Overview

overview

10

Static

static

1

RNSM00317.7z

windows7-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-11-2024 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00317.7z

  • Size

    4.5MB

  • MD5

    1f0a3c0d633cffdec981a36b868af1ab

  • SHA1

    d04f70e113bdfe863c2658d6ad4c1ddf5412ecfa

  • SHA256

    e4517fe3680c52565d854d2242d9ba7eddf25a80509eed18525ec428364761b9

  • SHA512

    156b8bade296be4f6653f6f13bac1ddc0b5280c0092b09743ad5d4a460060b8e4cf198fcb5fe1e77af1962f46f8ea7caf1afb3fdc63fb9700027d6a004d50710

  • SSDEEP

    98304:J0V1RCjxkSb5i7yKRQc/W3yT8m6rpGDx3pz0Z9qOcU0SzlqgMAVEStZ0:SEtkSc7h/GsNxM0gMXStZ0

Score
10/10
adwindformbookgandcrablokibotxtremeratdabackdoorcollectiondefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

da

Decoy

citybudgettree.tech

anamikabaruah.com

woorobo.com

physics.center

formerworld.com

mckpr.info

rexo17.download

butthole.online

999-dvd.com

mykinwallet.com

energiin.info

stoneboris.win

tlbfp.loan

kinder-laender-zukunft.com

alinebaca-lep.com

veretium.com

villa17home.com

6m1six.loan

dichvupccc.com

affiliatelecture.com

Extracted

Path

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438706 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\jre\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438708 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files\VideoLAN\VLC\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438709 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files\VideoLAN\VLC\plugins\access\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438710 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438711 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438713 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438714 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\!HELP_YOUR_FILES.HTML

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style><script type='text/javascript'>function init() {var xtime;document.getElementById('fe_text').innerHTML = '00:00:00';xtime = Math.floor(1731438715 + (12 * 60 * 60) - (Date.now() / 1000));window.setTimeout('update_timestamp(' + xtime + ')', 1000);}function component(x, y, z) {var res; if (z == 1) res = Math.floor(x / y);else res = Math.floor(x / y) % z;if (res < 10) res = '0' + res;return res;}function update_timestamp(tstamp) {if (tstamp < 1) {document.getElementById('fe_text').innerHTML = '00:00:00'; }else {var hours = component(tstamp, 60 * 60, 1),minutes = component(tstamp, 60, 60),seconds = component(tstamp, 1, 60);document.getElementById('fe_text').innerHTML = hours + ':' + minutes + ':' + seconds;tstamp -= 1;window.setTimeout('update_timestamp(' + tstamp + ')', 1000);}}</script></head><body onload='init();'><div align='center'><table width='700' height='100' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/><br/><br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br/><br/></td></tr><tr><td width='7' nowrap='nowrap' align='left'>Open&nbsp;</td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7'></td><td width='93' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.2 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>05CE14BD2FF240836A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>
Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Family

