Overview

overview

10

Static

static

1

RNSM00343.7z

windows7-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 17:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00343.7z

  • Size

    1.3MB

  • MD5

    4fe3af6bac579438ff43b2496a83f194

  • SHA1

    5934f6206616690c5857e229d34a1da14c70f7b0

  • SHA256

    173ca0f92742d045715ebb426f110998ab55fe3e8c2694b34dda2024322ad03f

  • SHA512

    9abd4145f4e76a0149d2bc510409146efe22b867f1438672aa97144efee57b33a4ecf64c2b43c57d82728598d2db1f177a2037343c590e20a8e2de0372303fba

  • SSDEEP

    24576:klryBLsPFe31HEXPzUmWzx8fnwzdLQ2jVj0OYha0iLjpDk6uwj4Acfu5vkkvJlyt:VBLwaEXbUHEwVdxjVuy47AvVRcwBk/

Score
10/10
gandcrabnetwirebackdoorbotnetcredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwareratspywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://3kxwjihmkgibht2s.wh47f2as19.com or http://34r6hq26q2h4jkzj.7hwr34n18.com , https://3kxwjihmkgibht2s.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1N9dsduqYSk1zVrHVCN5rFFyk15mRyJKgq Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1N9dsduqYSk1zVrHVCN5rFFyk15mRyJKgq Follow the instructions on the server.
Wallets

1N9dsduqYSk1zVrHVCN5rFFyk15mRyJKgq

URLs

http://3kxwjihmkgibht2s.wh47f2as19.com

http://34r6hq26q2h4jkzj.7hwr34n18.com

https://3kxwjihmkgibht2s.s5.tor-gateways.de/

http://34r6hq26q2h4jkzj.onion/

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\DYEYFMNF-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .DYEYFMNF The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2cd5b16f4409ceb8 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMAjflw9OaPT4UtFhjlEaVbwakdgw20xEAJFolqxJp/6tuWX6lZ4mFEv4VIRjrkNWV75YOcK/ldE9vS4CY8cNxOYkQD/rpQrY0CfRiBYxMwslWSDPMh0dCHmbzY3iM6+Jg4nna4Z2E4XZ1JTh4RiH3MN9SF/gNbNX2bxqC7cgK0uzLb1ownnrpgd3BQ7a19lzTbEno8rFDeKMzm2RCjnI8mp/MaPp2rsYG2m6+yK3rJ+54YYbjnUtqqehFRWs79sUaP3iTlez4pgalzmCHpWJrTdD9l3ZWBfwrH1461Vms/OKc9n9XwAI4uALAYIzxdl9SjJF4W5JrC9J/EX9ar2+kIYvk/JdWdU+l2MK3/c3penaAELVIBw+qBPSUILHsZ2vvAt0+22sxGrdsldkUfDj2NU7R2jt8Rl7WgLigZyIuPD7zM8nf1UTRbLPu1j34xEh3CadgodLSeuwVHnuWJySs6kxWZb6WcZOopyrLUO91kX14mEnTrwrg4RPu/3T3o9Ozu8nCSyZv0vxl8Q5OOZ8TamiHrLPY36EtG4kY9WWxqSz/OInCq2DrNQDNMMHQFx+WDp2zWl5ZUyg3QMjiYsa8YSoCauveSChK4xG5uWZ4g7smX6BuQoFJoqEWSRMdcYrqSXdgJxrKPqG9r2o/Rw4dduRz3Wk3WqrC2C7WOrHk4YUIirTu6i7W4ZWX96xOjY7/dusWeMrSz3TT/rpPj8TppwoXNfiTy1di7HFaVIFT/G1xU0Rv5ONTosGft1wtcKvN7PwefwMtixtK/O3hJMke/FreJEic/+LjeEcg9ORRznfiWrZBgBAH6QPqJyUHLIN/AebJuLlLgH/XnQjaPWS3XHRGSWlctUVfjqZGM0daj6xbcgbCe7YFUvsQLtyLA9EraNHiYjNJm/fhzwvKignRPB4Wz1N43zNPFvPBgEGKrOrdyQ/RmvZAQXk28lsrDTf7QpaU6j/IrwJFBkXdPXMz1EQ9DmTztbMXTomiUMwxjPh+REPRPC5neeznxptX8qy+zCpRqsLgJXgjb9AdoQzFk5rxzyOMIeX27AWSt5SSOh1N1Icys9evomk9ITdPZFCCu+B982c2d/QwfIYrK17gx2q8vKyo2UyiFWWEBDAvU2LHSbAHXSpAKw9QSogT1UqWnxXh5sX5mAlzcNbWI+xkmG8l2KqqMtU4jzyFsK1GzXS5owx7wZy2C0mSgP6e4luiD1p3pqUL4BUWItEDR99W6Tt7Xw1BwR67VV5O+VAhfIvbz2UlAw+hfFjICBRoEWSHUyerrsSl/19n/ukO5Pf7X2JQSKJkTClOyKYkEgwIP+6Fm5ATClyEWKQ0IstpSU1vOU/KPTYCbTUeFjwe6YWnDD0kw4HoBp9qC06ddJd22pvegZ+eikiLgE4NaXh5BkXQKPEi1KZ81lvSg0ymVsCsQgIhRHnrigrhNoHoNafy/YQdtByj/paxXEXKqz5THIDEDm351T4N7omi8Bqd4qYVI1WvZDIZdcz+rxhA4oBxe1+FkIbDnyTSD4f6FLAZFpvr7zVFKDQcc0dQHtD+WrnhTSiywOcZil6mm/9tlR8TijgYFOoenPRLaZhBxr2mCf4o4xUW4+bQqdEtVoAWzzkzZe9lsANWPny9stH0dTWC3Lm/dRYEY/8Lyv1y148uCh8N1uLQMq48eN6YdTcfD8j1uQfVIgPtLA6DfM0Aw15Ri4bKq8yvlUTXB8nw/X+aVL/1Mc2n2Hq2BpG1nAt/VvZwlJ3cp3yt8/068zGG6lweMCdKFyDyAYAnQ0uqXoM+6Y+8x4tUEHOX+SR8d998KM10AVXmJgQEazqMcIv/OisLJoWcSW1RctDAKbvYS2RBfvnnxbxYpbQ/6sJ/s+TePyOG3wOEB8nRQd042vlZaIbQ/CmRBSF7aq8Q1Kycfc6ApkVX/Kk8xVTD8KiFTSSwueNotoQk9qJamz/G9Rl66njIn1i5xIVOzpE54SxMugsV76Y4z01BpKG3UJ8lVldxd2Fdw4g+LwF8oNSkr9vAX1WGJpt0D45GZ8134qfMjAwEITEsCx2YKBCRv1hhSyecE9L61R8/kWPDCraub7W3CTl57oA4h3eQNhjLalYyufeRHdyKvtLLKDmWU8mHsBo4u/O3r21FpnU65YsSvgTgNI1UmEFlcirV3MibPRmIK/2NXZh4aNskeJL4BS/9yLdK0zCVepg8CgdDyTiBdsV87oZoMfXRhOZrQwIOiTw68IIit3jELDTz4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZaTo9Rr3YZ7nZWvbfZTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4bEhkRzB5eL2/2c2F+twGt9YaFqDBi7t/hGDEYsbqScE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kwg73ZibpDxFI3vfLM+ar1wIZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJH8HpwOar+NRZwP9okRV/rusrPFzMH9O3YCh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhPlLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2cd5b16f4409ceb8

