Analysis

  • max time kernel
    211s
  • max time network
    212s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 16:01

General

  • Target

    RNSM00346.7z

  • Size

    7.8MB

  • MD5

    dfcfe5e31652e77e5ce8e1147352b153

  • SHA1

    72b3a2b3db894426a1a31606a475aede7cbe546a

  • SHA256

    d9ee637eb3e5c900c4997f3d2dbe86883a86fa32064cf9f29d227fca7d9d429d

  • SHA512

    7d1d4693c5f85c354f784814b51ec955a834eba6e0d063138ffbaaf3ac7c7ca9dcc69cf90b1df6cff9edab9505e48f79ab4c05ba39f83da43da526ef92dfeb1f

  • SSDEEP

    196608:YFX30UAEo6Pd5lpAYoP8J9sTVPjz3izEbKPCHuvFFioCHr9nKM:YFX3plGp8J+TNjTizEbKPPTanx

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    strongnetwork2020

Extracted

Path

F:\$RECYCLE.BIN\SQAEVMXZ-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .SQAEVMXZ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/1786662e82c401c | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- 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 ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 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 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/1786662e82c401c

Extracted

Family

azorult

C2

http://admin.svapofit.com/azs/index.php

Extracted

Family

azorult

C2

http://allods-down.site/yumi/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Hawkeye family
  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

  • Jigsaw family
  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

  • Locky family
  • Locky_osiris family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Renames multiple (2032) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (294) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (93) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 19 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 20 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 10 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 47 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 17 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00346.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3060
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2560
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0.exe
      HEUR-Trojan-Ransom.MSIL.Crypmod.gen-fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Crypmod.gen-fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0.exe" "C:\Users\Admin\Downloads\syncserver.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Downloads\syncserver.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2120
        • C:\Users\Admin\Downloads\syncserver.exe
          "C:\Users\Admin\Downloads\syncserver.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2720
          • C:\Users\Admin\Downloads\syncserver.exe
            "C:\Users\Admin\Downloads\syncserver.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: SetClipboardViewer
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:1572
    • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.MSIL.Gen.gen-52fb5d2e5555c38c4d0dd1bec893423761ed56ef1edcd3fddffd58cd507d7def.exe
      HEUR-Trojan-Ransom.MSIL.Gen.gen-52fb5d2e5555c38c4d0dd1bec893423761ed56ef1edcd3fddffd58cd507d7def.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
        "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.MSIL.Gen.gen-52fb5d2e5555c38c4d0dd1bec893423761ed56ef1edcd3fddffd58cd507d7def.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:2472
    • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.Win32.Crusis.gen-8f26f91d2e4adb37d9c20e4bb09c8a896a15339e6021d289f4785696cc0c6e27.exe
      HEUR-Trojan-Ransom.Win32.Crusis.gen-8f26f91d2e4adb37d9c20e4bb09c8a896a15339e6021d289f4785696cc0c6e27.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:1488
    • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-93258bd4b3ff675544ab3d79ecd6bd12c1beca4f0e391e18d03889128c7b7a9d.exe
      HEUR-Trojan-Ransom.Win32.GandCrypt.gen-93258bd4b3ff675544ab3d79ecd6bd12c1beca4f0e391e18d03889128c7b7a9d.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1128
    • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.Win32.Generic-4ba1d31cfb6702102989e75875b25aa3ff4797ebc51e4af6e5b919211b34d79a.exe
      HEUR-Trojan-Ransom.Win32.Generic-4ba1d31cfb6702102989e75875b25aa3ff4797ebc51e4af6e5b919211b34d79a.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:1380
    • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2479a66e032a41060c43bf7c08d05f48d8cffb3231b6e183a1e25ccfccb06b7d.exe
      HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2479a66e032a41060c43bf7c08d05f48d8cffb3231b6e183a1e25ccfccb06b7d.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:1252
    • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Blocker.ldlo-b49b9a4bcfc90200223c824e09bf9b27b5de055da0c32932214f7d11632b1804.exe
      Trojan-Ransom.Win32.Blocker.ldlo-b49b9a4bcfc90200223c824e09bf9b27b5de055da0c32932214f7d11632b1804.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2856
    • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Blocker.lkvy-8afceb94b78a3baff39e70881e640cef8e4fb7bb519d80d84e633661b518fdfe.exe
      Trojan-Ransom.Win32.Blocker.lkvy-8afceb94b78a3baff39e70881e640cef8e4fb7bb519d80d84e633661b518fdfe.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Blocker.lkvy-8afceb94b78a3baff39e70881e640cef8e4fb7bb519d80d84e633661b518fdfe.exe
        rojan-Ransom.Win32.Blocker.lkvy-8afceb94b78a3baff39e70881e640cef8e4fb7bb519d80d84e633661b518fdfe.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        PID:804
        • C:\Users\Admin\AppData\Roaming\Windows Update.exe
          "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1792
          • C:\Users\Admin\AppData\Roaming\Windows Update.exe
            C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of UnmapMainImage
            PID:1012
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
              6⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:2240
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:788
    • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Crypmod.aasc-03fd8db4a2bd1902142b78e1987df2be4cab4464a3741548b24a0737ed9396c3.exe
      Trojan-Ransom.Win32.Crypmod.aasc-03fd8db4a2bd1902142b78e1987df2be4cab4464a3741548b24a0737ed9396c3.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1852
    • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Foreign.oavk-9f7bf6787312458d7eadbe93d7b855dcbefd525247925efc522a75ef2ad72713.exe
      Trojan-Ransom.Win32.Foreign.oavk-9f7bf6787312458d7eadbe93d7b855dcbefd525247925efc522a75ef2ad72713.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1712
      • C:\Users\Admin\AppData\Roaming\014f411da4023b0b3ad528fdd7fa014a\jucheck.exe
        C:\Users\Admin\AppData\Roaming\014f411da4023b0b3ad528fdd7fa014a\jucheck.exe 3ba74b916e40329c3b4b5addc75b250006a61046ceb85c08e65e8a8425fd6e486879f3ad344c38f5da3c6d1ac1266c92a2b3b8547df92cc1f246600ed1d0b77f85ab45731ba638113b6af17a56473e55bdaf6084dde40cb20daf82a2a9a84790a0c7ac2eae508a2a69d3f18e80b027a89a65847ad26d4e952b884738d9ad1f0d5747
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:316
    • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Foreign.obfe-b40e9ac06a608e8652f3252ebbd0884bd114ca7c42d8ab2d0a258200e528e65d.exe
      Trojan-Ransom.Win32.Foreign.obfe-b40e9ac06a608e8652f3252ebbd0884bd114ca7c42d8ab2d0a258200e528e65d.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:664
    • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Locky.xmz-f38b5b1d00196f68a51aaf3d6b560e5d171b871c0fd492fade02091e247fd3cd.exe
      Trojan-Ransom.Win32.Locky.xmz-f38b5b1d00196f68a51aaf3d6b560e5d171b871c0fd492fade02091e247fd3cd.exe
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1612
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1704
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys40D7.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:156
    • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Shade.pdb-94e39e9710ab725aefe4d7dffe3b93e447210e3b322666b9c8d42b3622094878.exe
      Trojan-Ransom.Win32.Shade.pdb-94e39e9710ab725aefe4d7dffe3b93e447210e3b322666b9c8d42b3622094878.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:2524
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SQAEVMXZ-DECRYPT.txt
    1⤵
    PID:2640
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1672
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2428
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1244
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00346.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini

        Filesize

        1.2MB

        MD5

        ab6b62dae9d3087a2e1d96727874e97b

        SHA1

        2e1acb399dfa309b1c94a74bb2c779c2d0c3778e

        SHA256

        b5adfe01237b808c1e68aa196c2aec9f77c9211fcf15be59cf6d67bc1af58a0e

        SHA512

        ae507cc5a2921510ffeb152e6e2e91ddf53d2c06c5014326641e1b4b611e4812090ea26c5fb22e548a70c87d92e9676f91edbbd8f0deb4deee912df662355773

      • C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.exe

        Filesize

        1.2MB

        MD5

        b37f537c07ffb61acf595d34bc6f52a7

        SHA1

        e6290923ce7878fed8bb119b676901fcb9442ee8

        SHA256

        894425d2a75b5bf688d74aefb7e09189a9375776fcf19d8d3216c72477009d1d

        SHA512

        fa38ab4676b172cd9909b40a55e23f8adb513d0f86172ff55c6ab4843e8505fdde51cdfe6fec0fae5212649fdb2fd138725a557722efddcb402c7dcc9eaaa812

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

        Filesize

        1.2MB

        MD5

        4568be6e2a29c991d2a65ba5bac07258

        SHA1

        a4f43adc6e99ebf1d30667ca912264e4bf0b8f15

        SHA256

        bf5ec7eafee4f5b3594e43c740cf2d90d63f2e48a62b74af5bfce9c71df42ca6

        SHA512

        9eaf19aefcd75ee45f317d745e67a846a47b5e594ff6bc804c62332e5aadb61bc58517ba96350f04c7fc7c2184a15a4f59974c02e5d77f7e9b80fe5293a9c678

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

        Filesize

        1.2MB

        MD5

        9833c5cecebcb5ee86ab09aae83f3219

        SHA1

        eb6bdb3ec8d51b3bd26bab2d848bd75391dc28d0

        SHA256

        a0434468d3a65fc64b9a4ede0fa2ed94d32499efb18dca8e9ac9f794879b2ee7

        SHA512

        497a20fc3b02ab91dbd3bb271a67e76d59d89a6f77b374b10d0e30d4bc02ea4c60612f8e70b4c2e370ceb6698bb1ae7f04e829ab60e5336bcded044920ef9ab7

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

        Filesize

        1.2MB

        MD5

        0420d608cc8ee8ee5f35df3767d53889

        SHA1

        59d15e6f8eaca6b09ab0519c3971f216703c69d0

        SHA256

        fb53d03c899cd57d333cbad7b173969df96017e5a969c88a2e4416584a4f186c

        SHA512

        0191ccc052a85beca754fdd185352fade71378731c7a4741eb8d311ffdd63691e30b78bcd2affec2625298bb067894a2c38c1ffc051930a1107d695a0bcafdb7

      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

        Filesize

        1.2MB

        MD5

        4dae4a5c177ea63fcfb67dba42454c57

        SHA1

        4d545d4a0955fb96a4446fa1b3516cef8cffbc78

        SHA256

        1c5d484e23f073463299e2da8f34783413e733f0e40c335b886227c116156876

        SHA512

        49ab9b22b5f0bca6fcf95f8862c49ef954fdb204420659a06c5c4a5d6a8fe26268a9816316b132d5dfe889adbf824e3073ec25b038207b7ea2def221c83ec97f

      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

        Filesize

        1.2MB

        MD5

        8ee96586fd86c4ef563209722dc5139f

        SHA1

        2f97bf0df377d0d524b09dbaaecb7ba3a8cfd227

        SHA256

        581d88fd442bed4ab8b43e1296b8f259947f383d6f39010f0b95572b6f0fe4b1

        SHA512

        9561877d73985fc91d7cd9ae1cffc8ff12652c167a9be90addc8a54b7542c3cd7d2213c5616f458e217fba585a11ec6c99b22edc3d6df5136fe21687f7c1ee6c

      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.fun

        Filesize

        1.2MB

        MD5

        8d2deaa202e5497894c12eadc1dee395

        SHA1

        c271e97814a19dd36916e433d56d48c5b56fd3d8

        SHA256

        a7ce22f258cd2d7b7e1c816f2e75f583da979a30381f984faac2a34203a9d4d2

        SHA512

        4724500883713ab2545963284e211823e3485f4dccb894cd8d6ee2d49d5fceb29e6ab96847554358acaef07a89523916d6f1b239d6236460d96357430644d3ca

      • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

        Filesize

        1.2MB

        MD5

        00a406661a76cf074da91eaf360565f5

        SHA1

        fab8686a391f63a650fdccf807af867e069be2f9

        SHA256

        6a5f825076182021a5289635988a82691e7685c329dd117bf941c11920451a07

        SHA512

        0dc67d6ede3ce11eb3025b4ad2f9b5919dbdf654ef89dab52157ec2d623e6d7de47268c43c03ccbb0b2bd09429e85bfc950fcd8d7c4804b166380034d6928481

      • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

        Filesize

        1.2MB

        MD5

        6c7d1b3ecdcb2dcb7a2667690dcd37eb

        SHA1

        81705a3c567b04e0ffce0fb3cce92d054677c9d0

        SHA256

        12ccbcd41308a9896b49ac4cbf68cf4d54aa3a02c95ecd71b8b0de9ac53d28e1

        SHA512

        4a9788396375690f62cca741d67c825a60a88d827ab7ab94038a598493e47e0e44e3f1194993bd9bf4e0d008695ffc66c4e9dbf10e96b2df0a2dbe2847930161

      • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

        Filesize

        1.2MB

        MD5

        0d1aedb30a7a3bbf85d70f95a42ce310

        SHA1

        bb823db9dba69ded5ad73e8f45efd8e49a3eafc7

        SHA256

        44fef6ee8e48a4175b275f64752afed71ceab8d61827f73e4a37b0b3ee085da3

        SHA512

        8d7573bf0c698fc0483fda8d8ec97fbfc854fc127481824c4eeed243fb39af9a9e6dec08e5e2e210336599436576aba2e8f7d71da53ff86bd85ec547e3cc90a7

      • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

        Filesize

        1.2MB

        MD5

        6459fe86dfaabaa2439ae894d2aa71aa

        SHA1

        d2e0f812fa3182d1a81b8852249d0b533173be48

        SHA256

        20e3ff277c2243cdbe68bb11a08225ce3ef2736dfe7de3cf4ad0dcad9e5ed4de

        SHA512

        bb0e08f7988aec5a47d68f704148f2f2f70d9bbaba36fb3abe58ba367519b644ba9080a6a8b60771851b1c1ad5a0c77401d64852e8e3d891c344640e0fb2c499

      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

        Filesize

        1.2MB

        MD5

        2236198281068333007018cb0cc3c1cf

        SHA1

        4142bca8b12c80a7c305f3ce26a2a14b1a09b71d

        SHA256

        c5bd5c4394565b4eff3b2b1744b5262ac1c6fe42e28e857121b3ef4b80825411

        SHA512

        21c9c50a3d5d0ab535e0500bd7687d61bbf2f8dc47c200ba8cb753fe89ae0b81b7b8f1103ab5217e3968f9a92fd918c4fc76791af80039791cd3dd2a238557f5

      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

        Filesize

        1.2MB

        MD5

        dbe71334232588e1b2f14ec3e5342d3d

        SHA1

        924ab18109ed0ae46d96ae3d693d5679c028ed2b

        SHA256

        63324bc6d583c6dea22e714b8ad09dd1f7bbb18e9cf6e118c28643008a5babed

        SHA512

        d7ebfd0c25228006ddc674f9cc776d3cdf5f7a1497825fbad77de3176fada1ecbd126d5d9d1a133f6c9dede7d7628ace04ce0507547811d1ec824792c069892a

      • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

        Filesize

        1.2MB

        MD5

        2c3bddf69eea02c2606ecfeb122b7b06

        SHA1

        6aa5b92a69aedce8d676b5907701d7a2f2a5fa8a

        SHA256

        8aa244a9a63c272474067f6e12e82a185ad90525a04064535da07162062d3fc8

        SHA512

        ff3a94cbebd4041cc112c00ce2377f94f6dff4d5043cecc58373e2611fa7c10e100f3dcc5d3db994c61cc64c82c29f54a3571f90bbf52bdb8741b94335d6a1e4

      • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

        Filesize

        1.2MB

        MD5

        1de6434b2ae16e7d05f00636a88b89d3

        SHA1

        226ea21a00639c2d508cbaf10d9831bf1d06f7fb

        SHA256

        2a821096c7e9df159ce8ad81b05b50e03a7ef4984756e5912f9db91a5d2ff101

        SHA512

        0bd5763036bab6711e17f8e780b5f9afb48c5cca0123d6aba9a088b07cefe7e3110b059bbf4588d93065fc01ad5c991ade325ca7275d4c3c9fa812ea5362bd58

      • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml

        Filesize

        1.2MB

        MD5

        f012cf15cd6427f145c7751fa47253bf

        SHA1

        67b88371e249a2cc816535de2a19c1674b4290fa

        SHA256

        9fff26a0fbd6bd77810512efc00fc42d8a495fb87d3d197936a2bd8c66bb0b00

        SHA512

        561b1d211b52f1ad353621c2f78cc768668956f512e4e62c50cb927268da7bc8babfe47fc034ff893ef7df8f8ab3c29901bcfbb480e359486e3dbd8e6515cd84

      • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

        Filesize

        160B

        MD5

        000e8c41d4a15fb34d0be0dbb56e3778

        SHA1

        00c4eae64ee6239d7c65d819c6ce1ac329224f8c

        SHA256

        8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

        SHA512

        775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

      • C:\Program Files\SQAEVMXZ-DECRYPT.txt.fun

        Filesize

        8KB

        MD5

        fff1e5c46b63c63a995e3ebce83a7f9d

        SHA1

        49ba6edd6c44f35b111b8afa23c0d3e9e06dec05

        SHA256

        2b6bdea97faf89460895d382ce2157c8e7c72a277729048485a9cf6732b07289

        SHA512

        d94781cf7d42c581fb8826da69e0163435a132479454fceba207fc6a5aab118e3e6bfda755a431d54103718355e4f5ab279cd5a5d2727cb2f6795dae280d9d5b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