xtremerat

C2

enrichosie.sytes.net

Extracted

Family

lokibot

C2

http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind
  • Adwind family
    adwind
  • Class file contains resources related to AdWind 1 IoCs
  • Detect XtremeRAT payload 5 IoCs
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • GandCrab payload 3 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Gandcrab family
    gandcrab
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Lokibot family
    lokibot
  • UAC bypass 3 TTPs 4 IoCs
    evasiontrojan
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Formbook payload 1 IoCs
    rat
  • Renames multiple (786) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables Task Manager via registry modification
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 47 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 45 IoCs
    evasion
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00317.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2232
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3020
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\Desktop\00317\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-f7f66376257457e25ebf73eeee699b7eb4fdfe668069bb4c8170e0a050821ede.exe
      HEUR-Trojan-Ransom.Win32.GandCrypt.gen-f7f66376257457e25ebf73eeee699b7eb4fdfe668069bb4c8170e0a050821ede.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:236
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns1.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2240
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns2.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1148
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns2.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3048
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns1.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2356
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns1.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2956
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns2.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2348
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns2.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns1.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1868
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns1.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2800
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns2.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1700
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns2.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2072
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns1.wowservers.ru
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2232
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns1.wowservers.ru
        3⤵
          PID:2888
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup ransomware.bit ns2.wowservers.ru
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2236
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup carder.bit ns2.wowservers.ru
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1964
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup ransomware.bit ns1.wowservers.ru
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2376
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup carder.bit ns1.wowservers.ru
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1984
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup ransomware.bit ns2.wowservers.ru
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2808
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup carder.bit ns2.wowservers.ru
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2036
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup ransomware.bit ns1.wowservers.ru
          3⤵
            PID:3000
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup carder.bit ns1.wowservers.ru
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2408
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup ransomware.bit ns2.wowservers.ru
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1592
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup carder.bit ns2.wowservers.ru
            3⤵
              PID:2484
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup ransomware.bit ns1.wowservers.ru
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3044
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup carder.bit ns1.wowservers.ru
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2716
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup ransomware.bit ns2.wowservers.ru
              3⤵
              • System Location Discovery: System Language Discovery
              PID:1312
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup carder.bit ns2.wowservers.ru
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2536
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup ransomware.bit ns1.wowservers.ru
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2308
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup carder.bit ns1.wowservers.ru
              3⤵
                PID:2672
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup ransomware.bit ns2.wowservers.ru
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1776
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup carder.bit ns2.wowservers.ru
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1704
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup ransomware.bit ns1.wowservers.ru
                3⤵
                  PID:3008
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup carder.bit ns1.wowservers.ru
                  3⤵
                    PID:664
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup ransomware.bit ns2.wowservers.ru
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2064
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup carder.bit ns2.wowservers.ru
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1516
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup ransomware.bit ns1.wowservers.ru
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1820
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup carder.bit ns1.wowservers.ru
                    3⤵
                      PID:568
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup ransomware.bit ns2.wowservers.ru
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:2448
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup carder.bit ns2.wowservers.ru
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:2924
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup ransomware.bit ns1.wowservers.ru
                      3⤵
                        PID:1932
                      • C:\Windows\SysWOW64\nslookup.exe
                        nslookup carder.bit ns1.wowservers.ru
                        3⤵
                          PID:1696
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup ransomware.bit ns2.wowservers.ru
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:1748
                      • C:\Users\Admin\Desktop\00317\HEUR-Trojan-Ransom.Win32.Generic-4b5344ff9df658967a626c17eccfb44517998206562efa52167ce9cd3f272592.exe
                        HEUR-Trojan-Ransom.Win32.Generic-4b5344ff9df658967a626c17eccfb44517998206562efa52167ce9cd3f272592.exe
                        2⤵
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:2308
                        • C:\Users\Admin\Desktop\00317\HEUR-Trojan-Ransom.Win32.Generic-4b5344ff9df658967a626c17eccfb44517998206562efa52167ce9cd3f272592.exe
                          "C:\Users\Admin\Desktop\00317\HEUR-Trojan-Ransom.Win32.Generic-4b5344ff9df658967a626c17eccfb44517998206562efa52167ce9cd3f272592.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:1608
                          • C:\Users\Admin\AppData\Local\Temp\server.exe
                            "C:\Users\Admin\AppData\Local\Temp\server.exe"
                            4⤵
                            • Boot or Logon Autostart Execution: Active Setup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Adds Run key to start application
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            PID:2752
                            • C:\Windows\SysWOW64\svchost.exe
                              svchost.exe
                              5⤵
                              • Boot or Logon Autostart Execution: Active Setup
                              • Adds Run key to start application
                              PID:944
                            • C:\Program Files\Internet Explorer\iexplore.exe
                              "C:\Program Files\Internet Explorer\iexplore.exe"
                              5⤵
                                PID:2596
                              • C:\Windows\SysWOW64\explorer.exe
                                explorer.exe
                                5⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:2688
                              • C:\Users\Admin\AppData\Local\Temp\686eroi.exe
                                "C:\Users\Admin\AppData\Local\Temp\686eroi.exe"
                                5⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Adds Run key to start application
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:2404
                                • C:\Users\Admin\AppData\Local\Temp\686eroi.exe
                                  "C:\Users\Admin\AppData\Local\Temp\686eroi.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • Accesses Microsoft Outlook profiles
                                  • System Location Discovery: System Language Discovery
                                  • outlook_office_path
                                  • outlook_win_path
                                  PID:3008
                            • C:\Program Files\Java\jre7\bin\javaw.exe
                              "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ustr.jar"
                              4⤵
                              • Drops file in System32 directory
                              • Suspicious use of SetWindowsHookEx
                              PID:2668
                              • C:\Program Files\Java\jre7\bin\java.exe
                                "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.27390721529108045681802202947732099.class
                                5⤵
                                • Drops file in System32 directory
                                • Suspicious use of SetWindowsHookEx
                                PID:2128
                                • C:\Windows\system32\cmd.exe
                                  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1450662429174993737.vbs
                                  6⤵
                                    PID:952
                                    • C:\Windows\system32\cscript.exe
                                      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1450662429174993737.vbs
                                      7⤵
                                        PID:2300
                                    • C:\Windows\system32\cmd.exe
                                      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6395918070622287408.vbs
                                      6⤵
                                        PID:2944
                                        • C:\Windows\system32\cscript.exe
                                          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6395918070622287408.vbs
                                          7⤵
                                            PID:2252
                                        • C:\Windows\system32\xcopy.exe
                                          xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
                                          6⤵
                                            PID:2632
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe
                                            6⤵
                                              PID:332
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7769579416715362525.vbs
                                            5⤵
                                              PID:2528
                                              • C:\Windows\system32\cscript.exe
                                                cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7769579416715362525.vbs
                                                6⤵
                                                  PID:2516
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive116018245270192050.vbs
                                                5⤵
                                                  PID:272
                                                  • C:\Windows\system32\cscript.exe
                                                    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive116018245270192050.vbs
                                                    6⤵
                                                      PID:1816
                                                  • C:\Windows\system32\xcopy.exe
                                                    xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
                                                    5⤵
                                                      PID:828
                                                    • C:\Windows\system32\cmd.exe
                                                      cmd.exe
                                                      5⤵
                                                        PID:1956
                                                      • C:\Windows\system32\reg.exe
                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v evkNhGHpOmO /t REG_EXPAND_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\OlwlPKwCfaK\gaWGaXfvcOu.GNePhm\"" /f
                                                        5⤵
                                                        • Adds Run key to start application
                                                        • Modifies registry key
                                                        PID:760
                                                      • C:\Windows\system32\attrib.exe
                                                        attrib +h "C:\Users\Admin\OlwlPKwCfaK\*.*"
                                                        5⤵
                                                        • Views/modifies file attributes
                                                        PID:2172
                                                      • C:\Windows\system32\attrib.exe
                                                        attrib +h "C:\Users\Admin\OlwlPKwCfaK"
                                                        5⤵
                                                        • Views/modifies file attributes
                                                        PID:1524
                                                      • C:\Program Files\Java\jre7\bin\javaw.exe
                                                        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\Users\Admin\OlwlPKwCfaK\gaWGaXfvcOu.GNePhm
                                                        5⤵
                                                        • Drops file in System32 directory
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1048
                                                        • C:\Program Files\Java\jre7\bin\java.exe
                                                          "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.262626224004327348779818178443561680.class
                                                          6⤵
                                                          • Drops file in System32 directory
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1688
                                                          • C:\Windows\system32\cmd.exe
                                                            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3818544890627276176.vbs
                                                            7⤵
                                                              PID:2432
                                                              • C:\Windows\system32\cscript.exe
                                                                cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3818544890627276176.vbs
                                                                8⤵
                                                                  PID:1992
                                                              • C:\Windows\system32\cmd.exe
                                                                cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive128195377080628013.vbs
                                                                7⤵
                                                                  PID:2328
                                                                  • C:\Windows\system32\cscript.exe
                                                                    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive128195377080628013.vbs
                                                                    8⤵
                                                                      PID:984
                                                                  • C:\Windows\system32\cmd.exe
                                                                    cmd.exe
                                                                    7⤵
                                                                      PID:2004
                                                                  • C:\Windows\system32\cmd.exe
                                                                    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2122418498012650029.vbs
                                                                    6⤵
                                                                      PID:2744
                                                                      • C:\Windows\system32\cscript.exe
                                                                        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2122418498012650029.vbs
                                                                        7⤵
                                                                          PID:588
                                                                      • C:\Windows\system32\cmd.exe
                                                                        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7748245377754199259.vbs
                                                                        6⤵
                                                                          PID:1764
                                                                          • C:\Windows\system32\cscript.exe
                                                                            cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7748245377754199259.vbs
                                                                            7⤵
                                                                              PID:264
                                                                          • C:\Windows\system32\cmd.exe
                                                                            cmd.exe
                                                                            6⤵
                                                                              PID:1156
                                                                            • C:\Windows\system32\cmd.exe
                                                                              cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\WQqIslGakb2746182280062847377.reg
                                                                              6⤵
                                                                                PID:2872
                                                                                • C:\Windows\regedit.exe
                                                                                  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\WQqIslGakb2746182280062847377.reg
                                                                                  7⤵
                                                                                  • UAC bypass
                                                                                  • Event Triggered Execution: Image File Execution Options Injection
                                                                                  • Runs .reg file with regedit
                                                                                  PID:2536
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM UserAccountControlSettings.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2616
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM Taskmgr.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:332
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM ProcessHacker.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2756
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM procexp.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2480
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM MSASCui.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:408
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM MsMpEng.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1444
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM MpUXSrv.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2076
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM MpCmdRun.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:3056
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM NisSrv.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2264
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM ConfigSecurityPolicy.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2712
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM procexp.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2756
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM wireshark.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1704
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM tshark.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2480
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM text2pcap.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1672
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM rawshark.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1932
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM mergecap.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:852
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM editcap.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2892
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM dumpcap.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2396
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM capinfos.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2304
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM mbam.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2064
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM mbamscheduler.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1816
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM mbamservice.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1932
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM AdAwareService.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2452
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM AdAwareTray.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2224
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM WebCompanion.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:620
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM AdAwareDesktop.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2396
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM V3Main.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2656
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM V3Svc.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2420
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM V3Up.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1228
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM V3SP.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2616
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM V3Proxy.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2580
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM V3Medic.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2248
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM BgScan.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:952
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM BullGuard.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2596
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM BullGuardBhvScanner.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2172
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM BullGuarScanner.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1784
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM LittleHook.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2324
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM BullGuardUpdate.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2052
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM clamscan.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1980
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM ClamTray.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2516
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM ClamWin.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2976
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM cis.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1000
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM CisTray.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2020
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM cmdagent.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:1784
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                taskkill /IM cavwp.exe /T /F
                                                                                6⤵
                                                                                • Kills process with taskkill
                                                                                PID:2472
                                                                      • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.BadRabbit.a-8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe
                                                                        Trojan-Ransom.Win32.BadRabbit.a-8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:2060
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /c schtasks /Delete /F /TN rhaegal
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:1680
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /Delete /F /TN rhaegal
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2492
                                                                      • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.Blocker.jtuz-e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e.exe
                                                                        Trojan-Ransom.Win32.Blocker.jtuz-e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e.exe
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        • Adds Run key to start application
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                        PID:340
                                                                      • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.Erebus.a-ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
                                                                        Trojan-Ransom.Win32.Erebus.a-ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:2292
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:2888
                                                                          • C:\Windows\SysWOW64\vssadmin.exe
                                                                            vssadmin delete shadows /all /quiet
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Interacts with shadow copies
                                                                            PID:1040
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=2 get deviceid | findstr . > %tmp%\y
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:588
                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                            wmic logicaldisk where drivetype=2 get deviceid
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2188
                                                                          • C:\Windows\SysWOW64\findstr.exe
                                                                            findstr .
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2084
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1372
                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                            wmic logicaldisk where drivetype=3 get deviceid
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:936
                                                                          • C:\Windows\SysWOW64\findstr.exe
                                                                            findstr .
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2448
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=4 get deviceid | findstr . > %tmp%\y
                                                                          3⤵
                                                                            PID:2200
                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                              wmic logicaldisk where drivetype=4 get deviceid
                                                                              4⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1972
                                                                            • C:\Windows\SysWOW64\findstr.exe
                                                                              findstr .
                                                                              4⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2952
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C wmic path win32_physicalmedia get SerialNumber | findstr . > %tmp%\y && wmic cpu get ProcessorId | findstr . >> %tmp%\y && wmic path win32_BASEBOARD get Product | findstr . >> %tmp%\y
                                                                            3⤵
                                                                              PID:2888
                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                wmic path win32_physicalmedia get SerialNumber
                                                                                4⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2332
                                                                              • C:\Windows\SysWOW64\findstr.exe
                                                                                findstr .
                                                                                4⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2172
                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                wmic cpu get ProcessorId
                                                                                4⤵
                                                                                  PID:1640
                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                  findstr .
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:712
                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                  wmic path win32_BASEBOARD get Product
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1776
                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                  findstr .
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2164
                                                                            • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.Foreign.nzvd-cf9db59cec4cd77609f6214cb6fee1aab2c4d8713bbec62c6779b518ca23fd3b.exe
                                                                              Trojan-Ransom.Win32.Foreign.nzvd-cf9db59cec4cd77609f6214cb6fee1aab2c4d8713bbec62c6779b518ca23fd3b.exe
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • Adds Run key to start application
                                                                              • Maps connected drives based on registry
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              • Suspicious use of UnmapMainImage
                                                                              PID:2440
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k
                                                                                3⤵
                                                                                  PID:1240
                                                                              • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.Takbum.k-bd6dc195225b09334c248ac01c9a4cd7218167aa521bb4ccd60dafc00320c2a9.exe
                                                                                Trojan-Ransom.Win32.Takbum.k-bd6dc195225b09334c248ac01c9a4cd7218167aa521bb4ccd60dafc00320c2a9.exe
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Enumerates connected drives
                                                                                • Drops file in Program Files directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Checks processor information in registry
                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:2608
                                                                              • C:\Users\Admin\Desktop\00317\VHO-Trojan-Ransom.NSIS.MyxaH.gen-074689a10ad19a3a57fc23687304e50d371b25736325eec5febc786cec8a8f68.exe
                                                                                VHO-Trojan-Ransom.NSIS.MyxaH.gen-074689a10ad19a3a57fc23687304e50d371b25736325eec5febc786cec8a8f68.exe
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                                PID:2764
                                                                                • C:\Users\Admin\Desktop\00317\VHO-Trojan-Ransom.NSIS.MyxaH.gen-074689a10ad19a3a57fc23687304e50d371b25736325eec5febc786cec8a8f68.exe
                                                                                  VHO-Trojan-Ransom.NSIS.MyxaH.gen-074689a10ad19a3a57fc23687304e50d371b25736325eec5febc786cec8a8f68.exe
                                                                                  3⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:2288
                                                                            • C:\Windows\system32\vssvc.exe
                                                                              C:\Windows\system32\vssvc.exe
                                                                              1⤵
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2344
                                                                            • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.BadRabbit.a-8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe
                                                                              "C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.BadRabbit.a-8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe"
                                                                              1⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1036
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                /c schtasks /Delete /F /TN rhaegal
                                                                                2⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2092
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /Delete /F /TN rhaegal
                                                                                  3⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2528