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    New Money

  • keylogger_dir

    C:\Users\Admin\AppData\Roaming\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Gandcrab family
    gandcrab
  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Netwire family
    netwire
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (299) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Renames multiple (435) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 55 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00343.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2400
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2952
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
      HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:3056
    • C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
      HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1424
    • C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
      Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of FindShellTrayWindow
      PID:3064
    • C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
      Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
        C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Users\Admin\AppData\Roaming\bqdhgan.exe
          C:\Users\Admin\AppData\Roaming\bqdhgan.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Users\Admin\AppData\Roaming\bqdhgan.exe
            C:\Users\Admin\AppData\Roaming\bqdhgan.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Sets desktop wallpaper using registry
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2528
            • C:\Windows\System32\vssadmin.exe
              "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
              6⤵
              • Interacts with shadow copies
              PID:2228
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1N9dsduqYSk1zVrHVCN5rFFyk15mRyJKgq
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:2124
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2816
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\00343\TROJAN~2.EXE >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1676
    • C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
      Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 116
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1564
    • C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
      Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2064
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:696
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HELP_RESTORE_FILES.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2704
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2084
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\HELP_RESTORE_FILES.txt
    Filesize

    1KB

    MD5

    4f27999363123f86ba9fb08a1ae38c7a

    SHA1

    c609cab697a2c3548037b8b268522fd3d8fdd285

    SHA256

    af656447ded964e4c45602c1f60fc11572c82a7549ffe19ce8db5e50fa3e2ce0

    SHA512

    c7a5baefbfabf6d59cbb37706756388032377a11a81d9250a5b7d0f05d108f7ab35574bd96309466ab166b0c032d8471744ca1ea2e5324be67b2480617e34802

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\HELP_RESTORE_FILES.txt
    Filesize

    1KB

    MD5

    967cc7812f640502b823c190c85d9043

    SHA1

    0450c572de11873709f262e2eddbf26f16be1059

    SHA256

    898eb523165f96fa2df6467fa687da264a8a7a7945d177287f4a55cbda3ff1c3

    SHA512

    6b182ef2e82319337d71b3f2d42607971d42843cd25fc5b9c8f16f315777becd5de054c25dcf8a161df4637801f7b8dd3932fbff052ef16ee3b0a5019be4dcc4

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt
    Filesize

    1KB

    MD5

    e4c60e9e806a4b8a659fc02b2b679356

    SHA1

    01b9831dfde476a186130e86f10e693280c863fb

    SHA256

    315a0faec125b16842eca93001a60d5d5ad23838b8a047e45ae6d5e6ea9ac4fe

    SHA512

    fcd2235c22f99105d2aba494a36a55a305d761088af6291cba07610a4cc6c23ade5500cce97160a2242f472ab9235a49d83cef007aab8d5ee5e8910833765ebb