        Filesize

        914B

        MD5

        e4a68ac854ac5242460afd72481b2a44

        SHA1

        df3c24f9bfd666761b268073fe06d1cc8d4f82a4

        SHA256

        cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

        SHA512

        5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

        Filesize

        252B

        MD5

        1a29a38b422edb8d2d6c809bf393e522

        SHA1

        244a958fa669edb77086c1a9a3abae2dd8183479

        SHA256

        f288960c51b3f16ec9ae2ebf3708342a50c4f4ca3650bf4df2839748a878b89f

        SHA512

        e9609033f888aae96c80aacbcd13622d224847d92daaed30bd912d819109923aef2ce8bc220da912f2d9809ff927f8c410cad049d67c87402458cf50bd5522f3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        a0c8f16302243e2ef0180acbe2c8a54d

        SHA1

        39b06640a0c13aeae672b857fa028d311ae83115

        SHA256

        506aa32cf943ac33ff06b5686196a87cb245e1105438a7bf6101bff11d144d00

        SHA512

        95b1611d0f8e1261b27b3041c71f204bf0b741ed9f8bb09a8640b03a7751b3b01ce143988cc12759abf964c00d1ba0799d81a2c6a85989c9b5967c19c7e14d4c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        017457dde67af384c1a34585cfaa46db

        SHA1

        000adb16b140289a3d55d40e8f3924e97de8f76b

        SHA256

        a9a42329df98ab703d5b70ef753afd42832ab0b1042058468a76adc54e7ed592

        SHA512

        3fa1b6b225e54a0fa48a4accc54c283afbdd5c3be434f464e057b16a98ca6392145046fbe5bb53018ea56af7c2a06cb9c070a743ed031778bab4bcc3c5761b09

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        6716d77d5198fe909440ad2777e9aade

        SHA1

        177610fd65cb4a0d9b2187c920fec2026eaf8127

        SHA256

        521bfd3b37fb7804c33c1a7588827c8bef5cbfe78fb9de929d3cf838d07b0de2

        SHA512

        88a06637c246c9dcb69930d4b4c647eb15aa672f4441e72e14430d3f494f2a11ca221b7f953160da947cd68c3d3db0fbe9e7aa11b335d440e2555899f2fd063d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        8e0dd2c9b04e12da90e3ee5b76f89ea4

        SHA1

        2379dd1d8e989321d21053167c1d8dafcabe27dc

        SHA256

        38e7d61882c3e34f3ebf85fa679a2b79e6ff6c824406a5cd9211ea92c2fc0f95

        SHA512

        59065eba2fd7afc1401f4317621721475aa51580da157fb2e7d82c556936d36d26574fd46438a865a76c06b8a2fc86842054aeedb5057140c992d40921099e36

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        e81bb632a124e41f1de7b1758d879c82

        SHA1

        8454af5c646f4b2225b860d4fb66de6d59660e85

        SHA256

        2eae30f34cc5c108e76a085ff05370400738b9a54d8896aa948ba19b0c495e86

        SHA512

        424fadc09c3d5a0b2792abd53748a1d804966ea412a6400abe23974e1bdab65c292afc6af5016c20b3636303bc9bf42f4180260241527f5e58102e3a63b15a00

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        de200c305eef4005092c8fcce39eadbf

        SHA1

        db4578158096b78533889677c09b8b056d46db32

        SHA256

        7a39574aaad59770c84ce48aaa4d3c8d443766332cb9dfe9c739667688c2899e

        SHA512

        1e548da4cddcc6fbb7392b5a2fedb742f9483ab7e499f4ffef593497a2eaa98bca4b0d9f95ea724dd51d5a26269e18680126cf19fdf15fbd7cb1a04880a7fc5b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        5b6146bc3fb905931287d04799f3acda

        SHA1

        c9baae08f5840949049ef778c6064430ae8694e9

        SHA256

        ad9e87ac926290b86e3bace8ba4a257f0398801689ae0ae945012339ef8e2688

        SHA512

        c3a85722b2713613fc551e2b013d0a24ec5747ec025d320409af9c1eb649bbeae4c66f7dd7064cc830a52a1afbff63776da84fabb9ec1af6c3a393144422996f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        bd5bb0f770130559912e495454a269e6

        SHA1

        97a08e56da8bb64810d6c77578e515853f77df64

        SHA256

        e3438a7390163f63e102e11948bfa35f69b467a2af982ecd3f0f6a4ee1a061c6

        SHA512

        74774fc7e71520b5a776b14c00f007906ed33ab13c01d30e9635f4253f66fa901e56840c14b0323e49ee4453c7369a2ac7f42ff534cd87aa2d9825a9e608dd79

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        894a87846ee6c2f5c4406a628458c91b

        SHA1

        7edcdc54e305bf5560d374d1f08163df83ddec4e

        SHA256

        a20d35d7e0e9d4f1c3fd068e5184838280a0dc912380f8db2b0ea68a29e7148b

        SHA512

        7cc2e21a7efc9ac2e2fd99f1e21c6f137bfa88d1aedf60cc4d4327aa042f043226612617617a34c01929c7d4008a5d175f1e17713c082c6c671997d6c9dac28f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        792127cc26ba1c4018e890781ada3a03

        SHA1

        ffc8bf935a7e05e0a5af0538a3ceb9a3318a8f0b

        SHA256

        e25990ffaebac7c722ab47d284952a21151b93a1510f03ba8ad6da83fc56a0e5

        SHA512

        10363567729f6c5c8e1902bbe2a191376a58493cef33efc17d68bf3d46b47d79a6eba26866b7fd2114cd644a734a1cb160bb808e20841a02bf042c3d53e0e681