                                                                            Network

                                                                            MITRE ATT&CK Enterprise v15

                                                                            Reconnaissance

                                                                            Resource Development

                                                                            Initial Access

                                                                            Execution

                                                                            Windows Management Instrumentation

                                                                            1
                                                                            T1047

                                                                            Persistence

                                                                            Boot or Logon Autostart Execution

                                                                            2
                                                                            T1547

                                                                            Active Setup

                                                                            1
                                                                            T1547.014

                                                                            Registry Run Keys / Startup Folder

                                                                            1
                                                                            T1547.001

                                                                            Event Triggered Execution

                                                                            1
                                                                            T1546

                                                                            Image File Execution Options Injection

                                                                            1
                                                                            T1546.012

                                                                            Privilege Escalation

                                                                            Abuse Elevation Control Mechanism

                                                                            1
                                                                            T1548

                                                                            Bypass User Account Control

                                                                            1
                                                                            T1548.002

                                                                            Boot or Logon Autostart Execution

                                                                            2
                                                                            T1547

                                                                            Active Setup

                                                                            1
                                                                            T1547.014

                                                                            Registry Run Keys / Startup Folder

                                                                            1
                                                                            T1547.001

                                                                            Event Triggered Execution

                                                                            1
                                                                            T1546

                                                                            Image File Execution Options Injection

                                                                            1
                                                                            T1546.012

                                                                            Defense Evasion

                                                                            Abuse Elevation Control Mechanism

                                                                            1
                                                                            T1548

                                                                            Bypass User Account Control

                                                                            1
                                                                            T1548.002

                                                                            Direct Volume Access

                                                                            1
                                                                            T1006

                                                                            Hide Artifacts

                                                                            1
                                                                            T1564

                                                                            Hidden Files and Directories

                                                                            1
                                                                            T1564.001

                                                                            Impair Defenses

                                                                            1
                                                                            T1562

                                                                            Disable or Modify Tools

                                                                            1
                                                                            T1562.001

                                                                            Indicator Removal

                                                                            2
                                                                            T1070

                                                                            File Deletion

                                                                            2
                                                                            T1070.004

                                                                            Modify Registry

                                                                            4
                                                                            T1112

                                                                            Credential Access

                                                                            Credentials from Password Stores

                                                                            1
                                                                            T1555

                                                                            Credentials from Web Browsers

                                                                            1
                                                                            T1555.003

                                                                            Unsecured Credentials

                                                                            1
                                                                            T1552

                                                                            Credentials In Files

                                                                            1
                                                                            T1552.001

                                                                            Discovery

                                                                            Peripheral Device Discovery

                                                                            2
                                                                            T1120

                                                                            Query Registry

                                                                            3
                                                                            T1012

                                                                            System Information Discovery

                                                                            4
                                                                            T1082

                                                                            System Location Discovery

                                                                            1
                                                                            T1614

                                                                            System Language Discovery

                                                                            1
                                                                            T1614.001

                                                                            Lateral Movement

                                                                            Collection

                                                                            Data from Local System

                                                                            1
                                                                            T1005

                                                                            Email Collection

                                                                            1
                                                                            T1114

                                                                            Command and Control

                                                                            Exfiltration

                                                                            Impact

                                                                            Inhibit System Recovery

                                                                            3
                                                                            T1490

                                                                            Replay Monitor

                                                                            Loading Replay Monitor...