    Download Submit

  • C:\Program Files\CheckpointReset.aif.ecc
    Filesize

    100KB

    MD5

    df72ac2132edbe2ba8a59563288b2073

    SHA1

    0b78e42e35f0e683ff9ab4984d21655fe18d7e74

    SHA256

    45d66fac203e3038c0a0a9057743969a9c5452a623d2f837536b10d865fd6cf1

    SHA512

    f2c69601aae99c9eab0aa10261c97a6f91ee3c987fc466d0f070dd2895f4745042e4ba8eabbf2c52ced7ec496bfe3e9419c86e16dab58185047256ab85cec8a4

    Download Submit

  • C:\Program Files\ConvertRemove.avi.ecc
    Filesize

    204KB

    MD5

    4f4d49b78a64326b3534c6f6f72679ce

    SHA1

    dd2be44d6dc74dbb929493130e9333713fd925e8

    SHA256

    8e11aee35d7e1eecb4d0b3df38d5f3ba9aa3d85dcfa72857c982576c1523f6c0

    SHA512

    742a1b37d44c01c02bd77a1703178feba94a6d0ea0a7e9609fc6c550773e8795fcc4a9a1d073091927ad44bdeef4c9fb65ea82afa802239940b4988925624a54

    Download Submit

  • C:\Program Files\DismountSwitch.M2T.ecc
    Filesize

    114KB

    MD5

    232348c8375bcd5bc3625f7687a92701

    SHA1

    f0f44ce1648337f7b3e5a71ce17f1549bf3471eb

    SHA256

    992226e4c6dd36a279e765b52f2facd818f5514338eb1a382aabb9d47a082651

    SHA512

    4739ac8dfd64b4da71aefc3276b2bda117ceca146881a79c7d774182f123e615ff78e7188bc929e11cddde4e559296a51d6ee6c119323dea3af36ecef00e8007

    Download Submit

  • C:\Program Files\ExitReset.eps.ecc
    Filesize

    199KB

    MD5

    28ec1b70659d9b9e90d3ded7baa37495

    SHA1

    8800d60aaa7d33be74932835ca2c560e0a0e29b0

    SHA256

    d100dcc9d5c9f078b3812ab3b921bcd5c20a419067564921b3fe8ffe646df212

    SHA512

    75ac348aeff4aab8b171960630e141e29e55134f3375b5ac427e0396cda1fa334740f533723892c19533c465dbd622d22940aaf77255d1e31392fa56fba7a142

    Download Submit

  • C:\Program Files\FormatRestore.mov.ecc
    Filesize

    208KB

    MD5

    a4c087affd57197df36ea07cbec7725d

    SHA1

    9f4e77fbddbc9a5aa0d70ec57a7b690b474715df

    SHA256

    9b8dd5d613512730b887bff9655ceef6541aeb7033b145f871087ccba3966772

    SHA512

    74a735b9ce1926146c2087dc045bacc0fb8105e83b435a4eabd316cc07da095f03f6d58f87ebeb07af68a0b1633bf39508187fd163e7a6a34c3131d42f339f6a

    Download Submit

  • C:\Program Files\FormatUnregister.wmv.ecc
    Filesize

    161KB

    MD5

    3af2a37b98432facd3444c513fa7fa7d

    SHA1

    089a17905cac44d3ae71c06842cfbeea83ce2bde

    SHA256

    ababa94681f91548b20e6cb3f333b6e5412609f9303c061cf5498a995acc56ce

    SHA512

    bf445835ec7944467130cedf4d4a528d507e02d4d946e04579e2a2a4df7c85715d045117e0a8c04a8e8b101ea4068a5d3c7c62e124f0f202be5c8a4ff04eac76

    Download Submit

  • C:\Program Files\PingClose.m4a.dyeyfmnf
    Filesize

    194KB

    MD5

    bf2381fe95cf44032751cf8d92388a2b

    SHA1

    1eefe968f57321bb6d0609b6947fa691abcb7818

    SHA256

    0b866f77f9c6e59e89c863d7fc8be5282bc8a65005abee94add50fca1123bb9e

    SHA512

    95a2b5392c9f5a651c3353a84617b6aafbcc22a6740e3dcbf025c265b8bcb6c6da2a1c5af1e2033ad5cdd95ba380798d3a023ca26c6fcef66d0daa98cddbb09f

    Download Submit

  • C:\Program Files\ResumeLimit.raw.dyeyfmnf
    Filesize

    128KB

    MD5

    52b4a861e17ccb97f99ee5226c44c8b8

    SHA1

    205db453061e7878b5db0922f386f5013bd3716d

    SHA256

    504e45eb1426d09e0e557c70288bbeb7bee58004ba54eb66da9ea0aff1423631

    SHA512

    b3316249909178f058a1201d85625b989fa440be5fb2f49e51f5b55afbec9fef2ba53604dbc92f7b375d4841d0b33978883bbb0d213095d76565d3e0de0d466f

    Download Submit

  • C:\Program Files\SelectCompress.zip.dyeyfmnf
    Filesize

    166KB

    MD5

    2ec0000ad61d8a86caeeb06fc707ba7e

    SHA1

    e812a8d7550a11538dd92cf8001be3930ff07f78

    SHA256

    547b242c30bec3abe7ee328c9aa404714deff63c053335b121162af14e9d1908

    SHA512

    37c8d55d5cac8fb0f2f56c1e07aae4e8c82470aa43e2a860d13fb4bed2b0db7fd29d10f790244ebee335a5863f1c7c8540ddf0538e0d936dc0922156bfaa6eae

    Download Submit

  • C:\Program Files\SetOut.dwg.dyeyfmnf
    Filesize

    147KB

    MD5

    8e7f9b4e56c361da0fe043cfde36cd99

    SHA1

    926530ba6c683b449b8cc01f312cc7aea969ca80

    SHA256

    6df8fec69633b1caaac38980cb6ecd9d9c5e4e704ddaaa0a5c3bfd1d8fa2ed4d

    SHA512

    e4917b73411e8623ba504176c59b1b2fd273ee9c055d034dd2607560e1032e063833323cb1bdf0595855fb54f72a13919edd99e444c8d21a4aa60587c4cd52c0

    Download Submit

  • C:\Program Files\SubmitDisconnect.docx.dyeyfmnf
    Filesize

    180KB

    MD5

    1716230df2184b26bb7e99434b7a33ff

    SHA1

    60fe3383f710fbb07a880f4ff8d857187ed9dcf7

    SHA256

    6c959e21abbc4415fe1564d7141921c6115eba3bb47449e99994aa6bfe053543

    SHA512

    1999d3bcdf3d942ca22d970a970d2882fac883b580c559c40d1858319cb70b9316326b0ec246f094b950330d2b2e7f11b4c29128ae1bcf4126f29a6464630135

    Download Submit

  • C:\Program Files\WatchDebug.mov.dyeyfmnf
    Filesize

    123KB

    MD5

    2ebfefae94f0da0c6305f62fc511dc05

    SHA1

    54fcb561c98f63899411505048cc410c279a14fc

    SHA256

    460758f80fab747b02e9707167abd1f09e96a59ec13f5ec7d22ab3e93457f453

    SHA512

    f94b4641fd2ad27209825a7b2e992111bd7ae512972810a7e607feeeadca67872b25c1747bc539c7a1e52dec48dc490d148a5cfa6e3a7bcd8353e2283b30cca2

    Download Submit

  • C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DYEYFMNF-DECRYPT.txt
    Filesize

    8KB

    MD5

    d359765c9e2b8d95278ed914f9087b61

    SHA1

    2d2f95c8be128e4e2b50acfd27ec250cfd78d605

    SHA256

    08a698cd4c3d8480e5ee46756b7f8428dcd375a130945f542e471930fa33877e

    SHA512

    b940b03cf606e133f1e8213a69babaff93930a7eaf02293e46aef5f8b03d4c61f2872917cfbb09aec02ba6790b3dd72d5bff3478959687b3a583ead869d36e12

    Download Submit

  • C:\Recovery\DYEYFMNF-DECRYPT.txt
    Filesize

    8KB

    MD5

    81948025ba0dc27075c2799790c8634a

    SHA1

    500766e1e8ef9bc5cb28c515b0949a8bbb25bb96

    SHA256

    0871ee3674ef356da267e7659fddea5a911812791d00e18b0d9d17caf63d8bf8

    SHA512

    cc7ca313f75a087bb19df3bec626239e349ccc61fbd11b67c4274cb9c619d000af6ae39ca0309e128b96431cfd602b18c686ac2751578a17acf7bcb136b283d5

    Download Submit

  • C:\Users\Admin\AppData\DYEYFMNF-DECRYPT.txt
    Filesize

    8KB

    MD5

    2fc094e9309c028001aec6957aa10da1

    SHA1

    1c6fd459f984f7181b34bbd0cd4a79b703ab386e

    SHA256

    0190dbf9e4125b6a6e829c8516c8c00738a2c63eb1cc121f08407606c308c44c

    SHA512

    c8dc801d1aa96b4afd18f6da9def1e718caad62a3ef40232d622f6bedae17d7c357f8b8cc4970f0b7ee00a6793af377e8b0d749c56a1bd38d0d867a4dc3ae08f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    252B

    MD5

    2a70668f6cc8eba2fb3061a1cffaee07

    SHA1

    697baacf481407da38898ca606003fbe54184757

    SHA256

    3e49b6ffbf47211b4a35ea322a96a081a32fa935c854f7b0a4942a42c37feff3

    SHA512

    09bff548f582686f406f6d54dae24b1a7587c163de38e090decae2da6cd5313344030684ac69709c82e2b9546ce9ca299681b3d262ce891370f5933d678e8d62

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    51729a24fd36f970536676f710c08d25

    SHA1

    f761b6abbd3953ce4a95b91c12f4ba4fbd49317f

    SHA256

    4c0b87a61417d6ced4a9cf01fec0f839c1c84e33f08615f779c0cd9b604959c7

    SHA512

    f4b6cdacab11aaaae772e65670309f378609b1d94546020023e49e2099e38afbe18154784d180f1932b3374918b621fcc8f95811a43394a3b6eb12c0e13100f7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    49de457b101795ed5ef20beb747bbbdb

    SHA1

    c5376efd1e7d1f399000fe07956f7193efe08626

    SHA256

    32e78307d1a2324ffb81a0e06ac5506b855890e2e19f9fa35aae51a3a4a6654e

    SHA512

    7b55469b5c8677974da2b2baddfb82053cbeb14a9e88fd30a50b5dee80823367b3269d0ba6b17f71bb6fabe288d628dd46d5c656f9b8881b8b83024293db5560

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    780e96a9e216b12df3d9fc41c6c3c5de

    SHA1

    4be5ad70dfb2a794d21b490a0e8cd7d63877f2c7

    SHA256

    88c5ca57faedef01e10a4c919b8ab81d995bb4524ead024464c14990cfa9b64f

    SHA512

    1e5a5d96495a6fc18856fd26b62d0280766af4d0ffb8fe7637f62c6a35ac4553e3bc54f136fffd3d8d149e9a62e90682d751ca86e71b4fadf4b914377bf171b7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f500271b51a0267c9cea330b6b7ab9e7

    SHA1

    df339ee6b5a3262b51165d33cb02aa7c0bb90330

    SHA256

    d1f6684dc216ab3993f927edcd880ce1dcf6eb48b9d385f9200786b68be0c3e3

    SHA512

    e7e5ac47d00b905e5d9866bdfcc30523c090071b2911420b1f7c6fcb254840aa63109f7b94aa44c692e6defd91f27c2f24fbea317866709a64c6e119cd2ca9d6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6f1d073f0f09948a4080c0c5553eac40

    SHA1

    16c17554083e026fe22761bc8ce078111af2cbb6

    SHA256

    2a830129dee0d669c096b8804c0ae8ca0b0d49c5e0b85708724f8d800691bae7

    SHA512

    88b82a7b2a8b7b2d6584af7dc77ed8c4053f645d6e2e61a1dce3b3585f5434cd2e2207bc727259e83b0cd088fd5725f2f4439a16a925a1df15701f78477116b8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    920fcee256b07b7c910aa39f571e2585

    SHA1

    3e74a4f23a74199f1a16164fa41bad16735ddef6

    SHA256

    fe4e8a45c9b1f8537b5e65b055aa27d54f148144e19b7f6f9e0f52e052a94b23

    SHA512

    2fcd43f7da4fdb2ed1feb5d9f8ffef9d43f40261588d058c8f8e7e60f433fec5922d65fa3609c365f98e02e9901d1f2a6554e1ec911cd0b5829af09c1ee9154b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d619e038ca43050f8667909bfccfe443

    SHA1

    093ead664f64d8281c8457bda83b3eb97251648f

    SHA256

    daa517207cdbb47e7569a479e6355b36c705a4f64f747055161a222c05932fe2

    SHA512

    6b6bbcd2c2b799d6a1043bbc5185f2adfd462e7c10e3c7841df6545224c1a2707c51210daae69464fd9ddf8b38864784f77cf5134352d2d52f89e006b7c887a5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f4e37fb7076b7ea0fc1f96f151db4c45

    SHA1

    c68b5b563b66db536359583b3d90042a418eda40

    SHA256

    12c2ff83f6d0ccf49c75ff9818f509b64c14731ea828a675740fc611582917c4

    SHA512

    7740ac7cad84fcf6b93a0062782f89a5d03829446b3bd7419ffc2ddc0bfb6f97b3f189abaf160eb96d80c4b22a78d5b131c6ac668d3eb87809bdecdf95616cfc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    ac7131d72d304c62c1539ff17817c9fa

    SHA1

    7563bf18ee7acf8ec83f59855494012bd24c1500

    SHA256

    21d4ca494e0b9604b32c9c2a08361111c6c27f51ae2645e481ed7cc8bd62e287

    SHA512

    070f932d1c3fe633da53213d4f7a4c099b0f254e3b1f09731074177ba6823491c2e42ceabf716bbcbccc0f303e83a10a03bd438ef5274d345b745d8a09160e07

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab56A9.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar56AC.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\key.dat
    Filesize

    1KB

    MD5

    480da7382c47bd6f4d41d80f11ce2d01

    SHA1

    3cfdf6b4b277ba455b349b976b8a2b6ba68879b2

    SHA256

    7bfcabf3fd1cfb69d4a8b7ef453ddcb8fa31655ca0ffc9fb26fc60d089ee5cd0

    SHA512

    702d764256775500ab416ea5a29175d56836bd726e6a414d990ea9a92d35efe166b448fca0d6506757bace091b645e9d8cb91e4154244bb1ac552556627acfd8

    Download Submit

  • C:\Users\Admin\Contacts\DYEYFMNF-DECRYPT.txt
    Filesize

    8KB

    MD5

    bcec440af38433db7827c42a208de9c8

    SHA1

    e645432680445178f3d21dc411213e7beef3eb6e

    SHA256

    64b2ba76131aea34a40f25a211ee8c28a1b20ea60b9bf462bc53956d911b4da9

    SHA512

    28704b817e1b7e6a07e243665a06515c3b77e06c037fc875f16903a749d99a2509a94e83927e27850a84d2161e9f398b5bbe3945d520eb7ff35bef8dd7ba97de

