contact with us:
1. Open via any browser (this way can be blocked so its better to use way 2)
   a. Open any browser.
   b. Open our website: https://ranzylock.hk/2X258GEF
2. Open via TOR Browser
   a. Download TOR Browser here: https://www.torproject.org/download/
   b. Open TOR website: http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/2X258GEF
!! This page can be open only in TOR Browser.
All instructions how to decrypt your files you can find on our website.
!! This is only way to get your files back - do not use third-party company or software because you can lose all your files.

---- Data Leak Attention ----
!!! All your sensitive data was downloaded to our servers
!!! In case you decide not to contact with us, we publish your sensitive data in our blog or sold
!!! Only we can delete your files from our servers
!!! Only we can restore all your files without any LOSS

---- Recovery information ----
key: eyJleHQiOiIucmFuenkiLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiNzM2NzUiLCJsYW5nIjoiZW4tVVMAIn0=
personal id: 5XWRN16O
URLs

https://ranzylock.hk/2X258GEF

http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/2X258GEF

Extracted

Path

C:\Users\Admin\3D Objects\LOCKY-README.txt

Ransom Note
Please be adviced: All your files, pictures document and data has been encrypted with Military Grade Encryption RSA AES-256.
Your information is not lost. But Encrypted.
In order for you to restore your files you have to purchase Decrypter.
Follow this steps to restore your files.
1* Download the Tor Browser. ( Just type in google "Download Tor" ).
2* Browse to URL : http://pylockyrkumqih5l.onion/index.php
3* Purchase the Decryptor to restore your files. It is very simple.
If you don't believe that we can restore your files, then you can restore 1 file of image format for free.
Be aware the time is ticking. Price will be doubled every 96 hours so use it wisely.
Your unique ID : 0HGTU0H382FT120W
CAUTION: Please do not try to modify or delete any encrypted file as it will be hard to restore it.
SUPPORT: You can contact support to help decrypt your files for you. Click on support at http://pylockyrkumqih5l.onion/index.php
--------BEGIN BIT KEY---------
l9HkbenVeZpuunQ2XEqgMMS29YG8+zot5DGek6L6NKWmRDJcxEVmzZ4y0MQcmQCjc3BPCXEj4+Xm
P5qir+QLZQtsQcV7dLWQRTOJ/61Mvo3yxMf8rZLipYy0vIthZoZv3/rMWnEMmL9etbD2kGfbQ8Ju
VaeQplsx7d6vbuJUMcXp9qABPHLBvYm4jQENj95AvhHx3SVrbsXNz0/TPhMoGi+NRA3wnYyIaXSH
XmHTePnb2IXeGqF5WskzqZBqDxA/iq4k1A3fex4k9c3BoVJ4H18DBgB/G1f+ZlAHannfrF0jxPjn
YHsOxGYFtLr7zV9gmwwcl0w4d3Jflw4ebmvNxQ==
--------END BIT KEY-----------
[The note then repeats the same text in French, Italian and Korean, in sections delimited by BEGIN FRENCH / END FRENCH, BEGIN ITALIAN / END ITALIAN and BEGIN KOREAN / END KOREAN. Each translation carries the same .onion URL and the same unique ID 0HGTU0H382FT120W; the translated sections are not reproduced here.]
URLs

http://pylockyrkumqih5l.onion/index.php

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Ransom Note
(Identical to the LOCKY-README.txt note above: same English text, same BIT KEY block, same unique ID 0HGTU0H382FT120W, same .onion URL, and the same French, Italian and Korean repetitions. This copy was extracted from a database file inside the Chrome profile directory rather than from a dropped .txt file.)
URLs

http://pylockyrkumqih5l.onion/index.php

Extracted

Path

C:\Users\Admin\Desktop\LegionReadMe.txt

Ransom Note
Ooops! All your important files are encrypted!

What happend to my computer?
All your important files are encrypted.
No one can help you to restore files without our special decryptor
If you want to restore some of your files for free write to email (contact is at the bottom of the sheet) and attach 4-5 encrypted files.
You have to pay $120 in bitcoin to decrypt other files.

How to contact us?
1.Download Tor browser (https://www.torproject.org/)
2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/)
3.Write email to us ([email protected])

What if i have already paid?
Send your Bitcoin wallet ID to e-mail provided above

Our bitcoin address 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/
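
The three notes above carry the indicators an analyst actually wants out of a report like this: the .onion contact hosts, the victim IDs, the Bitcoin address, and, in the Ranzy Locker note, a "key" field that is base64 of a small JSON config (it decodes to {"ext":".ranzy","network":"true","subid":"73675","lang":"en-US"} with a NUL byte appended to the lang value, which a strict JSON parser rejects). The script below is an added example written for this page, not part of the sandbox report or of any of the malware families. It runs over constructed fragments of the three notes (only the indicator-bearing lines, copied from the page; the full notes are longer), decodes the Ranzy config, measures the BIT KEY blob (it is 256 bytes, the size of one RSA-2048 ciphertext block; reading it as the RSA-encrypted per-victim key is the editor's inference, consistent with the note's own "RSA AES-256" claim), and checks the Bitcoin address with Base58Check so regex hits that are not real addresses are not shipped as IOCs. The e-mail address in the Legion note is shown on the page only as the placeholder [email protected] and is left out. Field names such as victim_id and the regexes are the editor's choices.

```python
import base64
import hashlib
import json
import re

# Constructed inputs: fragments of the three ransom notes quoted on this page,
# cut down to the lines that carry indicators. They are not the full notes.
RANZY_NOTE = """---=== Ranzy Locker 1.1 ===---
All encrypted files have extension: .ranzy
b. Open our website: https://ranzylock.hk/2X258GEF
b. Open TOR website: http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/2X258GEF
---- Recovery information ----
key: eyJleHQiOiIucmFuenkiLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiNzM2NzUiLCJsYW5nIjoiZW4tVVMAIn0=
personal id: 5XWRN16O
"""

LOCKY_README_NOTE = """2* Browse to URL : http://pylockyrkumqih5l.onion/index.php
Your unique ID : 0HGTU0H382FT120W
--------BEGIN BIT KEY---------
l9HkbenVeZpuunQ2XEqgMMS29YG8+zot5DGek6L6NKWmRDJcxEVmzZ4y0MQcmQCjc3BPCXEj4+Xm
P5qir+QLZQtsQcV7dLWQRTOJ/61Mvo3yxMf8rZLipYy0vIthZoZv3/rMWnEMmL9etbD2kGfbQ8Ju
VaeQplsx7d6vbuJUMcXp9qABPHLBvYm4jQENj95AvhHx3SVrbsXNz0/TPhMoGi+NRA3wnYyIaXSH
XmHTePnb2IXeGqF5WskzqZBqDxA/iq4k1A3fex4k9c3BoVJ4H18DBgB/G1f+ZlAHannfrF0jxPjn
YHsOxGYFtLr7zV9gmwwcl0w4d3Jflw4ebmvNxQ==
--------END BIT KEY-----------
"""

LEGION_NOTE = """Ooops! All your important files are encrypted!
2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/)
Our bitcoin address 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")          # v2 (16) and v3 (56) hosts
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")    # legacy address shape only
FIELD_RES = {
    "extension": re.compile(r"extension:\s*(\.\w+)"),
    "victim_id": re.compile(r"(?:personal id|unique ID)\s*:\s*(\w+)", re.I),
    "key": re.compile(r"^key:\s*([A-Za-z0-9+/=]+)\s*$", re.M),
}
BIT_KEY_RE = re.compile(r"-+BEGIN BIT KEY-+\s*(.*?)\s*-+END BIT KEY-+", re.S)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def parse_ranzy_key(b64: str) -> dict:
    """Decode the Ranzy 'key' field: base64 of a JSON object whose 'lang' value
    carries an embedded NUL (a C string terminator that leaked into the note).
    json.loads() rejects control characters by default, so parse leniently and
    strip the NULs afterwards."""
    text = base64.b64decode(b64).decode("utf-8")
    cfg = json.loads(text, strict=False)
    return {k: v.rstrip("\x00") if isinstance(v, str) else v for k, v in cfg.items()}


def bit_key_size(note: str) -> int:
    """Byte length of the base64 blob between the BIT KEY markers (0 if absent)."""
    m = BIT_KEY_RE.search(note)
    if not m:
        return 0
    return len(base64.b64decode("".join(m.group(1).split())))


def b58check_valid(addr: str) -> bool:
    """Base58Check test for a legacy 25-byte Bitcoin address: the trailing 4 bytes
    must equal the first 4 bytes of SHA-256(SHA-256(version || hash160))."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is a 0x00 byte
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def extract_iocs(note: str) -> dict:
    """Pull URLs, .onion hosts, Bitcoin addresses (with checksum verdict) and the
    note-specific fields out of one ransom note."""
    out = {
        "urls": URL_RE.findall(note),
        "onion_hosts": sorted(set(ONION_RE.findall(note))),
        "btc_addresses": {a: b58check_valid(a) for a in BTC_RE.findall(note)},
        "bit_key_bytes": bit_key_size(note),
    }
    for name, rx in FIELD_RES.items():
        m = rx.search(note)
        if m:
            out[name] = m.group(1)
    if "key" in out:
        out["config"] = parse_ranzy_key(out["key"])
    return out


if __name__ == "__main__":
    for label, note in (("ranzy", RANZY_NOTE), ("locky-readme", LOCKY_README_NOTE), ("legion", LEGION_NOTE)):
        print(label, json.dumps(extract_iocs(note), indent=2))
```

The Base58Check function is the check that matters most: a ransom-note regex will happily match any 26-35 character alphanumeric token that starts with 1 or 3, and an address with a bad checksum is a false indicator. The BIT KEY length is what tells you there is nothing to recover locally: a 2048-bit RSA-sized blob in the note means the file key never leaves the system in the clear.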

Signatures

  • CrimsonRat

    Crimson RAT is a remote access trojan attributed to a Pakistan-linked threat actor.

  • Crimsonrat family
  • Detected LegionLocker ransomware 1 IoCs

    Sample contains strings associated with the LegionLocker family.

  • LegionLocker

    Ransomware family active in 2021.

  • Legionlocker family
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Urelas

    Urelas is a trojan that targets players of online card games.

  • Urelas family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Renames multiple (174) files with added filename extension

    Renaming many files with an added extension is characteristic of ransomware encrypting the files on the system.

  • Renames multiple (442) files with added filename extension

    Renaming many files with an added extension is characteristic of ransomware encrypting the files on the system.

  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Checks BIOS information in registry 2 TTPs 5 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 30 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 48 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 10 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographic location.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
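
Several of the signatures above map directly onto process-creation telemetry rather than file or registry artefacts: the wmic SHADOWCOPY invocations, the icacls call that denies Everyone (S-1-1-0) delete rights on an AppData folder (the self-protection step of the sample the page names Trojan-Ransom.Win32.Stop), executables named WINLOGON.EXE, CSRSS.EXE, LSASS.EXE, SMSS.EXE and SERVICES.EXE started from a user profile directory, a dropped xk.exe in the root of C:\Windows, and the run of WerFault.exe crashes under one parent. The script below is an added example, not part of the sandbox report: it runs those rules over constructed events abridged from the Processes section of this page (pids and command lines are the page's; the long sample file names are replaced by placeholders). Assumptions: events arrive as (pid, ppid, image, command line) tuples, as a Sysmon Event ID 1 or Windows 4688 feed would provide; the allowlist of binaries legitimately present in the root of C:\Windows is illustrative, not exhaustive. One caveat: the wmic command line as captured on the page shows no verb after SHADOWCOPY, so the rule matches any shadow-copy invocation by wmic, which will be noisy on hosts where administrators use it.

```python
import ntpath
from collections import Counter, namedtuple

# Constructed process-creation events (pid, ppid, image path, command line),
# abridged from the process tree on this page; sample file names are placeholders.
Event = namedtuple("Event", "pid ppid image cmdline")

EVENTS = [
    Event(848, 1, r"C:\Program Files\7-Zip\7zFM.exe",
          r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00432.7z"'),
    Event(700, 500, r"C:\Windows\System32\lsass.exe", r"C:\Windows\system32\lsass.exe"),  # benign control
    Event(4440, 4972, r"C:\Users\Admin\Desktop\00432\sample_generic.exe", "sample_generic.exe"),
    Event(3512, 4440, r"C:\Windows\SysWOW64\Wbem\wmic.exe", "wmic.exe SHADOWCOPY /nointeractive"),
    Event(2256, 4972, r"C:\Users\Admin\Desktop\00432\sample_stop.exe", "sample_stop.exe"),
    Event(3952, 2256, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 876"),
    Event(3988, 2256, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 884"),
    Event(3340, 2256, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 928"),
    Event(5196, 2256, r"C:\Windows\SysWOW64\icacls.exe",
          r'icacls "C:\Users\Admin\AppData\Local\cbf50b2d-acf6-4ef9-a42d-eddcebc463d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    Event(4092, 4972, r"C:\Users\Admin\Desktop\00432\sample_blocker.exe", "sample_blocker.exe"),
    Event(5612, 4092, r"C:\Windows\xk.exe", r"C:\Windows\xk.exe"),
    Event(5964, 4092, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE",
          r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"'),
    Event(316, 4092, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE",
          r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"'),
    Event(6136, 4092, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE",
          r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"'),
]

# Core processes that only ever run from System32; the same name elsewhere is masquerading.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
# Illustrative allowlist of executables that legitimately live in the root of C:\Windows.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                          "write.exe", "splwow64.exe", "winhlp32.exe"}
WERFAULT_STORM_THRESHOLD = 3


def detect(events):
    """Return (pid, rule_name) findings for the ransomware behaviours seen on this page."""
    findings = []
    werfault_children = Counter(
        e.ppid for e in events if ntpath.basename(e.image).lower() == "werfault.exe")
    for e in events:
        name = ntpath.basename(e.image).lower()
        folder = ntpath.dirname(e.image).lower()
        cmd = e.cmdline.lower()
        # Shadow-copy tampering through wmic (T1490 Inhibit System Recovery).
        if name == "wmic.exe" and "shadowcopy" in cmd:
            findings.append((e.pid, "shadow_copy_tamper"))
        # Deny Everyone (S-1-1-0) delete rights on a dropped folder so the payload cannot be removed.
        if name == "icacls.exe" and "/deny" in cmd and "s-1-1-0" in cmd and ("(de," in cmd or "dc)" in cmd):
            findings.append((e.pid, "acl_deny_everyone_delete"))
        # A core system process name launched from anywhere but System32.
        if name in CORE_SYSTEM_BINARIES and folder != SYSTEM32:
            findings.append((e.pid, "system_process_masquerade"))
        # An unexpected executable directly in the Windows directory root.
        if folder == r"c:\windows" and name not in WINDOWS_ROOT_ALLOWLIST:
            findings.append((e.pid, "exe_in_windows_root"))
        # Repeated WerFault launches for one parent: the sample keeps crashing.
        if werfault_children[e.pid] >= WERFAULT_STORM_THRESHOLD:
            findings.append((e.pid, "crash_storm"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

The masquerade rule is the one to keep even outside this sample: the dropped binaries reuse the names of smss.exe, csrss.exe, winlogon.exe, services.exe and lsass.exe precisely because process lists are skimmed by name, and a path check against System32 is enough to separate them. The crash-storm rule is there because a sample that is repeatedly caught by WerFault is still worth looking at; the same process also ran the icacls call.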

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00432.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:848
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2748
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.Foreign.gen-538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89.exe
        HEUR-Trojan-Ransom.MSIL.Foreign.gen-538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89.exe
        3⤵
        • Executes dropped EXE
        PID:1864
      • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.GenericCryptor.gen-dc01a9daa0faa2f736420308b5eb907f3ef69b4486ed840315ad8825aae0c973.exe
        HEUR-Trojan-Ransom.MSIL.GenericCryptor.gen-dc01a9daa0faa2f736420308b5eb907f3ef69b4486ed840315ad8825aae0c973.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
      • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
        HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:400
      • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe
        HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic.exe SHADOWCOPY /nointeractive
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3512
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic.exe SHADOWCOPY /nointeractive
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3044
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic.exe SHADOWCOPY /nointeractive
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1684
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic.exe SHADOWCOPY /nointeractive
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1716
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic.exe SHADOWCOPY /nointeractive
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3512
      • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe
        HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2256
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 876
          4⤵
          • Program crash
          PID:3952
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 884
          4⤵
          • Program crash
          PID:3988
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 928
          4⤵
          • Program crash
          PID:3340
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 892
          4⤵
          • Program crash
          PID:3536
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1084
          4⤵
          • Program crash
          PID:2812
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1084
          4⤵
          • Program crash
          PID:2028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1604
          4⤵
          • Program crash
          PID:4360
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Local\cbf50b2d-acf6-4ef9-a42d-eddcebc463d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          4⤵
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:5196
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.iwia-21c066173b4f0addc251fdb8c0ff0db8c03a75687c484587295810499fa81d3f.exe
        Trojan-Ransom.Win32.Blocker.iwia-21c066173b4f0addc251fdb8c0ff0db8c03a75687c484587295810499fa81d3f.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1920
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 236
          4⤵
          • Program crash
          PID:3376
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.jjgl-a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb.exe
        Trojan-Ransom.Win32.Blocker.jjgl-a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2052
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
        Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4092
        • C:\Windows\xk.exe
          C:\Windows\xk.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5612
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1720
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5964
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:316
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2992
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:6136
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5304
        • C:\Windows\xk.exe
          C:\Windows\xk.exe
          4⤵
          PID:5904
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          PID:1720
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          4⤵
          PID:3912
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          4⤵
          PID:5144
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          4⤵
          PID:3136
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          4⤵
          PID:5488
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          4⤵
          PID:2952
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.nakz-f3c2772576750e6b9f5f4e74167d6300082372f1abf858c2dcaf33d2d99e6fe2.exe
        Trojan-Ransom.Win32.Blocker.nakz-f3c2772576750e6b9f5f4e74167d6300082372f1abf858c2dcaf33d2d99e6fe2.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:4592
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.napd-028cd72b30bc840405f00187c99045fd4ecbf9b2dbb1d365f5bac227614147d2.exe
        Trojan-Ransom.Win32.Blocker.napd-028cd72b30bc840405f00187c99045fd4ecbf9b2dbb1d365f5bac227614147d2.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1256
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
        Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: RenamesItself
        PID:5020
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Cryptor.eek-8e91cd3a65188dd5a60527d8af541237d364484b4ad1e8eeffa93db6402918e7.exe
        Trojan-Ransom.Win32.Cryptor.eek-8e91cd3a65188dd5a60527d8af541237d364484b4ad1e8eeffa93db6402918e7.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2444
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 300
          4⤵
          • Program crash
          PID:4328
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
        Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2200
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
        Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
          Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops desktop.ini file(s)
          • System Location Discovery: System Language Discovery
          PID:2328
      • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe
        Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2460
        • C:\Windows\SysWOW64\shell.exe
          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Local\Temp\huter.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5652
        • C:\Windows\SysWOW64\shell.exe
          "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Local\Temp\sanfdr.bat"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3804
      • C:\Users\Admin\Desktop\00432\VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
        VHO-Trojan-Ransom.Win32.Blocker.gen-4ac430ff8dd4211cc2fb01ed6237ff82e22154d9d850ad22873b7369c116bfd8.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Checks whether UAC is enabled
                      • Writes to the Master Boot Record (MBR)
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      PID:2200
                    • C:\Users\Admin\Desktop\00432\VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe
                      VHO-Trojan-Ransom.Win32.Convagent.gen-202f521c78510833261f2eaedf1123f00703860b750557a6bf6dd6667df5633c.exe
                      3⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:5332
                    • C:\Users\Admin\Desktop\00432\VHO-Trojan-Ransom.Win32.Spora.gen-6d66474214a20386592dfae2e70c6f672b8d408464b995be61765cec7598c12b.exe
                      VHO-Trojan-Ransom.Win32.Spora.gen-6d66474214a20386592dfae2e70c6f672b8d408464b995be61765cec7598c12b.exe
                      3⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:5568
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1920 -ip 1920
                  1⤵
                  PID:5084
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2256 -ip 2256
                  1⤵
                  PID:2952
                • C:\Windows\system32\OpenWith.exe
                  C:\Windows\system32\OpenWith.exe -Embedding
                  1⤵
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:2172
                • C:\Windows\system32\OpenWith.exe
                  C:\Windows\system32\OpenWith.exe -Embedding
                  1⤵
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:2952
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2256 -ip 2256
                  1⤵
                  PID:3536
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2256 -ip 2256
                  1⤵
                  PID:1008
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2444 -ip 2444
                  1⤵
                  PID:4340
                • C:\Users\Admin\Desktop\00432\trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
                  "C:\Users\Admin\Desktop\00432\trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe" C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
                  1⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1848
                  • C:\Users\Admin\Desktop\00432\trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
                    "C:\Users\Admin\Desktop\00432\trojan-ransom.win32.darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe" C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe
                    2⤵
                    • Executes dropped EXE
                    PID:1720
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2256 -ip 2256
                  1⤵
                  PID:2736
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2256 -ip 2256
                  1⤵
                  PID:4360
                • C:\Windows\system32\OpenWith.exe
                  C:\Windows\system32\OpenWith.exe -Embedding
                  1⤵
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:848
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2256 -ip 2256
                  1⤵
                  PID:1500
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2256 -ip 2256
                  1⤵
                  PID:2728
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5332 -ip 5332
                  1⤵
                  PID:5240
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                  PID:5556
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                  PID:5856
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                  PID:6008
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                  PID:2760
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                  PID:5328
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                  PID:1068
                • C:\Windows\System32\smss.exe
                  \SystemRoot\System32\smss.exe 000000c8 00000084
                  1⤵
                  PID:5568
                • C:\Windows\System32\smss.exe
                  \SystemRoot\System32\smss.exe 000000f8 00000084
                  1⤵
                  PID:5964

Network

MITRE ATT&CK Enterprise v15

                                                    Downloads

                                                    • C:\Logs\OrevNsc.log

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      1ac38ef82ed0ab223e7bac149819f0e6

                                                      SHA1

                                                      e50665f30cd4188c8853fab528fc27b8d8365101

                                                      SHA256

                                                      b1c41c8024fc39d61af09ce0a6410453d0ea562628801f114b89674ac6d1f007

                                                      SHA512

                                                      ec5c9fd37ee71a90935cb7c27bde96783f9aa750d377cac5d41c87f098ac4a2f3442e0a8a788d97a1f979641016c0d6e2d27e22908492e8cf9531d00b4761952

                                                    • C:\Logs\OrevNsc.log

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      40c480610ee5176f172a9789b798bdb9

                                                      SHA1

                                                      004d0645c88e8bbc9ebd019287a6006109703b30

                                                      SHA256

                                                      4219b8e3ccd0fd12ea9868207b3cda075e1fbcf2f30bc719af966fc3afa6ed6b

                                                      SHA512

                                                      f6ac5b4e2d84ca5e97240727db2744c0f49df8ee0f6bdb4247a97aced01693da7525bfaf56786b48c69c1a793d47536ffb1640a16973177408c4322493d84dcb

                                                    • C:\Users\Admin\3D Objects\LOCKY-README.txt

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      0f6301b58593493a78ddef92985b0e97

                                                      SHA1

                                                      c4db40b8a3e15858a9a86a8927de10dfbdc907a7

                                                      SHA256

                                                      bacaa6753225fbdca83072c1988c34393d7f63d8872e8592fa93214cd90c78d9

                                                      SHA512

                                                      13cf2eeaed53cc3f29c223b0b4a702744f5e206b5b7b1b4798a675cff7dead03e81d3d35886a1d3fe93c8f1be092944d90762656fa9c69fe3ab4263566c1ed13

                                                    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

                                                      Filesize

                                                      64KB

                                                      MD5

                                                      d2fb266b97caff2086bf0fa74eddb6b2

                                                      SHA1

                                                      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                                                      SHA256

                                                      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                                                      SHA512

                                                      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                                                    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

                                                      Filesize

                                                      4B

                                                      MD5

                                                      f49655f856acb8884cc0ace29216f511

                                                      SHA1

                                                      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                      SHA256

                                                      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                      SHA512

                                                      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

                                                      Filesize

                                                      944B

                                                      MD5

                                                      6bd369f7c74a28194c991ed1404da30f

                                                      SHA1

                                                      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                                                      SHA256

                                                      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                                                      SHA512

                                                      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old.lockedfile

                                                      Filesize

                                                      8B

                                                      MD5

                                                      a411785b59052a6a640c1d7ea92cef56

                                                      SHA1

                                                      0e15cff171cfb5a396b1a9920f7c381e27629d1e

                                                      SHA256

                                                      6ea87249bdbae977e123cdba26d2b94a65d14acb8015a6a7b0ad6d74a8ebe8b0

                                                      SHA512

                                                      3162400372d9949e3952f366c31bc85ef68fefb3b08216356b21dec1d7e37f8f336a889901a9cda3d2c67011c8c56ed1b6bc5f24eb47a6d4683b5083935ee06d

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

                                                      Filesize

                                                      5KB

                                                      MD5

                                                      b8ff29e260e42524626a89983db309ab

                                                      SHA1

                                                      034367be36fb0d719f1986166312da6c58377691

                                                      SHA256

                                                      f4ba77ce71d55b23765288aaa35df7085036243d31ea51208a5cf7e6178598d1

                                                      SHA512

                                                      95acf729c38fda89e9211c3885ff3d45d8b965a9c5477da00613015b65203e34d5987a1fb6fecf4fc4035960d5d639bf98aca4d9b0df992579b23f0fceb64d40

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

                                                      Filesize

                                                      332KB

                                                      MD5

                                                      1df0cc6af96d03eb9ec8576dbe9f00f5

                                                      SHA1

                                                      484c74492afcdd60d02f482423714d13e098615b

                                                      SHA256

                                                      472ba7c83ba9e9f3f8a2c7236d876973f02a9b90957ee8f33013d92114a8d19a

                                                      SHA512

                                                      2d9813aa4a93d620991e49c3885c5127c388e8fd3c63347a5af72156c17d058d019dc4976ae98c889a5f0edbaefcfdf1e90bde56688f40495b77a454469484b9

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10882\Crypto\Cipher\_raw_ecb.pyd

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      64bbef1d07b86c20c72afb68342816ef

                                                      SHA1

                                                      ba67ba676bb20f0412c39c98b94be19c205ac598

                                                      SHA256

                                                      ddef92baac329cfac9ffda9e714dee82447a0eec87a9ddbc507a0005f2d813df

                                                      SHA512

                                                      96c15c0aaf4acd3d641245caf6a091f48a547f064d92073f9fe9d8963a2b98b590e9b4f76b01291c119ad1061c7392c41ad359eeec31196a449a77b49d771132

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10882\Pylocky_Code_Debug.exe.manifest

                                                      Filesize

                                                      1022B

                                                      MD5

                                                      d80618c8979264d132d76474180554bb

                                                      SHA1

                                                      2657add78d90b07ef6fae7ecf04a3c1b25c50549

                                                      SHA256

                                                      49279b8f083eaf184319375e1b4a349d903b2ae0a4cc795a805550fd82c502e3

                                                      SHA512

                                                      fd0daff1fbe0f01f9055f820030d4e910c74911caa1dc4c205f3249eb12d887f5961706b976089215fa4b7427b63cb5e1bec164e27795294e51ae3d66570cbf8

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10882\_ctypes.pyd

                                                      Filesize

                                                      90KB

                                                      MD5

                                                      6daf8b55801a602f84d7d568a142459c

                                                      SHA1

                                                      57a80ca9621b282727d45caa5ae1c5e3c7e93f60

                                                      SHA256

                                                      66d0cb13569e9798b04c5d049cff25bd4c7c8e7ddd885b62f523d90a65d0ce88

                                                      SHA512

                                                      abb1c17aea3edb46c096ca3d8cbf74c9dccad36a7b83be8cf30697760ad49f3bd3a38dc4ff1f0b715ad7996c3a23ea1c855fffd62af01d15935abc73378dcc2e

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10882\_hashlib.pyd

                                                      Filesize

                                                      1.1MB

                                                      MD5

                                                      55a29ec9721c509a5b20d1a037726cfa

                                                      SHA1

                                                      eaba230581d7b46f316d6603ea15c1e3c9740d04

                                                      SHA256

                                                      dbdcf9e8cba52043b5246ad0d234da8ba4d6534b326bbbb28a6a391edf6fa4ce

                                                      SHA512

                                                      e1a2993d4dd5f2e81f299fe158ee6d1f8ef95983113c9bea9a087e42205ff06ac563762de5a0b70b535efe8cf9f980ffc14c1318aaf58de3644277e3602e0ab3

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10882\python27.dll

                                                      Filesize

                                                      2.5MB

                                                      MD5

                                                      9e9e57b47f4f840dddc938db54841d86

                                                      SHA1

                                                      1ed0be9c0dadcf602136c81097da6fda9e07dbbc

                                                      SHA256

                                                      608feafc63a0d1b38772e275c9e6d3b8a5b03efc0a27eb397107db0a6d079c50

                                                      SHA512

                                                      1a0dab38ebf4d995bcda3bdf0453c85d524cc1fff1c1b92160794d7c2f98f53088ba15c4b00b35d06e0be82a4bfa6d92cd4f09dec4ec98d615a82d5ffd5cb6c2

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10882\pywintypes27.dll

                                                      Filesize

                                                      108KB

                                                      MD5

                                                      c7d86a10bfcd65e49a109125d4ebc8d9

                                                      SHA1

                                                      5b571dc6a703a7235e8919f69c2a7a5005ccd876

                                                      SHA256

                                                      c4db872ff7d301186516882ea06422aee29e1c11b44a4d382addd5b801207818

                                                      SHA512

                                                      b7563b4d27713ec4308c24a0b15c02fb16e184b98bb73a4616792508f4ba57fe237186595b55e3fa476d6959388edd8678ea516ce620ee90c909a7b988d8b908

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10882\win32api.pyd

                                                      Filesize

                                                      98KB

                                                      MD5

                                                      c8311157b239363a500513b04d1f6817

                                                      SHA1

                                                      791d08f71c39bb01536f5e442f07ac7a0416b8a7

                                                      SHA256

                                                      7de358652c1732caf72f968a664301e256aae281003ddcb0f5ecef4b13101009

                                                      SHA512

                                                      ab9dadd65c582f2b12af49448fa4f5a96da00abcc257722331ac7e9cad2e2770fdb7a0f2db32c113f2df33e6c84c8c0d594a36f1fb4f3a9ccdb8f3dc1ddfbdbf

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10~1\Crypto\Cipher\_raw_cbc.pyd

                                                      Filesize

                                                      6KB

                                                      MD5

                                                      d30e9bc025e945891f107f04bcae994b

                                                      SHA1

                                                      0820942ff36a3706424c51bbf8c938caa8f32e72

                                                      SHA256

                                                      3ce91b610359b7c754682477a64c0e65e343fbbb7edaaffa90da6de0f80abf9f

                                                      SHA512

                                                      91f328b85d5712e3d6bbb01605f82b2fa75d393795a062eb6f8cf1686d6c55a283c4bf715415dcce8806f4bccfb0487e3bf0fecf5f8938223fbeae2f36ad3738

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10~1\bz2.pyd

                                                      Filesize

                                                      69KB

                                                      MD5

                                                      813c016e2898c6a2c1825b586de0ae61

                                                      SHA1

                                                      7113efcccb6ab047cdfdb65ba4241980c88196f4

                                                      SHA256

                                                      693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724

                                                      SHA512

                                                      dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI10~1\pythoncom27.dll

                                                      Filesize

                                                      388KB

                                                      MD5

                                                      bafe1a2db7031dd88803341887712cc5

                                                      SHA1

                                                      39daa19fc8c0b4301edb0c9fd3c3bc8abfea147f

                                                      SHA256

                                                      074f23f9710bbcf1447763829c0e3d16afa5502efc6f784077cf334f28ceffb7

                                                      SHA512

                                                      98395582c72e406254ade6a3b06cddecdce3b38a3a03aa9eb0bb6f81d6ac690beded7b88c4f2e5787d5aa062913080915e7e49198753cc851e8e4ef55432a9df

                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcgekg1n.jd0.ps1

                                                      Filesize

                                                      60B

                                                      MD5

                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                      SHA1

                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                      SHA256

                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                      SHA512

                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    • C:\Users\Admin\AppData\Local\Temp\huter.exe

                                                      Filesize

                                                      89KB

                                                      MD5

                                                      79df34c3f1e479d6ba436b3a8dc593ca

                                                      SHA1

                                                      b3ce27bb8261f20806b2f4a68fe1cbdb57719635

                                                      SHA256

                                                      1599e6892eab1915b6967ee24d5b37c4cad14cb291d725f8dc5986003c6d776b

                                                      SHA512

                                                      a6b97f08334adc66e4220433def6f3951181b105faa2d825fdb56bf3b2bca4ef3feca4b711b9b635c4a261f6e4fdcd262dd7ffbabdf70d36772ec831e39f53a4

                                                    • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2305a47a8d828f936f9d43f2807193e56d823c2cb35fe31984d54078f5f0b1f6.exe

                                                      Filesize

                                                      1.4MB

                                                      MD5

                                                      63af2cd5308dbba560add5b9c181a300

                                                      SHA1

                                                      671802c44d8e889f4647f80b07784778fbdd8818

                                                      SHA256

                                                      2305a47a8d828f936f9d43f2807193e56d823c2cb35fe31984d54078f5f0b1f6

                                                      SHA512

                                                      e55c6cf3053cfa102dd6011ce8876492bdfc0d2b294d2b4ab111f7134e865800ff77373587745417b8a65ce2811aeaf9e69a4c8bb219f726679dd42e37ad00d8

                                                    • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.Foreign.gen-538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89.exe

                                                      Filesize

                                                      10.2MB

                                                    • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.MSIL.GenericCryptor.gen-dc01a9daa0faa2f736420308b5eb907f3ef69b4486ed840315ad8825aae0c973.exe

                                                      Filesize

                                                      69KB

                                                    • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Gen.vho-522df9ded0f80f949cbf289271bbfc85c975f5a02f8d660557999a7362d5cad9.exe

                                                      Filesize

                                                      2.5MB

                                                    • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Generic-a6ecf451846d006f37ecd2f882ba15272bcc204430551f36ebab1ee1483dd6e5.exe

                                                      Filesize

                                                      138KB

                                                    • C:\Users\Admin\Desktop\00432\HEUR-Trojan-Ransom.Win32.Stop.gen-b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891.exe

                                                      Filesize

                                                      870KB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.iwia-21c066173b4f0addc251fdb8c0ff0db8c03a75687c484587295810499fa81d3f.exe

                                                      Filesize

                                                      511KB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.jjgl-a1d5d5d250959e5537ffb9504ac734310e752ab49e232e7b5d858ea9788157fb.exe

                                                      Filesize

                                                      5.5MB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.kpuo-d0739e195078e6507cd099a7cf7dd3bdc7e1893ad4f37b584d9a2b2b97599055.exe

                                                      Filesize

                                                      319KB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.nakz-f3c2772576750e6b9f5f4e74167d6300082372f1abf858c2dcaf33d2d99e6fe2.exe

                                                      Filesize

                                                      640KB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Blocker.napd-028cd72b30bc840405f00187c99045fd4ecbf9b2dbb1d365f5bac227614147d2.exe

                                                      Filesize

                                                      316KB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Crypmodng.lf-b4f9bf7078efed284561ab4c4a67474b187e34f920b0cbe0214a3b467f8d81ed.exe

                                                      Filesize

                                                      3.0MB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Cryptor.eek-8e91cd3a65188dd5a60527d8af541237d364484b4ad1e8eeffa93db6402918e7.exe

                                                      Filesize

                                                      5.3MB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Darkside.af-bec319df9d915b37f1a9713b5ad6bad63582474fa968177fbf0bb45926b8a8c8.exe

                                                      Filesize

                                                      470KB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.Encoder.mfd-670393677d08d180240b00ce24f8755f31a61536aedc5712f251932aefd7e688.exe

                                                      Filesize

                                                      7.1MB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win32.GenericCryptor.czo-43497d5d133ad2f7d040bd775e4ae18c017f4946b00b827161ba51b2c158287a.exe

                                                      Filesize

                                                      89KB

                                                    • C:\Users\Admin\Desktop\00432\Trojan-Ransom.Win64.Agent.dhx-fc06ec0272e384e8bc295d6f4b1c86d7ec9fcee704476663566e78b47b05263a.exe

                                                      Filesize

                                                      2.3MB

                                                    • C:\Users\Admin\Desktop\LegionReadMe.txt

                                                      Filesize

                                                      722B

                                                    • C:\Users\Admin\Desktop\readme.txt

                                                      Filesize

                                                      1KB

                                                    • C:\Users\Admin\Documents\OneNote Notebooks\readme.txt

                                                      Filesize

                                                      1KB

                                                    • C:\XK\Folder.htt

                                                      Filesize

                                                      640B

                                                    • C:\desktop.ini

                                                      Filesize

                                                      217B

                                                    • memory/1652-160-0x0000000000210000-0x0000000000228000-memory.dmp

                                                      Filesize

                                                      96KB

                                                    • memory/1864-159-0x000000001C660000-0x000000001CB2E000-memory.dmp

                                                      Filesize

                                                      4.8MB

                                                    • memory/1864-163-0x000000001CBD0000-0x000000001CC6C000-memory.dmp

                                                      Filesize

                                                      624KB

                                                    • memory/1864-165-0x000000001C150000-0x000000001C158000-memory.dmp

                                                      Filesize

                                                      32KB

                                                    • memory/2052-202-0x0000000002400000-0x000000000244A000-memory.dmp

                                                      Filesize

                                                      296KB

                                                    • memory/2052-205-0x000000001EA10000-0x000000001EA32000-memory.dmp

                                                      Filesize

                                                      136KB

                                                    • memory/2052-189-0x0000000010000000-0x0000000010008000-memory.dmp

                                                      Filesize

                                                      32KB

                                                    • memory/2052-193-0x0000000002390000-0x00000000023FB000-memory.dmp

                                                      Filesize

                                                      428KB

                                                    • memory/2052-196-0x00000000007E0000-0x00000000007EC000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2052-199-0x0000000002760000-0x0000000002815000-memory.dmp

                                                      Filesize

                                                      724KB

                                                    • memory/2052-213-0x000000001E8C0000-0x000000001E8DC000-memory.dmp

                                                      Filesize

                                                      112KB

                                                    • memory/2052-178-0x000000001E7A0000-0x000000001E7BE000-memory.dmp

                                                      Filesize

                                                      120KB

                                                    • memory/2052-173-0x000000001E000000-0x000000001E239000-memory.dmp

                                                      Filesize

                                                      2.2MB

                                                    • memory/2052-181-0x000000001E920000-0x000000001E92E000-memory.dmp

                                                      Filesize

                                                      56KB

                                                    • memory/2052-185-0x000000001EA40000-0x000000001EA6C000-memory.dmp

                                                      Filesize

                                                      176KB

                                                    • memory/2052-209-0x000000001E9B0000-0x000000001E9B9000-memory.dmp

                                                      Filesize

                                                      36KB

                                                    • memory/2200-1410-0x0000000000400000-0x0000000000B43000-memory.dmp

                                                      Filesize

                                                      7.3MB

                                                    • memory/2200-1655-0x0000000000400000-0x0000000000B43000-memory.dmp

                                                      Filesize

                                                      7.3MB

                                                    • memory/2460-1345-0x0000000000400000-0x0000000000436000-memory.dmp

                                                      Filesize

                                                      216KB

                                                    • memory/2460-439-0x0000000000400000-0x0000000000436000-memory.dmp

                                                      Filesize

                                                      216KB

                                                    • memory/3368-79-0x0000019CF8DA0000-0x0000019CF8DE4000-memory.dmp

                                                      Filesize

                                                      272KB

                                                    • memory/3368-69-0x0000019CF8D00000-0x0000019CF8D22000-memory.dmp

                                                      Filesize

                                                      136KB

                                                    • memory/3368-82-0x0000019CF8DF0000-0x0000019CF8E0E000-memory.dmp

                                                      Filesize

                                                      120KB

                                                    • memory/3368-80-0x0000019CF9D70000-0x0000019CF9DE6000-memory.dmp

                                                      Filesize

                                                      472KB

                                                    • memory/4856-42-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-47-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-49-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-48-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-51-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-52-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-40-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-41-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-46-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/4856-50-0x00000271C3740000-0x00000271C3741000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/5020-1491-0x0000000000D60000-0x0000000001580000-memory.dmp

                                                      Filesize

                                                      8.1MB

                                                    • memory/5020-281-0x0000000005B90000-0x0000000005C22000-memory.dmp

                                                      Filesize

                                                      584KB

                                                    • memory/5020-277-0x0000000000D60000-0x0000000001580000-memory.dmp

                                                      Filesize

                                                      8.1MB

                                                    • memory/5020-282-0x0000000005D30000-0x0000000005D3A000-memory.dmp

                                                      Filesize

                                                      40KB

                                                    • memory/5020-280-0x00000000060A0000-0x0000000006644000-memory.dmp

                                                      Filesize

                                                      5.6MB

                                                    • memory/5020-3051-0x0000000000D60000-0x0000000001580000-memory.dmp

                                                      Filesize

                                                      8.1MB

                                                    • memory/5020-272-0x0000000000D60000-0x0000000001580000-memory.dmp

                                                      Filesize

                                                      8.1MB

                                                    • memory/5020-275-0x0000000000D60000-0x0000000001580000-memory.dmp

                                                      Filesize

                                                      8.1MB

                                                    • memory/5568-1499-0x0000000000400000-0x000000000040D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                    • memory/5568-2910-0x0000000000400000-0x000000000040D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                    • memory/5568-2859-0x0000000000400000-0x000000000040D000-memory.dmp

                                                      Filesize

                                                      52KB