                                                                            Downloads

                                                                            • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              cbd14f59cbd7b1a2be1c136777e87786

                                                                              SHA1

                                                                              0d5ea25178803bddf3344fd913dca32029e732cd

                                                                              SHA256

                                                                              1a829ca9a6bd5f7cdaaaef8e2740bebd77367f7e469fd2e9985be8998010e8ca

                                                                              SHA512

                                                                              a9aa29cd88feadd9e0a4f9d03aa32ff6201fa8b74107a6c355ab15cdfe3d2cdfebb15bbc2a8ed5ee09e86e2ef20a79abfd76071c95e5b7f794f9757c0e64293f

                                                                              Download Submit

                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              80dc887da68371594ce1e6a67db96e0a

                                                                              SHA1

                                                                              79af8697d212336189bf5ef4818c0eb8094df853

                                                                              SHA256

                                                                              115d177b341e08ad62c0dcd0db9d2bc4cbc008b0df54a5779179b4fa1c336f13

                                                                              SHA512

                                                                              19bbf3544335b0198defb3b3551b654de59fe1cd22f773fbf18ccada5614a416d32724c4bf63c5bfaa94d18c16638c1c75928b08cb202d67f491ee8ab1db0457

                                                                              Download Submit

                                                                            • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              5095afed809a34d429c51719075ab9a3

                                                                              SHA1

                                                                              d49ac84ccaecd099db80eebdab8337be8dbee136

                                                                              SHA256

                                                                              38a48ba099a8b1a081a08aaf80fdb5a111bfadd0d971c9e25b69bc4df61f0a22

                                                                              SHA512

                                                                              bf30f95750dbd7cde332d1738f14e93d559593ed27a0b71109378015af1b0639c2b831542d9b0b17d6c9af22ebc82a4f7554c4f39cc25b4a5c718e46bc82c97c

                                                                              Download Submit

                                                                            • C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              a99ab2cfbef6842a13a8caf41e6a19f0

                                                                              SHA1

                                                                              35f45028422fe7898440971aabc3d0d286d68065

                                                                              SHA256

                                                                              74ae47a0855164efa124aee1cc37c815531307e47bb106cc01b31ba10cc1996f

                                                                              SHA512

                                                                              cff0984563b92c39955e8a764e05025814e4c739b66722d91c51a0684dc04eb05e9f8ee2e20f0727818fee7fc81375faa6319f30fe3a5d32c984e85f16e53a9b

                                                                              Download Submit

                                                                            • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              e6be5b0a75974801648ca53cdbdf97b2

                                                                              SHA1

                                                                              b7dc49a7a1dc0c513e98a3641af124817a1a0f66

                                                                              SHA256

                                                                              c2424470459f9c8f647a8dc58b5d79fb7ef6aa98570d65981828729786190e24

                                                                              SHA512

                                                                              dc71c5058e69433f7a5ac4829ab63bf7f2991df99d1d05ee2a8a3ed0ada9590b0cc917276ccc6c6da01815feb5744b2f8be15bb4862f564a7322b4ea68b3831e

                                                                              Download Submit

                                                                            • C:\Program Files\Java\jdk1.7.0_80\jre\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              6c63c6790fa17e3441ce64baed47dda3

                                                                              SHA1

                                                                              8066337d04119abfecf87130e7ac3b446607f1cb

                                                                              SHA256

                                                                              bcc7f864e4ae010574698b2dad119428f9b6a0649887f859cbbe5201a7ee3fd0

                                                                              SHA512

                                                                              23f01e4f90363604a780bf652798fd24c704af7988cc8e98739c7f29cccbbf9b8bc9dfda4c3a6728349e3fafed35c7f0de738c428030b4185af5a4642c22804e

                                                                              Download Submit

                                                                            • C:\Program Files\Java\jre7\Welcome.html.encry
                                                                              Filesize

                                                                              992B

                                                                              MD5

                                                                              e84d2d6b8ee4eee4fec81a6aa3c500fd

                                                                              SHA1

                                                                              7d8a6332be31dcf4b6dbc0e536dd90f5fa9b9237

                                                                              SHA256

                                                                              fad6aa823aee6bc81dbfd37299dca9d3d5aefe039dd0958578366557d065ae16

                                                                              SHA512

                                                                              fd1b92d44b5c4a8cd0f17d2f906bb483da4bf78e8f2651fb9edcfa16164eca6d75beaaaec9a434c12b337dc9a55fc98bc0fa647fdc2ea4ef788b6f0dd959614c

                                                                              Download Submit

                                                                            • C:\Program Files\Java\jre7\bin\server\Xusage.txt.encry
                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              1a8bde0b842a42a68aa68f2a1f42315c

                                                                              SHA1

                                                                              60f4ce46f68c85b3ecb7e10b05f3cdab3b3bd19f

                                                                              SHA256

                                                                              99546f172fd977bd048e6a72e7efe3aa27b3dcf0405bf5fb3f00df2e28ecef7f

                                                                              SHA512

                                                                              88b5b1cc51e0be6279e6aa31a00921091fff41d203cbcefd4b13945e5dd43f5593b40218580463f279b59f023b17cd393a0bcdbf07a62ce6c5f927f2d660d1d8

                                                                              Download Submit

                                                                            • C:\Program Files\VideoLAN\VLC\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              e5179c4fa7f36a3edb0e64606b619126

                                                                              SHA1

                                                                              bebac498e980c3bdcc8395f5915d6c47b34e3a7b

                                                                              SHA256

                                                                              bfeb447482ce1b0396e532471ad7e1c2be9ee05463b8881ce3ebca7eb5600045

                                                                              SHA512

                                                                              dfcb095ae469ca40eeb710c04ae301a9049128ed20185f2b29d996d4270b0d4965b0f513c5eb69b7d657352fbbaa1fb27360df18b5ee2a1cb870158381fb8d87

                                                                              Download Submit

                                                                            • C:\Program Files\VideoLAN\VLC\plugins\access\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              2bdfb304612dff5dc07c30b2be0eaa33

                                                                              SHA1

                                                                              13f9735e231a3ac95741d2bddad1c20935231a43

                                                                              SHA256

                                                                              0210fb60658a244a51cae9519ed1af622bf8dcd7c18a41042aebb6ae3efe973b

                                                                              SHA512

                                                                              d461ee6bc803a7f81c1bde42ba7cbbff6aa5c54862b76a6280f33d03d105f52a9eb7da1d3079ce480fd3fa4e965036ebd26ec9954bcc0cd7c5b60a198482c5bc

                                                                              Download Submit

                                                                            • C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              de2be53206927dc325886f12c3c5eda0

                                                                              SHA1

                                                                              515dd6ab1fa535c62a250c92166b1a1ebe3dcf41

                                                                              SHA256

                                                                              900523097f09abbca42abe3b01c3e3e7c9a4a29a28496090cef4cc14cc59bfc6

                                                                              SHA512

                                                                              00b15767458d2d6934b28c06db1285f6b0844220a867f56a8baef0922ad7f85e716edaa247e996cb89410495266bc96ac531feee39967f435311f45dcfba2380

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\686eroi.exe
                                                                              Filesize

                                                                              460KB

                                                                              MD5

                                                                              8199fd767ee618b4fc8944a8c4b6f2f4

                                                                              SHA1

                                                                              044d366467b55a28d17fd961c4661c2e8b9bcea1

                                                                              SHA256

                                                                              1f700370547685365138c069d02facdc86552d32c82a5aa2f09df69f9d4bfdbd

                                                                              SHA512

                                                                              61ea7fe00d3ddfa04db5bab1f76d302fde92422566819a3a396b4ae9bee980d360f947b2e5d5bbc011e94681def1520814b582e02e0713d942a8a743ee7565aa

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\Retrive116018245270192050.vbs
                                                                              Filesize

                                                                              281B

                                                                              MD5

                                                                              a32c109297ed1ca155598cd295c26611

                                                                              SHA1

                                                                              dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

                                                                              SHA256

                                                                              45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

                                                                              SHA512

                                                                              70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\Retrive7769579416715362525.vbs
                                                                              Filesize

                                                                              276B

                                                                              MD5

                                                                              3bdfd33017806b85949b6faa7d4b98e4

                                                                              SHA1

                                                                              f92844fee69ef98db6e68931adfaa9a0a0f8ce66

                                                                              SHA256

                                                                              9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

                                                                              SHA512

                                                                              ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\WQqIslGakb2746182280062847377.reg
                                                                              Filesize

                                                                              27KB

                                                                              MD5

                                                                              7f97f5f336944d427c03cc730c636b8f

                                                                              SHA1

                                                                              8a50c72b4580c20d4a7bfc7af8f12671bf6715ae

                                                                              SHA256

                                                                              9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57

                                                                              SHA512

                                                                              8f8b5dc16f087bdc73a134b76fd1063765e3c049baca4873d1b9eb30ba59f418395490cafc78a93b1cdcc20461e73c96de34475669715d6ddb93d0b56e6e6c54

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\_0.27390721529108045681802202947732099.class
                                                                              Filesize

                                                                              241KB

                                                                              MD5

                                                                              781fb531354d6f291f1ccab48da6d39f

                                                                              SHA1

                                                                              9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

                                                                              SHA256

                                                                              97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

                                                                              SHA512

                                                                              3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\ustr.jar
                                                                              Filesize

                                                                              479KB

                                                                              MD5

                                                                              1e7b592bb26455df95b31b4e5150fc42

                                                                              SHA1

                                                                              f3c2c45926262b4a70e258d3a363ea7ea12c0293

                                                                              SHA256

                                                                              5ef4265b50a6ef694f1bd8137c56c997e986f9f90d49fb4d94722bfb2246aefe

                                                                              SHA512

                                                                              11c965f1a87c454c2a0a9daf0dd8ba3cfc4e706aa8be8f46866b2f33d9a7721f2738261c57e69e31e686309da7cc591c79c15f02dd3751a39f6336bec1edc004

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\y
                                                                              Filesize

                                                                              83B

                                                                              MD5

                                                                              445e94a8ece8238758d3a897fef6822b

                                                                              SHA1

                                                                              2c5e5cb3ce480d98d74fe5a0ed23d31848ebb407

                                                                              SHA256

                                                                              543e763d191bc04c5564cf6521eeff6c154b74415575303c72b46f32bd24594b

                                                                              SHA512

                                                                              c6347eb9214eab5b8e2f61358153244203480c11d4d83f83e1e37cdd3f922a6e50c5568618fb27cb2a70487d7b9bea44614a065631934fca5894a6daec1f82a6

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Local\Temp\y
                                                                              Filesize

                                                                              39B

                                                                              MD5

                                                                              730a1c06f8273df68828bbebb3e1fab0

                                                                              SHA1

                                                                              1c269bdd515ca992df2c07c2b4c0eda26f1a6c91

                                                                              SHA256

                                                                              da51411ba8d69f112382c4ada4c02ad9e5ab3fcececca4bd50bb11122e473679

                                                                              SHA512

                                                                              1d56e0d3704d75dff9f20347ff3e712c114a1d9e5383e6356a71a9705dd4a3bb311c174c6d026cc60707abc56f7bfda011293a8dbd7f79a299fb712d3ad33f30

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\83aa4cc77f591dfc2374580bbd95f6ba_4d69f9e1-559c-46cf-82ac-67913db47c55
                                                                              Filesize

                                                                              45B

                                                                              MD5

                                                                              c8366ae350e7019aefc9d1e6e6a498c6

                                                                              SHA1

                                                                              5731d8a3e6568a5f2dfbbc87e3db9637df280b61

                                                                              SHA256

                                                                              11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

                                                                              SHA512

                                                                              33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\README.txt.encry
                                                                              Filesize

                                                                              48B

                                                                              MD5

                                                                              267f85e571a841de66737ff8a216220a

                                                                              SHA1

                                                                              e626663fcb2e52209d4478ad905d4e7ae653594f

                                                                              SHA256

                                                                              3c133ae5fcfcdbffa884a7c9795b3464af478e5298755a9470d6e75fcd82918b

                                                                              SHA512

                                                                              706a9555ed81d4a6e61b79c828de35aace6570ba8133ad8b860466fbaee2b784b4942e1feae87818d3c9296538585565ebcbb6952a9499a6565007a502d32f0d

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt.encry
                                                                              Filesize

                                                                              109KB

                                                                              MD5

                                                                              b9345bbbe89c5426d4ae4763d3cc862a

                                                                              SHA1

                                                                              eb07772fd4731200b3bb7354425511c40843178d

                                                                              SHA256

                                                                              b8ec924128ce605d19c1045f157d54157e649cb1d209c2b8e415707981ba9ca0

                                                                              SHA512

                                                                              0c07cce77b05d44afa8d482829cdd1ecadb778c4465306e849b6c0ab69f53ead8eba315153cc71fc89a51a8c905376f51abcf370ccf19f33095f97ac6f9a753f

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt.encry
                                                                              Filesize

                                                                              172KB

                                                                              MD5

                                                                              117ffa5e6648e4e10eabd42faf17e4c3

                                                                              SHA1

                                                                              74bf3952f62d4aac89b44e31df681446c68a70c6

                                                                              SHA256

                                                                              dc228a26571eb8b32d38a0f7548c3a757983a42d720b9bf2a6f3183c1e59a3b1

                                                                              SHA512

                                                                              822c69f069ea219932a7900be3474d4a95fc565304d247a9a0c7bbee4134dcff1820eece323c406d3fb75de86defc02c9649d394413d4bd089070fdbc07a608d

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
                                                                              Filesize

                                                                              809KB

                                                                              MD5

                                                                              df3ca8d16bded6a54977b30e66864d33

                                                                              SHA1

                                                                              b7b9349b33230c5b80886f5c1f0a42848661c883

                                                                              SHA256

                                                                              1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

                                                                              SHA512

                                                                              951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties
                                                                              Filesize

                                                                              3KB

                                                                              MD5

                                                                              0547e7c8dade7157d58f6bf5e74bcce7

                                                                              SHA1

                                                                              f1ef0a100276e7d3adf38b9fbb802d12f4bb8d9f

                                                                              SHA256

                                                                              6953ed5729acafb594c9e81b970f946848453abc6033d4b5519870b58c72abac

                                                                              SHA512

                                                                              b213982a0935465b8d468822912169457b60a55382eba7ee39c62be953512a2d524aa6d01953d05dab981b72c417e62bcdff661bac99534e54778f906ad44d6b

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
                                                                              Filesize

                                                                              153B

                                                                              MD5

                                                                              1e9d8f133a442da6b0c74d49bc84a341

                                                                              SHA1

                                                                              259edc45b4569427e8319895a444f4295d54348f

                                                                              SHA256

                                                                              1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

                                                                              SHA512

                                                                              63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              7da9aa0de33b521b3399a4ffd4078bdb

                                                                              SHA1

                                                                              f188a712f77103d544d4acf91d13dbc664c67034

                                                                              SHA256

                                                                              0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d

                                                                              SHA512

                                                                              9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+10
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              715dc3fcec7a4b845347b628caf46c84

                                                                              SHA1

                                                                              1b194cdd0a0dc5560680c33f19fc2e7c09523cd1

                                                                              SHA256

                                                                              3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08

                                                                              SHA512

                                                                              72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+2
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              e256eccde666f27e69199b07497437b2

                                                                              SHA1

                                                                              b2912c99ee4dff27ab1e3e897a31fc8f0cfcf5d7

                                                                              SHA256

                                                                              9e971632a3e9860a15af04efec3a9d5af9e7220cd4a731c3d9262d00670496a5

                                                                              SHA512

                                                                              460a225678c59a0259edef0c2868a45140ce139a394a00f07245cc1c542b4a74ff6fe36248f2fccc91a30d0a1d59d4ebcc497d6d3c31afad39934463f0496ee4

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+5
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              a2abe32f03e019dbd5c21e71cc0f0db9

                                                                              SHA1

                                                                              25b042eb931fff4e815adcc2ddce3636debf0ae1

                                                                              SHA256

                                                                              27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78

                                                                              SHA512

                                                                              197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+7
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              11f8e73ad57571383afa5eaf6bc0456a

                                                                              SHA1

                                                                              65a736dddd8e9a3f1dd6fbe999b188910b5f7931

                                                                              SHA256

                                                                              0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

                                                                              SHA512

                                                                              578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Indian\Christmas
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              02bc5aaee85e8b96af646d479bb3307c

                                                                              SHA1

                                                                              1bf41be125fe8058d5999555add1ea2a83505e72

                                                                              SHA256

                                                                              e8d8d94f0a94768716701faa977a4d0d6ef93603de925078822f5c7a89cc8fca

                                                                              SHA512

                                                                              e01d82ac33729e7ee14516f5d9ff753559f73143c7aa8a25ed4cc65b59dc364b1a020bc28427f8ec43fec8ef139cf30b09e492d77f15d7b09ae83240cdf8bc14

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\MET
                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              df1d6d7601b75822e9cf454c03c583b6

                                                                              SHA1

                                                                              966737a61ec5f9bcac90154389f5249ca6c0e1e2

                                                                              SHA256

                                                                              f3936669b75c67d577d93655b07629b30371aefd32845f69d7cef09b27409d8c

                                                                              SHA512

                                                                              50f1943794f84faa26ec8aa1175d98dac365ad3a48eda7b1899e57f1e7fe88365d595403131df926c0471900bf1dcf43f534c57bfb2fb33fe5a81870f4e103ba

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Pacific\Port_Moresby
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              ab2fd12cd39fd03d4a2aef0378c5265c

                                                                              SHA1

                                                                              4a75ef59534203a4f19ea1e675b442c003d5b2f4

                                                                              SHA256

                                                                              df69a28476e88043eba1f893859d5ebf8a8d5f4f5a3696e0e0d3aa0fe6701720

                                                                              SHA512

                                                                              a82567f84dd4300733cd233d1b8fd781e73eaf62f2f6d5e33a4129418d9b0dfc1001e1fa3deeed9a8129acd0ecc0e1153bfb154f93f26a4ca484c04e753808bf

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\AST4
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              090c3805a378e5c6f9170de1f08505a0

                                                                              SHA1

                                                                              b462772078f0264c175f7c9998a8e39d6e4bcc64

                                                                              SHA256

                                                                              4ddfc9ed251c2298e6fca3a0742de925442d9164ba230d28e869097d27b74415

                                                                              SHA512

                                                                              67e57206bff887539568596789c8d77bbb843a97a8ea2ae373225ad4c4fd185b6e602d9b171232a2b8811f2911778b9152ba08daac355e7eeb2e1558b1555763

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\CST6
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              37e9ac1310a963cd36e478a2b59160f8

                                                                              SHA1

                                                                              1406eaa01d4eea3b26054871f7d738e4630500e9

                                                                              SHA256

                                                                              04c9e4b0f69a155074b9ff26351265f78090c7ea2f23c5593b7130b4eb1e5e32

                                                                              SHA512

                                                                              0ccc4e958bd34c2a28dca7b9fc3e9ca018ffc6c54d0f24e3db40e86f0bfc5a232228288cce38350bf8140b98c74658d2616e2ef15b2a085a590711cf975982e1

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\PST8
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              f49040ffcebf951b752c194a42ed775e

                                                                              SHA1

                                                                              4632642740c1db115843409f0bc32b9ca8d834d7

                                                                              SHA256

                                                                              7422b2a82603f03d711b7ac7a9bebe5d1e4d9307cd283ce3d2714af46362f934

                                                                              SHA512

                                                                              f7be16b8418f2d57132ccd6b65f40296c80aa2d34634dee839eb2b50c45cb511db1135f8816956bfa90f4f0ca298909adf70787cd8c9e30c894e836f32ef5ed6

                                                                              Download Submit

                                                                            • C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\YST9
                                                                              Filesize

                                                                              27B

                                                                              MD5

                                                                              4fae101fead3cd098a57d1715ca79a97

                                                                              SHA1

                                                                              f0a556f72dea44bd4065cb874398994005bc5237

                                                                              SHA256

                                                                              fbc6ae3bcdbdd8c91acc153bde0862d443afd70b211404879c36045442524b56

                                                                              SHA512

                                                                              c9d2e4c94b8b0e87b251cc22b8e96799268545e73a9ba3cde726ac0797d6c3288344615bcf30fbe8135e7ddb8d429958357b1ba03a7e953a2c7c8eac3c5dde8f

                                                                              Download Submit

                                                                            • C:\Users\Admin\Desktop\00317\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-f7f66376257457e25ebf73eeee699b7eb4fdfe668069bb4c8170e0a050821ede.exe
                                                                              Filesize

                                                                              310KB

                                                                              MD5

                                                                              10b4a7b4acb4b0470d778aee9e13263b

                                                                              SHA1

                                                                              7c0d322ee29fb670988b94e7228b747fc3228e84

                                                                              SHA256

                                                                              f7f66376257457e25ebf73eeee699b7eb4fdfe668069bb4c8170e0a050821ede

                                                                              SHA512

                                                                              cf5318f24bd2a0fa79dd083b2f14578e80cf33c6d741c7d94daf92ef3d6eeef57fa19efdb3cb5e07909a1dc327afcf86d059bc5d4495a952554bf4e4e8dc3ced

                                                                              Download Submit

                                                                            • C:\Users\Admin\Desktop\00317\HEUR-Trojan-Ransom.Win32.Generic-4b5344ff9df658967a626c17eccfb44517998206562efa52167ce9cd3f272592.exe
                                                                              Filesize

                                                                              2.2MB

                                                                              MD5

                                                                              94767d8ce0b8219b000f5b373e779f0e

                                                                              SHA1

                                                                              120dd1214aae7b63b3a7bc596b01916e4b8abd60

                                                                              SHA256

                                                                              4b5344ff9df658967a626c17eccfb44517998206562efa52167ce9cd3f272592

                                                                              SHA512

                                                                              e5c96d6dd9f89c503c41a0c43812ae4ba3f839efab0e4ea6c00045dd2027be9b9a29dbf3da13d29588839cdb5904720ec60ed8c0eaea1364d3451da35ba9010c

                                                                              Download Submit

                                                                            • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.BadRabbit.a-8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe
                                                                              Filesize

                                                                              139KB

                                                                              MD5

                                                                              b14d8faf7f0cbcfad051cefe5f39645f

                                                                              SHA1

                                                                              afeee8b4acff87bc469a6f0364a81ae5d60a2add

                                                                              SHA256

                                                                              8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

                                                                              SHA512

                                                                              f5dcbf3634aedfe5b8d6255e20015555343add5b1be3801e62a5987e86a3e52495b5ce3156e4f63cf095d0cedfb63939eaf39bea379ccac82a10a4182b8ded22

                                                                              Download Submit

                                                                            • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.Blocker.jtuz-e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e.exe
                                                                              Filesize

                                                                              292KB

                                                                              MD5

                                                                              472b1710794d5c420b9d921c484ca9e8

                                                                              SHA1

                                                                              2c1b42e8c8acea5082275b6ea5f5c64ebaf4fa30

                                                                              SHA256

                                                                              e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e

                                                                              SHA512

                                                                              091be55edeed517ad285e7b413fab2d7027b40bd3ed95169a105d5ee16bedecb5a666fe25d95fdf6543952295ea35e2b10e1435936cf0369c1fe67bbd0fd41d9

                                                                              Download Submit

                                                                            • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.Erebus.a-ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
                                                                              Filesize

                                                                              1.2MB

                                                                              MD5

                                                                              0ced87772881b63caf95f1d828ba40c5

                                                                              SHA1

                                                                              6e5fca51a018272d1b1003b16dce6ee9e836908c

                                                                              SHA256

                                                                              ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791

                                                                              SHA512

                                                                              65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb

                                                                              Download Submit

                                                                            • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.Foreign.nzvd-cf9db59cec4cd77609f6214cb6fee1aab2c4d8713bbec62c6779b518ca23fd3b.exe
                                                                              Filesize

                                                                              1.9MB

                                                                              MD5

                                                                              1cccc1aa17ac9ead4809596b5a4a7ca4

                                                                              SHA1

                                                                              0e9b8ec8c8588473e9bd57f03ecfa1daa9044fca

                                                                              SHA256

                                                                              cf9db59cec4cd77609f6214cb6fee1aab2c4d8713bbec62c6779b518ca23fd3b

                                                                              SHA512

                                                                              96a4dcb5622a1165274444a3853357cee62af064d6461bea8a1f8077e78d30bc125483d5887e863ef7f52d6a0a94cb6bf2d34df60efc6cbe97a87fe446a56c68

                                                                              Download Submit

                                                                            • C:\Users\Admin\Desktop\00317\Trojan-Ransom.Win32.Takbum.k-bd6dc195225b09334c248ac01c9a4cd7218167aa521bb4ccd60dafc00320c2a9.exe
                                                                              Filesize

                                                                              792KB

                                                                              MD5

                                                                              db25cc33c946c7f1bfb38d3c462424ae

                                                                              SHA1

                                                                              685d75376453d993135a39906559c733acff8fd9

                                                                              SHA256

                                                                              bd6dc195225b09334c248ac01c9a4cd7218167aa521bb4ccd60dafc00320c2a9

                                                                              SHA512

                                                                              86f371f9304c01365388f9a724df83c3acae7a18a479526b968fabcc478219cd813696cbc8e4506ece6534d78ddcfc172ccc4bf49b994ffe2061c71036a9c334

                                                                              Download Submit

                                                                            • C:\Users\Admin\Desktop\00317\VHO-Trojan-Ransom.NSIS.MyxaH.gen-074689a10ad19a3a57fc23687304e50d371b25736325eec5febc786cec8a8f68.exe
                                                                              Filesize

                                                                              237KB

                                                                              MD5

                                                                              810b8fb26c39519ff65700ef1e113a0e

                                                                              SHA1

                                                                              76fe131f20ab443e75d679316e0fe2ed307d36b7

                                                                              SHA256

                                                                              074689a10ad19a3a57fc23687304e50d371b25736325eec5febc786cec8a8f68

                                                                              SHA512

                                                                              b0851c3ba1c52fa1144283b627882218cbc1286b1ef1b7a5286f45f11c406b2a6c64880b3acffac5a1aa853cf099edb16c6262c7c705e4de785fc858616c964c

                                                                              Download Submit

                                                                            • C:\Users\Admin\Music\ExitWrite.grf
                                                                              Filesize

                                                                              408KB

                                                                              MD5

                                                                              39655e06ea60419f6b4a618625cfab46

                                                                              SHA1

                                                                              3c4c137898f8e0b3c9493ade22e3fad099fb6484

                                                                              SHA256

                                                                              740c37f692a0f01827c76c645c1a2c774cc1dd403274b012b77a12c258e2b3df

                                                                              SHA512

                                                                              6ec9e9e94532226525f57537ea55f0ca21b9070f60c94d6fac7e2344be8a45517cd663b354d980ba777faad636fb1afcfab603c4394d462de85833d6a87113ac

                                                                              Download Submit

                                                                            • C:\Users\Admin\OlwlPKwCfaK\ID.txt
                                                                              Filesize

                                                                              47B

                                                                              MD5

                                                                              fdc0af101881498a2d589cb57e768e51

                                                                              SHA1

                                                                              1d5f5cd86fa3c3c8c9c3cb057a234e2055aa89bd

                                                                              SHA256

                                                                              790ec17b99bafc70c569d7090af74ed06c38f2cf734865a673b1180d5b127341

                                                                              SHA512

                                                                              8b09b4bce9cf764d8ec8ed2d19e7ba8bf62446863e82de1105964abce02ded52ec236c2c662aff92022eee6a59bde2a113cc0689c9670ee9625779b8794ba7f1

                                                                              Download Submit

                                                                            • C:\Users\Admin\fUTkALeaTxM\ID.txt
                                                                              Filesize

                                                                              47B

                                                                              MD5

                                                                              17f3c07bf7f09a47fc50ab0a76481280

                                                                              SHA1

                                                                              2014785bc78cc0e0a4b2967318dafc9db405aca9

                                                                              SHA256

                                                                              b045e94ad507f0c0a51b496a025ffbe96173ba00e28a240e43da6e913e19b286

                                                                              SHA512

                                                                              6d9c49a539063e2ac6a475ec0fc8926ee25ff255d33bba870fb4180d08d5fcb7aa165ef3123895135014a95d29a524507e1a5b82b9b94d37874c81ae51287b70

                                                                              Download Submit

                                                                            • C:\Users\Public\Videos\Sample Videos\!HELP_YOUR_FILES.HTML
                                                                              Filesize

                                                                              4KB

                                                                              MD5

                                                                              e65f94c2cd54e18689342ce5a24b3c4e

                                                                              SHA1

                                                                              f797b915f5e32ef309e0524c77adf1d4a3ee6eb1

                                                                              SHA256

                                                                              da3e2a13a9e8b0109a348d796013dd2c6bd8bf5e062146da3ea52f2eab1a0a1f

                                                                              SHA512

                                                                              5b44f8e4062cc4bc98aee5d9207ef426a50dff191636bb2c91f4ad62f5e40ca51016a9b561dd78e49c4e34585f7b417e41ebdb250d10dd727def06a086640605

                                                                              Download Submit

                                                                            • C:\Windows\System32\test.txt
                                                                              MD5

                                                                              d41d8cd98f00b204e9800998ecf8427e

                                                                              SHA1

                                                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                              SHA256

                                                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                              SHA512

                                                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                              Download Submit

                                                                            • C:\Windows\System32\test.txt
                                                                              Filesize

                                                                              126B

                                                                              MD5

                                                                              a134f710effb2e45388adfe136809dc9

                                                                              SHA1

                                                                              839d58557b8e77231f90e5241a66ecdc42a52e42

                                                                              SHA256

                                                                              356f6714ae77f8dfce1f3aee9869d82f2c7c418adca8f960952d95a2d2f6e13f

                                                                              SHA512

                                                                              751808629cb68197bc27afb7b11f418e9f352e7a6a3f6002844af0f7b70f37125a170ed0234792925e1d1eca3a6fdfa2bc1eebe7b6b49e93a0ebebcedae45336

                                                                              Download Submit

                                                                            • \Users\Admin\AppData\Local\Temp\fascism.dll
                                                                              Filesize

                                                                              11KB

                                                                              MD5

                                                                              3723fbd2bd984ea8e47fc718e26bc5dd

                                                                              SHA1

                                                                              3bae8782819e51d3a8cebf42ff0a670981019756

                                                                              SHA256

                                                                              965af6a5a8ac39b583ed877c30ef5fa456374b0824bf4ae35a43cd2127eadea5

                                                                              SHA512

                                                                              d653776599d791a7cfdadc16ff0fa360fe53ec9ec9ecc10af3d19d01e6844968d69e8cdd0fa968c54401cafe0c3f4112accc29433573227916cc05f02e0a7658

                                                                              Download Submit

                                                                            • \Users\Admin\AppData\Local\Temp\nseC727.tmp\System.dll
                                                                              Filesize

                                                                              11KB

                                                                              MD5

                                                                              375e8a08471dc6f85f3828488b1147b3

                                                                              SHA1

                                                                              1941484ac710fc301a7d31d6f1345e32a21546af

                                                                              SHA256

                                                                              4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

                                                                              SHA512

                                                                              5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

                                                                              Download Submit

                                                                            • \Users\Admin\AppData\Local\Temp\server.exe
                                                                              Filesize

                                                                              516KB

                                                                              MD5

                                                                              27de3aa267ba6a1cfb2ed3919f00a226

                                                                              SHA1

                                                                              75309ced1dc866acef46a23bfe56d1509a4b245a

                                                                              SHA256

                                                                              fd46ec5096c37a4ce0f83018705536be4f753b7a3b4ba5484c9cb978c3b01392

                                                                              SHA512

                                                                              2f52f49984aab21330ac04faf47cc91904b513d27b94063d528d20dafab049e60f4cd1bbf70af6b4a955ba4fa55d8700fca3463274e54a50db43a0db7a8eb821

                                                                              Download Submit

                                                                            • memory/236-42-0x0000000000400000-0x0000000002387000-memory.dmp

                                                                              Filesize

                                                                              31.5MB

                                                                              Download

                                                                            • memory/236-430-0x0000000000400000-0x0000000002387000-memory.dmp

                                                                              Filesize

                                                                              31.5MB

                                                                              Download

                                                                            • memory/236-43-0x00000000002A0000-0x00000000002B7000-memory.dmp

                                                                              Filesize

                                                                              92KB

                                                                              Download

                                                                            • memory/340-432-0x0000000000F80000-0x0000000000FCC000-memory.dmp

                                                                              Filesize

                                                                              304KB

                                                                              Download

                                                                            • memory/944-1205-0x0000000000C80000-0x0000000000D0C000-memory.dmp

                                                                              Filesize

                                                                              560KB

                                                                              Download

                                                                            • memory/944-1207-0x0000000000C80000-0x0000000000D0C000-memory.dmp

                                                                              Filesize

                                                                              560KB

                                                                              Download

                                                                            • memory/1048-3057-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/1048-3093-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/1048-3100-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/1608-1194-0x0000000000400000-0x0000000000509C06-memory.dmp

                                                                              Filesize

                                                                              1.0MB

                                                                              Download

                                                                            • memory/1608-1192-0x0000000000780000-0x0000000000901000-memory.dmp

                                                                              Filesize

                                                                              1.5MB

                                                                              Download

                                                                            • memory/1608-1166-0x0000000000400000-0x000000000050A000-memory.dmp

                                                                              Filesize

                                                                              1.0MB

                                                                              Download

                                                                            • memory/1608-1172-0x0000000000400000-0x0000000000509C06-memory.dmp

                                                                              Filesize

                                                                              1.0MB

                                                                              Download

                                                                            • memory/1608-1171-0x0000000000400000-0x000000000050A000-memory.dmp

                                                                              Filesize

                                                                              1.0MB

                                                                              Download

                                                                            • memory/1608-1169-0x0000000000400000-0x000000000050A000-memory.dmp

                                                                              Filesize

                                                                              1.0MB

                                                                              Download

                                                                            • memory/1608-1168-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/1688-3085-0x0000000001C70000-0x0000000001C71000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/1688-3063-0x0000000001C70000-0x0000000001C71000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/1688-3084-0x0000000001C70000-0x0000000001C71000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2128-1247-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2128-3099-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2128-3095-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2128-3096-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2128-3056-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2128-3043-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2288-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2288-94-0x0000000000400000-0x000000000042A000-memory.dmp

                                                                              Filesize

                                                                              168KB

                                                                              Download

                                                                            • memory/2288-97-0x0000000000400000-0x000000000042A000-memory.dmp

                                                                              Filesize

                                                                              168KB

                                                                              Download

                                                                            • memory/2288-92-0x0000000000400000-0x000000000042A000-memory.dmp

                                                                              Filesize

                                                                              168KB

                                                                              Download

                                                                            • memory/2308-1176-0x0000000000400000-0x000000000086F000-memory.dmp

                                                                              Filesize

                                                                              4.4MB

                                                                              Download

                                                                            • memory/2308-39-0x0000000000400000-0x000000000086F000-memory.dmp

                                                                              Filesize

                                                                              4.4MB

                                                                              Download

                                                                            • memory/2404-1245-0x0000000000400000-0x000000000051F000-memory.dmp

                                                                              Filesize

                                                                              1.1MB

                                                                              Download

                                                                            • memory/2404-3261-0x0000000003400000-0x00000000034A2000-memory.dmp

                                                                              Filesize

                                                                              648KB

                                                                              Download

                                                                            • memory/2404-3260-0x0000000000400000-0x000000000051F000-memory.dmp

                                                                              Filesize

                                                                              1.1MB

                                                                              Download

                                                                            • memory/2404-3119-0x0000000000400000-0x000000000051F000-memory.dmp

                                                                              Filesize

                                                                              1.1MB

                                                                              Download

                                                                            • memory/2440-200-0x0000000010000000-0x0000000010089000-memory.dmp

                                                                              Filesize

                                                                              548KB

                                                                              Download

                                                                            • memory/2440-199-0x00000000035A0000-0x00000000036DC000-memory.dmp

                                                                              Filesize

                                                                              1.2MB

                                                                              Download

                                                                            • memory/2440-185-0x0000000000400000-0x00000000005E9000-memory.dmp

                                                                              Filesize

                                                                              1.9MB

                                                                              Download

                                                                            • memory/2608-40-0x0000000000400000-0x00000000005D5000-memory.dmp

                                                                              Filesize

                                                                              1.8MB

                                                                              Download

                                                                            • memory/2608-35-0x0000000000400000-0x00000000005D5000-memory.dmp

                                                                              Filesize

                                                                              1.8MB

                                                                              Download

                                                                            • memory/2608-377-0x0000000000400000-0x00000000005D5000-memory.dmp

                                                                              Filesize

                                                                              1.8MB

                                                                              Download

                                                                            • memory/2668-3041-0x00000000001C0000-0x00000000001C1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2668-1249-0x00000000001C0000-0x00000000001C1000-memory.dmp

                                                                              Filesize

                                                                              4KB

                                                                              Download

                                                                            • memory/2688-1213-0x0000000000C80000-0x0000000000D0C000-memory.dmp

                                                                              Filesize

                                                                              560KB

                                                                              Download

                                                                            • memory/2688-1215-0x0000000000C80000-0x0000000000D0C000-memory.dmp

                                                                              Filesize

                                                                              560KB

                                                                              Download

                                                                            • memory/2752-1243-0x0000000000C80000-0x0000000000D0C000-memory.dmp

                                                                              Filesize

                                                                              560KB

                                                                              Download

                                                                            • memory/3020-17-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                              Filesize

                                                                              5.9MB

                                                                              Download

                                                                            • memory/3020-18-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                              Filesize

                                                                              5.9MB

                                                                              Download

                                                                            • memory/3020-16-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                                              Filesize

                                                                              5.9MB

                                                                              Download