    Download Submit

  • C:\Users\Admin\Desktop\00343\DO_NOT_DELETE.xtc
    Filesize

    556B

    MD5

    7a69352cb1b550ff1febaa10805143fb

    SHA1

    8ed64855e5090002bcdc979e6d8c4785faf2c978

    SHA256

    ba0ac5c3317aaf44d121e3d09b70d79d9ca246bc9966694126156b586d8bfb0e

    SHA512

    e46f2dd59715948fe49ea82b83c4a7adf683913f7976310e113a2012a6fd47b67cfbe404f078b47800bea754fb2f5974b4488924094c8f4cb6784aa39a2db0b5

    Download Submit

  • C:\Users\Admin\Desktop\00343\DYEYFMNF-DECRYPT.txt
    Filesize

    8KB

    MD5

    32768b6489c26a45a3a17e235a17f40f

    SHA1

    574f5fe4e109475e9573a74702ced00bd0e68339

    SHA256

    888dbe8d2b600e685989c5401ec9d6d2a0dcce20447f686b92f09ee2a316578a

    SHA512

    d9667fde1e0f63b72f55e525edff8c592118a0072d930f673b7153384be0666a2ec45e37e8d23ebba516b5fd5bc4047b2b46ab0dfb54ceaacc950d2ce4f51f14

    Download Submit

  • C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
    Filesize

    258KB

    MD5

    0a20ff394f286a6aaae2347df50074c6

    SHA1

    8734bc341b95255b8b927fdd8f0015bb24602cb6

    SHA256

    c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca

    SHA512

    1dea58773387ad540bf6f2453dff07ac9dbd77455294a309b4dcd1b3a064311ad0dd361ca32282bdd0ca7dab9d1d65359516f4ce8df557ff99745666c9c6b768

    Download Submit

  • C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
    Filesize

    652KB

    MD5

    c3682297d1ea552008780bf09c25170b

    SHA1

    9cd31edb83e500ddd4baa5b88e0a08cf2bb2d762

    SHA256

    b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13

    SHA512

    6276df414771e23d564c9bd273c706e14643099fb0801dcc82de4c54353eedc4cb170cff8f8e78b201512a6ea9f2fcbeb00776ca9ccf70bbb7606b56367c9274

    Download Submit

  • C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
    Filesize

    476KB

    MD5

    b066f6b9d71f198cb851eba5aa19f8af

    SHA1

    fe1072d6f69e8f817940d05f76272c7498c2de46

    SHA256

    e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69

    SHA512

    4a90e4378272e8ab2865c020cf2b3b390a2a8753289da8f1925383be56a42878cfe6f3bae34b7cafe1412b05bee63b8e05c675ca64e7ee44389580dff24a7d77

    Download Submit

  • C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
    Filesize

    261KB

    MD5

    6d3d62a4cff19b4f2cc7ce9027c33be8

    SHA1

    e906fa3d51e86a61741b3499145a114e9bfb7c56

    SHA256

    afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18

    SHA512

    973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad

    Download Submit

  • C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
    Filesize

    268KB

    MD5

    4ef5f0a660c9ae3e32eb109e1e7bfa30

    SHA1

    b02b7fde30930161726fdd7e872da43b271f2c3b

    SHA256

    db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef

    SHA512

    6a49b7d2c46e072f329f75b0ab74e011aee16cd35ba9a83734294fcbb3ad73539a8545f27695d58aa9d9150114c8f344a3b193b2e6005edb3085eba0906e9a81

    Download Submit

  • C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
    Filesize

    594KB

    MD5

    bdc7130f8edce09b538b6ec22ea7a1aa

    SHA1

    254bc06fcd8d5929a9cec304cec82951ba46f1a0

    SHA256

    a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2

    SHA512

    d054c46c77566fa22ad4e8bfa9585be860873f838da32a2e7ce2d44ac1d85941fe1e3e02920b544f653b5939b802e40407c5f0c27de58a73d94e392ad7058cc5

    Download Submit

  • C:\Users\Admin\Desktop\CheckpointRemove.zip.dyeyfmnf
    Filesize

    949KB

    MD5

    73bdba903f6a2c0253f2073fc710720e

    SHA1

    e500256875c3168979a6076acd962821bc07bcb6

    SHA256

    60e1c38e0643f3bc2d99d0a028bf4f853b29493b0d0a874ebbbb846638cf0e11

    SHA512

    486a4df2d40d16a97f2450c47234adf1bfb3405760b4602c4caaae97ef084529d72b2b8adf856c8fefac2bd80e88d1961827493599304da52bd427edc47ac704

    Download Submit

  • C:\Users\Admin\Desktop\GetClose.xlsx.dyeyfmnf
    Filesize

    14KB

    MD5

    2e2f7046deacfe52615a0b37604281dd

    SHA1

    a43e4bde79955df0d7fac4a6db988a9995cfd08d

    SHA256

    b127178e2f5104ea47e4ba3f2535859a1ed43be67de34f8aa0d70e370a9c2600

    SHA512

    b128a82e4e0c2d4dd98ac6abed788e080f4cbbadd24dd07d0389c796e90dfadea63a764f4d86a4a5277fc6c3a5165a1d32c246bb8bb3c1029ff51f1259959ec7

    Download Submit

  • C:\Users\Admin\Desktop\InvokeEnable.docx.dyeyfmnf
    Filesize

    16KB

    MD5

    21fb19a4d1aa47e1cbd0cb800c23543e

    SHA1

    06858d2eb7d1a0165fd27ff1fde5a342516fcaf1

    SHA256

    93932ab0e0e29cde57b2b140cd528db99095912aa9d0b68d43eb73ec778bfe25

    SHA512

    adce946de88667c8b040ff8fdde0e1cc4a1276fd0d660eb003bac2716b2a7747a418a183225aec12cb3154bf2230596debf06f4d87bc7b765113ebae81580b34

    Download Submit

  • C:\Users\Admin\Desktop\InvokeWatch.svgz.dyeyfmnf
    Filesize

    684KB

    MD5

    895ffbdec213bbe77519b5cb1cc46344

    SHA1

    52c00c170e7797d6f0af9cb3de5bc11f4ae6ef62

    SHA256

    19fe952e01b8c638e5400ba8e73248da9c18b81cb5f65d72940707dbc41a2373

    SHA512

    b9c793133ec8d802da27abe90314f8aa1291c1cefb1731cd8f46913482857eec4a95b69bd45c21ae45a7fd2b468aca8b775577defe5a12abdd4e14d44e46ae48

    Download Submit

  • C:\Users\Admin\Desktop\ReceiveSelect.mp4.dyeyfmnf
    Filesize

    1.2MB

    MD5

    2f88520f2558068d475a38ce5ddf1bee

    SHA1

    7f740f28c597f45738215a776c31e7e4f326a6af

    SHA256

    4620ea8e92da844d7442ff2b0053279e1539934304ca90b855a1ec83b22bfd68

    SHA512

    f48831cbfead922fd78e3bb2bf003f62636b1dca10e53a4a3b7ab2d372490208b78071f29289676e1307dc0c653379512bf00f850aa9a78119d55e379e13651b

    Download Submit

  • C:\Users\Admin\Desktop\UnblockRedo.crw.dyeyfmnf
    Filesize

    1.8MB

    MD5

    8f0c9dae8e64fe32e2529145c4835062

    SHA1

    37cf06ddc2c4f8d19786de32d0ddad72e8479f1e

    SHA256

    568bbfbeed9ca35e0da9ba63ad00705cad3986dd8f567b4a1091278796379009

    SHA512

    13a1cb356da3ce4b6cbc2fcc2c801592c57c4c3ea1b0e30e506873253fd9b94b5e87573e2d40643471d4e5a532b88cbadf40a54795fe16aaf1d94702cdade9b7

    Download Submit

  • C:\Users\Admin\Desktop\WaitReceive.mp4.dyeyfmnf
    Filesize

    463KB

    MD5

    c4f8d968b0b1e43c0c5db96ee28614fd

    SHA1

    39639a762bb56091347911ef62c6793d49028542

    SHA256

    c04009ea16d9fc6eb72d4813fb869a37ff3dea0b18b2d8479c3903ee62392064

    SHA512

    93fe5f718285f1171dcf21bc6734c2d8d96af62e849298bfd2daf81b16215ee572b0df148ce02b8553a3715e2a159f5ef0a94a013da7ae8725646117199910aa

    Download Submit

  • C:\Users\Admin\Desktop\WriteSearch.mp4.dyeyfmnf
    Filesize

    640KB

    MD5

    a3f6a04257c90732ccebb32e88fb3835

    SHA1

    eb6b0491f9916c97cea2c01194e0285c5afd0d06

    SHA256

    bfb164232f8fb648c6bace71739597d8c1f179a795476fd8d4661308ad11cd09

    SHA512

    bd8b83164a835f6ecaea09cc7cdb6ce7312acc9a05c8613b5677081f1c482908fc728753206c939202b6756b2ef02951c50b18c8210720be0956c1d45800268d

    Download Submit

  • C:\Users\Admin\Documents\AssertDeny.xlsx.dyeyfmnf
    Filesize

    10KB

    MD5

    8f998db19b6c19187b6b0cd73096bf35

    SHA1

    1c89571e88841acc50f27a318aaf1efd2acfdea0

    SHA256

    a507da7fe1de2230d41248945ffbfaf5e5d8a670e3dfb75563f8c891d9cfe9ee

    SHA512

    c27b54caba08687f250d9468f12a44b79d049e00157cc01be3d21d244702932fb155cc8def143499c903b49f43e14f6b7ec598e755f639305c535d1b2accbc30

    Download Submit

  • C:\Users\Admin\Documents\ConfirmMove.xlsx.dyeyfmnf
    Filesize

    16KB

    MD5

    23163b20fa42dbfcf0528261e0704ddc

    SHA1

    9266965c7e289d41f91c7c4bae3e20f038e55ec1

    SHA256

    a72fcd83c46e547bdc01a883596b1c52ab2d5c40ba22f1868f3758ee8350618f

    SHA512

    0053d487b1aef259fde117e773b99bf8e19b4ce3196630dfa6165070a3dc1cb5aeeb2df0096a548c5e35f3c3c54f163b42bdd5d4c1d80345fe370a18eaeda0d6