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        8f847c39f3d12ccf55b5c6911ec8f0d3

        SHA1

        e22cd71b9cc8189c2fce935c72a34661db9efc48

        SHA256

        66088305355cd8ac03f286ece2fd401f80386a3fa64bea0390f78f9893053b6f

        SHA512

        e67513c7a0b50500a8fb034b204982053eb1ea2a8ddf0db229d7a2baba4d26aa4b2d727a4795f721fec4b3d9d8e7c92d4f9d70837392f0bffb4ef2579b76fca6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        79f223f6d6ed6f19420f7a05068eabf1

        SHA1

        c363e7c55794c739ac76244baea53990d4d2cb36

        SHA256

        ca7fabfe010cfe05cccdde637cb6b993129a3f23ae43297de5899259e8766771

        SHA512

        b5f41a6061084cd175557184e9200fc0a71f9e05d0b3f68d1743000a895685fc7a40216da0257fecccb3c1098e289fbc52fa244c3573db1e8e480079d1c63d68

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        15704fd9daa0a7ca37868af4246514d5

        SHA1

        b20d197d7a1b8a21816e80faba3684551a2ea2ad

        SHA256

        74cf4af313bfed74b5712b33b716334c284814fc0d549daa95305b93fccab366

        SHA512

        14a428b59c53959e7dc1e5ac5c445974e503b7229ec1eff363ccc412190ab11fa9814bdd767f3a65fde704a5e3c76cc663d3224bc98126c9cb4401b62c8a87cf

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        e9e751d3f8316551ab6281a68242ce42

        SHA1

        eb4eefa11864f19a4dce03d52fea8020e55a1eab

        SHA256

        32ecd5dfa9be703877ecfe8d60e0bb7ab9a1a47f06a684601b93b6112e190197

        SHA512

        2429fabd7b600ec95795298047bb4337fe280ba9a229cd8d2c5981b8be57259dfba3b49cb7210e272c9ea47e2e59fe416d697475a053bc75076b9f93ace63123

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        217f5bfa446a0159c15abc07e4ad11d5

        SHA1

        526e8cf54db2c323c3f1686d45d4de8e99e969b2

        SHA256

        d7b98fec1729bc91e3a0e6dd83d9e3970ec2a01ac39fb841d6adc5fbe1471d49

        SHA512

        0ccc6fcde672ab1e74d1dacaebb6c7c1b4a23c35565883b312b22d09cdc71ebaa1d04b2a38eedbb8d2dc5f5dd939797dfaddd2a0af57b38e44b8867aefe8ec1d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        30446215088d9ed38e9fdb84d8b14b53

        SHA1

        0f1aa3987a9a66592a14c3680c1fa64de2cb539d

        SHA256

        cfb8364bea7c487965e18b00615029a3938cf495102dfb2abe14f4f675361014

        SHA512

        426c83fbe15d5ebb85457fb3a89a22c3268fb5658d8a0ff69c4cc20bdd93c3608f06943d53dc492d41027cd2ee5bd0dc6bf777f82ffd01db997fdd445792a780

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        e6ab7f6b7de6f9428a42898dd12495a8

        SHA1

        d0ba6abef47ce31525b0ab39e864c0e0422db015

        SHA256

        ee16d874273c82d3d1e683fccafa1a4c54690177456bf4183304515fcdb0725c

        SHA512

        47c74f436f25b2a26a3558682f174f9cb70232581f191dbe6b6e2f14b818f5bbc41421b553d37f7ca871c730876370e9f42731eea2a3d34bf24fc59c99e38ad1

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        d7e3fe0c91743566b89ab9d7da9b27d6

        SHA1

        ab2d708185310129cf0dcf0caf59d99fd4032f62

        SHA256

        5e4ae9972784452bf688fe99b0e7bf95f6f7752743ad8d5e5c6c2de1c76c6163

        SHA512

        1bc578e6687a391b905936c14e37bcbedd9a88ca10884581a73d56eadaa60041a8755c2c9bc11c8f95e3d3cf5f37435080272afd8f5ba7ee9652da9958e0e4f2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        06132778d4f85237e38c2a1ab4104986

        SHA1

        d6e3bafe2d479af2584f137b42d37326c8d6011c

        SHA256

        d8f490db56f55d4dacd8f8718f8089e7e17bd6752bfd9fe56026bfcbed6e120e

        SHA512

        53018767eddfec8458fe4b28417ccfe29c0924c9004aaac36a50d1444772d829579e2d99e333bc85116b4a9e558a19d9c8748e9313f5902c212d2b127d1eb0ab

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        67cc2cb57d7e357daa30158c342cce50

        SHA1

        9d6b4a3935b76d0965425c3e62ff15e93e581289

        SHA256

        dddfbdf90f4eb1fc5f0ba2007961881e8c3c4e3f6516fd1715bd00ed45ed255d

        SHA512

        319beedc6bf3a4b59a3fc23d55bc0e05422cb09bca91194a22b3beb48462454cd070038e37cea6534225feace0b42d4dde777c1056fc96b4756c2bce1ad562b8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        242B

        MD5

        6d917b32875d7d6e7a9690f87193070e

        SHA1

        06439dbe85a8bf04e03150e0b4e6d0f216bb3fc1

        SHA256

        897f517f71ea512df6fceb0d90e2a884b95e086eef02dae61992336cb9723d60

        SHA512

        e16418bd667c7ef4616a2285f137143d091f2f2575781916ebae92d76bcdd9e7f9daa86ce29df9b8bb2dcd6bb1987ba82881cb78c7c7d63bab630139b182b049

      • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\container.dat.fun

        Filesize

        16B

        MD5

        cfdae8214d34112dbee6587664059558

        SHA1

        f649f45d08c46572a9a50476478ddaef7e964353

        SHA256

        33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

        SHA512

        c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

      • C:\Users\Admin\AppData\Local\Temp\CabB1A5.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\TarB531.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

        Filesize

        1KB

        MD5

        24fd592890faf88e38137c08493f7ba1

        SHA1

        53529883b3ce3e054311e310111376dacc2436d0

        SHA256

        e4460e7c7e6841380d5fce8ca86705a7ff7fccde911f646535c1fd95ce80cfc5

        SHA512

        a182427bc17bca2212b6a022028e7b3340f485697943cf196dc6549c07efa65d1041df24c113e0d631b87fc8c7166de3af83775887fa6c47d4c02722d88dd869

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

        Filesize

        1KB

        MD5

        9162e8adfd9648aca1fafce0475ce68e

        SHA1

        722aba4ba0276d19bd77d48214ca5371dc990f3d

        SHA256

        0346f299ab909bdb8630ec751780dfcbf8df70b524a87c37aa591b8199e803cc

        SHA512

        10f7040e29f566b0b31355bbfbdf98bb39e00ccc570ef9a43ff6e30bda4fcf4fb5675a7f2eeafc0124cf2ec8e68fec3acf59a036a7c873d4c629b4f48545c423

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

        Filesize

        1KB

        MD5

        c823b083af6c002e948ef9d82fb26632

        SHA1

        23283cbbc71571c84a5e8cee659a1851cca08cbb

        SHA256

        3bde30db17d9e21ec422c4bc9c0172235f9eab7e2a9d38d5cd58875fa9cee85f

        SHA512

        e6c939f6bf31e8760730c1c7c12a2c8fa6632a7585fdfde00578d3c5ac766445593b70d4e3d267c7899832355716b9e3ea2d9caba1f3538cea617fae0185cf77

      • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0.exe

        Filesize

        1012KB

        MD5

        11a218065f8a3fdc547ec25b79e56177

        SHA1

        31dcbef73197d04a99bf1358e09c6c809ab4c298

        SHA256

        fa4e1cb3e41e49004906adc5e9a22c484d18439fd84611d72f5c4fcac445f1c0

        SHA512

        6ef2ed805a138c84b3d51c7f79f7c8d867c4813ddd6e2a799f8644cd786a24cef045b4220de28ab8474386e4ca38434a084dafc8be27425e1abb2fbe107f78de

      • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.MSIL.Gen.gen-52fb5d2e5555c38c4d0dd1bec893423761ed56ef1edcd3fddffd58cd507d7def.exe

        Filesize

        60KB

        MD5

        a4bb3a5cb6835c089d769100d5461662

        SHA1

        1b9859cc946da91a0414894cf80d123bbecdb231

        SHA256

        52fb5d2e5555c38c4d0dd1bec893423761ed56ef1edcd3fddffd58cd507d7def

        SHA512

        61e91d0acc6862654d0d7ea4f1275bfa3a00027615c6551eaf11c448bf9eab83525ddf0e3c3e4987a3f10ea23447e2766f4dcb68294058593238ec65939765f5

      • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.Win32.Crusis.gen-8f26f91d2e4adb37d9c20e4bb09c8a896a15339e6021d289f4785696cc0c6e27.exe

        Filesize

        4.3MB

        MD5

        70c00b229ef625c6823fb7e499350b65

        SHA1

        adcde6250040d3d713f770c2c9fd39c767cfc71d

        SHA256

        8f26f91d2e4adb37d9c20e4bb09c8a896a15339e6021d289f4785696cc0c6e27

        SHA512

        c6bbbbfee20e00ae048edad5187a34088079b9acf7c694ecf3f3ebba8eea93be44409ad9879e2f07c7b8b49c818d9c828bc29a419101fb8ebda01e91072e46a3

      • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-93258bd4b3ff675544ab3d79ecd6bd12c1beca4f0e391e18d03889128c7b7a9d.exe

        Filesize

        220KB

        MD5

        ed9d937ce471f3a3bb3e3062928be067

        SHA1

        135e613ad1a7ca3609e2fc2557a3b2b3d8249e4d

        SHA256

        93258bd4b3ff675544ab3d79ecd6bd12c1beca4f0e391e18d03889128c7b7a9d

        SHA512

        1fdff227a43a35625bf7103611b8079326561f87d4691d7fbed1711cb9979171b14e017d5d7c42f45b237219b6af58014fc64bbd03a62ff4067ce56373a9b19c

      • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.Win32.Generic-4ba1d31cfb6702102989e75875b25aa3ff4797ebc51e4af6e5b919211b34d79a.exe

        Filesize

        805KB

        MD5

        0bb275161909d13e4523ea8904a5f74e

        SHA1

        be6069f6a2d90ffe5b942216c22c62dd15cd70a7

        SHA256

        4ba1d31cfb6702102989e75875b25aa3ff4797ebc51e4af6e5b919211b34d79a

        SHA512

        d6bed9ffdd013d8336bfd467f8fece47ab19d2c783b2a46efdf926a206768f9e50592307058a42c62ee895aecb706fbc5364b728162d4d75e0dbc30dba2d0df7

      • C:\Users\Admin\Desktop\00346\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2479a66e032a41060c43bf7c08d05f48d8cffb3231b6e183a1e25ccfccb06b7d.exe

        Filesize

        1.2MB

        MD5

        1be46c5fa0adc1e5877ee1653a86c99a

        SHA1

        8c9c60f258b794fe5fa3a14f464f7ef300ba53ce

        SHA256

        2479a66e032a41060c43bf7c08d05f48d8cffb3231b6e183a1e25ccfccb06b7d

        SHA512

        f78839a99582a705ccb15bcab9a693884f7bd20f2fa90224ed111f530b67b22c3ca581fd232d4d5dd992b1fddbaa684abfea5955a2d2d6aaca27ca054a663ead

      • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Blocker.ldlo-b49b9a4bcfc90200223c824e09bf9b27b5de055da0c32932214f7d11632b1804.exe

        Filesize

        193KB

        MD5

        ccc2fb58facdad1bb81383b4a10c3fcc

        SHA1

        5b6a28a16e9f0af64e2960cc21634b6b72f4b44d

        SHA256

        b49b9a4bcfc90200223c824e09bf9b27b5de055da0c32932214f7d11632b1804

        SHA512

        d8f25df923b2c5420e41470ad44b2c8f2916155ad9cb4add097cfbb13136fe274390cb702a85aa7cbfe9af3bc47afdbfb61c5b11c3fbaaa55c4c212551f54bb4

      • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Blocker.lkvy-8afceb94b78a3baff39e70881e640cef8e4fb7bb519d80d84e633661b518fdfe.exe

        Filesize

        841KB

        MD5

        24ed4bda7fb0c595c974cc4e317d61df

        SHA1

        8cf99b0a3ec7e2a882767f87a71e4132116ba192

        SHA256

        8afceb94b78a3baff39e70881e640cef8e4fb7bb519d80d84e633661b518fdfe

        SHA512

        e3fa2975fc7869537a760a7fbf9d78b006a42de6532f02b8e35602bd19603c94c3a1902eae1dde463ca6783662c8d3f478da64f759c43e17fce30c76fcde05dc

      • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Crypmod.aasc-03fd8db4a2bd1902142b78e1987df2be4cab4464a3741548b24a0737ed9396c3.exe

        Filesize

        525KB

        MD5

        4c6eb07f34609b1a0c88035ec120da79

        SHA1

        fc00bead37f088ab0a89431bcabc30aa8cc6f524

        SHA256

        03fd8db4a2bd1902142b78e1987df2be4cab4464a3741548b24a0737ed9396c3

        SHA512

        6f6df98916aa8afc8bb545368c4a8e5658ee3b47fe9f130dcb0da4eb715b951e79c42b01beb61fed7830c765c422597d136f1c69150836592884da0e92198df5

      • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Foreign.oavk-9f7bf6787312458d7eadbe93d7b855dcbefd525247925efc522a75ef2ad72713.exe

        Filesize

        486KB

        MD5

        b5bce6777b2dc6220de6c31a84f97499

        SHA1

        469d0e52a5e9a4132ae08cbb394e5da51bee46c8

        SHA256

        9f7bf6787312458d7eadbe93d7b855dcbefd525247925efc522a75ef2ad72713

        SHA512

        0f0c037f73e106c2fb70b7759bacc77b7fa6d721a3221015e354724c34ddb1b6c87aab4849a26c6a97a9b55f789acb906726b2c0941c20e8b6e9509b39dd1af8

      • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Foreign.obfe-b40e9ac06a608e8652f3252ebbd0884bd114ca7c42d8ab2d0a258200e528e65d.exe

        Filesize

        936KB

        MD5

        b209a4295cf28df19312ba52fee2e6ba

        SHA1

        4dc4fbc83b29eebdcf7fed768b12cf50b0bd0e87

        SHA256

        b40e9ac06a608e8652f3252ebbd0884bd114ca7c42d8ab2d0a258200e528e65d

        SHA512

        808de7eb55d076b77b2fd8e2a12837565c9c46445f04d33529ae24f14946320ce279b3935fdacb0695c61b2ac94bc392e27064709680f8cd1bd9b0d5fb990f2a

      • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Locky.xmz-f38b5b1d00196f68a51aaf3d6b560e5d171b871c0fd492fade02091e247fd3cd.exe

        Filesize

        372KB

        MD5

        94b0db77adf3fa8663f757bcceba3039

        SHA1

        5d9f0098afd602deac99e815e4211007cccde9ed

        SHA256

        f38b5b1d00196f68a51aaf3d6b560e5d171b871c0fd492fade02091e247fd3cd

        SHA512

        7b38c87fe820bdfe86bd15697f87995d6229d61c31ab1eac5ed0b29d74f618b8104c16cabc0e8147dc7c2b7bfb71b9be0a054ed70d60129a0a012d6c9a659d0c

      • C:\Users\Admin\Desktop\00346\Trojan-Ransom.Win32.Shade.pdb-94e39e9710ab725aefe4d7dffe3b93e447210e3b322666b9c8d42b3622094878.exe

        Filesize

        1.4MB

        MD5

        d478fd0974ab0ce6ea0fed098a15130f

        SHA1

        825b0ff9867924a83a4a19718032c60762dc1631

        SHA256

        94e39e9710ab725aefe4d7dffe3b93e447210e3b322666b9c8d42b3622094878

        SHA512

        2d88853bf7cc42afe7951c7d29261d879fef5486148ed43545c12fae09edfcb7d51d5a37e4ee03a4e5c18852bc643c38b99e430c8f9c544c7fc5ce38284ba372

      • C:\Users\Public\Videos\Sample Videos\OSIRIS-bcb3.htm

        Filesize

        8KB

        MD5

        6f3b4e9d75a0cb5213a986f81a112885

        SHA1

        4d04e13e620c781490e37502e0d10f8de4d7c857

        SHA256

        349271610ffe5743f57aa5c464ba0e32acc69fdef238fa8f55f889c9a5dc3d98

        SHA512

        5c37c774520ba9e9ee5a061582e00fb67005f0b022c4a63d348317913b33f5cb806d3a6308074d0b2d6137eaa2d621da2fa83d39723e3579450b8ae5db560bbb

      • C:\Windows\SysWOW64\notepad.exe.exe

        Filesize

        1.3MB

        MD5

        8367c028549d7927facb1aa3de95a2e9

        SHA1

        0221e9c68edf6645f9de3e7ca59ade2bc719e913

        SHA256

        030b2d2283d479ba49b726755cc5c45d36a0781e71ff0daadcb66d49a246ca7d

        SHA512

        34c435b396efb55a13f1fd6351a159cc71360c21d79efe777a15f90d37d2dc3156c434d2de40cec9cd65f7cf7754e56e57a50c7a904f517a3798940b7989128e