    Download Submit

  • C:\Users\Admin\Documents\DYEYFMNF-DECRYPT.txt
    Filesize

    8KB

    MD5

    50d091ae26be4319e8712c99b966a876

    SHA1

    41a68290e6e25627800cb61fe06545bf933b9b69

    SHA256

    8e2005e16540e30d9876ea7314acbb6a34c98003151c81dcc47829a5b73f3174

    SHA512

    87a3c2cf32787b09d18cd64b0e6c50ce86c8bf6f68423415f68c91e3e0eaa6b211869f82f33bad6eb3f63986f34d7e3f6a8a9365cb553bd8b5c9c3ca819e55f4

    Download Submit

  • C:\Users\Admin\Documents\DismountDisconnect.docx.dyeyfmnf
    Filesize

    20KB

    MD5

    c8cbde298298978627bed799b0f9e7c6

    SHA1

    2334f0bf061cec9cec2ff26bb6a23c1390a107a8

    SHA256

    d490e14f4ac17af9615db14dc4a37e6973fd0a553b71aaed90cad2aac1049678

    SHA512

    54975feef6ebb221ebf7a796c74f50d1d03dc133634bf4438dd66a317ad859f15956af7730e149d8cf1279d6911abb312ba71c01be4168fdf0c54a24671045ec

    Download Submit

  • C:\Users\Admin\Documents\ImportBackup.pptm.dyeyfmnf
    Filesize

    494KB

    MD5

    a24de58249de87f7a60118ee7cf7355a

    SHA1

    d6f8d955c1d73aa74f740638452531bd533cd3d4

    SHA256

    bd7356447194aad54ea5310d1597e217899288d61228b6167a118d71a6d05a58

    SHA512

    44e767294ed0b32ab8a8db9d44a69ea517604689aad73ee37cd6c7fa2fff357bf39c2232a09aad71dc9edb7ff030b88718172570c88aed9ffc37dc7a76f2823e

    Download Submit

  • C:\Users\Admin\Documents\ProtectConfirm.xlsm.dyeyfmnf
    Filesize

    669KB

    MD5

    71b7cea122dd389cac2845bcc84b9f08

    SHA1

    966df0beb7a1314dd2ac1c23d370fb7844a6c9f3

    SHA256

    0200780cae4797ea983aa0cee666378a6d912e3e32cccf86f6d1f9d52f90a6bd

    SHA512

    baffdcee95ff37128c2b4a1963578ed9eb75c988ad8f09c6ec2013c123676a103fa9bc66cc069ece4b920e92f8913df4edfb83afe8309b383afd9b2351b34ff3

    Download Submit

  • C:\Users\Admin\Documents\RECOVERY_KEY.TXT
    Filesize

    232B

    MD5

    c57085bdf49f036337f379ca97fe61f5

    SHA1

    d3842e758d3d2e312531c63e5c357773704a5ecd

    SHA256

    ab439a7d46f62fa1152614f50e27cb106f67bd0c1edea9e1bbe61d82f5147fd6

    SHA512

    e0d620045df0c7a6acd6b8a03724d1ddb9c1d6008d81ead96efdba7175285a0c72a6cd72d4319798dde56c78a1f71571920ca7faee94aeeead31f0e9d5ef57df

    Download Submit

  • C:\Users\Admin\Documents\ReadLimit.docm.dyeyfmnf
    Filesize

    542KB

    MD5

    6c2a863d2355baf68507dc82cdf6879e

    SHA1

    9f6db3fd4c148876d7218ab807c2de505054ba0d

    SHA256

    589bd7d23de5a8f4b2aaac61360da028dda14826292f5836a9426bd4c83613ee

    SHA512

    d3865bc1d61dbeee0f26379b73685d9bfa9a9bedbfcc6e9ec476567b85684e780de0c2a08db5cc176abe60a8e8024a35167eba2e59cbc087f743f2085c1812c5

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\DYEYFMNF-DECRYPT.txt
    Filesize

    8KB

    MD5

    367e7d0c9ba9133fd44b9097ef82e024

    SHA1

    1394d3c8958e13ee76d4f068bfa5c556b591833b

    SHA256

    de12844f1115a2f7f2646e163aa3d1030478abca6b5b59b18fb05849553901f5

    SHA512

    e644f2a06a1cb24bbb660f67cf3c3f7507e6d9a553b829ab02d41179a1cbeb2331f10007fe5b8af186455039a482b88cd97d0f02f5900aa5555d25b3e9f43a16

    Download Submit

  • memory/664-40-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1424-296-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1572-294-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/1572-3211-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2044-41-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2044-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2044-33-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2044-31-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2044-38-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2044-29-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2044-27-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2044-35-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2044-49-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2164-67-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2528-69-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2528-638-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2528-71-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2528-75-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2528-3206-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2528-3200-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2952-12-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2952-13-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/3056-3210-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/3064-42-0x0000000000050000-0x00000000000CE000-memory.dmp

    Filesize

    504KB

    Download