      • F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini

        Filesize

        1.2MB

        MD5

        a75ffc3e0a5359ce96d11e16d2910638

        SHA1

        42cdc65a0f1f9ad4ebfed0e2b796bbbdef3d88b9

        SHA256

        af273af96fc4fe2c97b183e66af4426b59ef350b4288ceb6c1e59c3c67fc7329

        SHA512

        23957de52429ef8d225e9e81a275d49ff9c8eea3b0fcdfb5a3d6c04cb15681b0b5fe2e4531bda5d0e2886c4df14d44646ff2d1340bcd4c6ae67dc8c2b8803ad9

      • F:\$RECYCLE.BIN\SQAEVMXZ-DECRYPT.txt

        Filesize

        8KB

        MD5

        8f2d2c378b8124e8d1c27afba729fff2

        SHA1

        bbbffec23cb25df30b54440fcc1286d2e5d1ba5d

        SHA256

        6e30a84a60dda51d0b427a571e4588e10e0f85af89dd0e052fe8bf4dad1c8307

        SHA512

        1e90f67bbb521d835123c82391a4560adb6b587fb447701cc1c4de06492bd34ff7a23c24e3cfd96839d86c47e60db94cb5d0af0924007a36bfb6c59a6553e95b

      • F:\AUTORUN.INF

        Filesize

        145B

        MD5

        ca13857b2fd3895a39f09d9dde3cca97

        SHA1

        8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

        SHA256

        cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

        SHA512

        55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

      • memory/316-4205-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

      • memory/804-1556-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

      • memory/804-1542-0x0000000000480000-0x0000000000510000-memory.dmp

        Filesize

        576KB

      • memory/804-1538-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

      • memory/1012-4193-0x00000000026A0000-0x0000000002730000-memory.dmp

        Filesize

        576KB

      • memory/1012-4192-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

      • memory/1012-4188-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

      • memory/1128-460-0x0000000000400000-0x000000000091F000-memory.dmp

        Filesize

        5.1MB

      • memory/1252-563-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1252-1988-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1252-1744-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1252-1163-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1252-1559-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1252-239-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1252-4204-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1252-3638-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

      • memory/1368-78-0x0000000000130000-0x0000000000234000-memory.dmp

        Filesize

        1.0MB

      • memory/1368-143-0x00000000002D0000-0x00000000002F0000-memory.dmp

        Filesize

        128KB

      • memory/1380-613-0x0000000000400000-0x00000000004CF000-memory.dmp

        Filesize

        828KB

      • memory/1380-562-0x0000000000400000-0x00000000004CF000-memory.dmp

        Filesize

        828KB

      • memory/1380-238-0x0000000000400000-0x00000000004CF000-memory.dmp

        Filesize

        828KB

      • memory/1488-237-0x0000000000400000-0x0000000000E80000-memory.dmp

        Filesize

        10.5MB

      • memory/1488-57-0x0000000000400000-0x0000000000E80000-memory.dmp

        Filesize

        10.5MB

      • memory/1572-4869-0x00000000003F0000-0x00000000003FA000-memory.dmp

        Filesize

        40KB

      • memory/1572-4811-0x0000000000080000-0x00000000000BA000-memory.dmp

        Filesize

        232KB

      • memory/1612-1579-0x0000000003E50000-0x0000000003E77000-memory.dmp

        Filesize

        156KB

      • memory/1612-1578-0x0000000003E50000-0x0000000003E77000-memory.dmp

        Filesize

        156KB

      • memory/1612-1582-0x0000000003E50000-0x0000000003E77000-memory.dmp

        Filesize

        156KB

      • memory/1612-1190-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

      • memory/1612-1736-0x0000000003E50000-0x0000000003E77000-memory.dmp

        Filesize

        156KB

      • memory/1612-1741-0x00000000042C0000-0x00000000042C2000-memory.dmp

        Filesize

        8KB

      • memory/1612-889-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

      • memory/1712-3630-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

      • memory/1712-3635-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

      • memory/2428-1742-0x00000000001F0000-0x00000000001F2000-memory.dmp

        Filesize

        8KB

      • memory/2440-241-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

      • memory/2440-1560-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

      • memory/2440-134-0x0000000000400000-0x0000000000488000-memory.dmp

        Filesize

        544KB

      • memory/2524-74-0x0000000000400000-0x0000000000607000-memory.dmp

        Filesize

        2.0MB

      • memory/2524-79-0x0000000000400000-0x0000000000607000-memory.dmp

        Filesize

        2.0MB

      • memory/2524-3036-0x0000000000400000-0x0000000000607000-memory.dmp

        Filesize

        2.0MB

      • memory/2524-77-0x0000000000400000-0x0000000000607000-memory.dmp

        Filesize

        2.0MB

      • memory/2524-75-0x0000000000400000-0x0000000000607000-memory.dmp

        Filesize

        2.0MB

      • memory/2524-73-0x0000000000400000-0x0000000000607000-memory.dmp

        Filesize

        2.0MB

      • memory/2524-72-0x0000000000400000-0x0000000000607000-memory.dmp

        Filesize

        2.0MB

      • memory/2560-411-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1067-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1747-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1575-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-26-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1537-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1536-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1531-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1528-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1527-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-546-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-410-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-547-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1069-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1070-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1680-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-1066-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-888-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-877-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-868-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-866-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-619-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-615-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-614-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-601-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-27-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2560-28-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/2720-3529-0x0000000000260000-0x0000000000364000-memory.dmp

        Filesize

        1.0MB

      • memory/2856-447-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

      • memory/2856-240-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB