Analysis

  • max time kernel
    149s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-11-2024 21:33

General

  • Target

    RNSM00282.7z

  • Size

    6.2MB

  • MD5

    5af62ab1200f11c2a8f16099ce18409a

  • SHA1

    9295dfda604e99c80a35b749b260b00b66d60df1

  • SHA256

    97db43529fd69353e9ceefac584cc7a1aec8dbe9f7f444f70b7ac5067e27fe1f

  • SHA512

    24209bca094aed1f29a7856dd440d4dc776dfb7920ed1b1b97b68da8b067f629d907d1cd3c59ade602ea52db5ca8c7a307ca2d01584553f92b92166f3bd186f2

  • SSDEEP

    196608:QH9qbJam61w2+/ZIO6DL9yfgnjlLY0SQo2yP0HMB8ODTFVCZo1DC3:QHYbN6rNvDL/RLK/P4K8WFVCGI3

Malware Config

Extracted

Family

netwire

C2

micro.loginto.me:3360

c0der.ddns.net:3360

bakbumz.ddns.net:3360

Attributes
  • activex_autorun

    true

  • activex_key

    {IGXB136N-WP56-42I3-3EN8-85A00571YU01}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    2016-%Rand%

  • install_path

    %AppData%\Install\Notepad.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    parola

  • registry_autorun

    true

  • startup_name

    Notepad

  • use_mutex

    false
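The attributes above describe two persistence paths for this NetWire build: a Run value named Notepad pointing at %AppData%\Install\Notepad.exe, and an Active Setup Installed Components key whose name, {IGXB136N-WP56-42I3-3EN8-85A00571YU01}, is not a well-formed GUID (it contains letters outside 0-9A-F). The Python below is an added triage example, not part of this report or of any sandbox tooling: it checks autorun entries for those two tells without relying on a hash or domain blocklist. The registry hive locations, the benign comparison entries and the expanded paths are constructed for the example.

```python
"""Triage check for the NetWire persistence artifacts described in the config above.

Added example, not part of the sandbox report: the registry locations and sample
entries are constructed to match the extracted configuration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Active Setup "Installed Components" subkeys are GUIDs: 8-4-4-4-12 hex digits in braces.
# The extracted activex_key {IGXB136N-WP56-42I3-3EN8-85A00571YU01} contains letters
# outside 0-9A-F, so a strict well-formedness check flags it without any blocklist.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)

# Programs that ship in the Windows directory; a copy starting from a user profile
# (the config's %AppData%\Install\Notepad.exe) is masquerading, not the real binary.
WINDOWS_BINARIES = {"notepad.exe", "explorer.exe", "svchost.exe", "lsass.exe"}

# Substrings that place a path inside the user profile, expanded or unexpanded.
PROFILE_MARKERS = ("\\appdata\\", "%appdata%", "%localappdata%", "%userprofile%")


@dataclass
class AutorunEntry:
    key: str      # registry key that holds the entry
    name: str     # Run value name, or Active Setup component subkey name
    command: str  # Run value data, or the Active Setup StubPath


def executable_path(command: str) -> str:
    """Return the program path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_entry(entry: AutorunEntry) -> List[str]:
    """Return the reasons an entry matches the NetWire persistence pattern (empty if none)."""
    reasons = []
    if "active setup\\installed components" in entry.key.lower() and not GUID_RE.match(entry.name):
        reasons.append("Active Setup component name is not a well-formed GUID")
    path = executable_path(entry.command).lower()
    basename = path.rsplit("\\", 1)[-1]
    in_profile = any(marker in path for marker in PROFILE_MARKERS)
    if in_profile and basename in WINDOWS_BINARIES:
        reasons.append(f"{basename} starts from a user profile path instead of the Windows directory")
    if in_profile and "\\install\\" in path:
        reasons.append("autorun target sits in an 'Install' folder under the user profile")
    return reasons


def suspicious_entries(entries: List[AutorunEntry]) -> Dict[str, List[str]]:
    """Map 'key\\name' to its findings for every entry with at least one finding."""
    result = {}
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            result[f"{entry.key}\\{entry.name}"] = reasons
    return result


# Constructed sample: the first two entries mirror the extracted config
# (startup_name, install_path, activex_key); the last two are typical benign entries.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 "Notepad", r"%AppData%\Install\Notepad.exe"),
    AutorunEntry(r"HKCU\Software\Microsoft\Active Setup\Installed Components",
                 "{IGXB136N-WP56-42I3-3EN8-85A00571YU01}", r'"%AppData%\Install\Notepad.exe"'),
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components",
                 "{89820200-ECBD-11cf-8B85-00AA005B4383}", r"C:\Windows\system32\ie4uinit.exe -UserConfig"),
]

if __name__ == "__main__":
    for ident, reasons in suspicious_entries(SAMPLE_ENTRIES).items():
        print(ident)
        for reason in reasons:
            print("  -", reason)
```

The GUID check is the cheap part: every legitimate Active Setup component is keyed by a real GUID, so a malformed name is a finding on its own. The path checks catch the same build if the operator changes the key but keeps copying itself to %AppData%\Install\Notepad.exe (copy_executable is true above). Feed the function with entries exported from Autoruns or a registry hive parser instead of the constructed list.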

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+pofpi.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/70E2D9F0B522C0AF
2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/70E2D9F0B522C0AF
3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/70E2D9F0B522C0AF
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/70E2D9F0B522C0AF
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/70E2D9F0B522C0AF
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/70E2D9F0B522C0AF
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/70E2D9F0B522C0AF
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/70E2D9F0B522C0AF
URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/70E2D9F0B522C0AF

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/70E2D9F0B522C0AF

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/70E2D9F0B522C0AF

http://xlowfznrg4wf7dli.ONION/70E2D9F0B522C0AF

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+lne.txt

Ransom Note
++++++==============================================================================================================+++++++======
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen ?
Specially for your PC was generated personal RSA2048 KEY, both public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
++++++==============================================================================================================+++++++======
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://alcov44uvcwkrend.softpay4562.com/13E9FBFA6C3A8CD7
2. http://tsbfdsv.extr6mchf.com/13E9FBFA6C3A8CD7
3. http://psbc532jm8c.hsh73cu37n1.net/13E9FBFA6C3A8CD7
4. https://vf4xdqg4mp3hnw5g.onion.to/13E9FBFA6C3A8CD7
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: vf4xdqg4mp3hnw5g.onion/13E9FBFA6C3A8CD7
4. Follow the instructions on the site.
IMPORTANT INFORMATION:
Your personal pages:
http://alcov44uvcwkrend.softpay4562.com/13E9FBFA6C3A8CD7
http://tsbfdsv.extr6mchf.com/13E9FBFA6C3A8CD7
http://psbc532jm8c.hsh73cu37n1.net/13E9FBFA6C3A8CD7
https://vf4xdqg4mp3hnw5g.onion.to/13E9FBFA6C3A8CD7
Your personal page (using TOR-Browser): vf4xdqg4mp3hnw5g.onion/13E9FBFA6C3A8CD7
Your personal identification number (if you open the site (or TOR-Browser's) directly): 13E9FBFA6C3A8CD7
++++++==============================================================================================================+++++++======
URLs

http://alcov44uvcwkrend.softpay4562.com/13E9FBFA6C3A8CD7

http://tsbfdsv.extr6mchf.com/13E9FBFA6C3A8CD7

http://psbc532jm8c.hsh73cu37n1.net/13E9FBFA6C3A8CD7

https://vf4xdqg4mp3hnw5g.onion.to/13E9FBFA6C3A8CD7

http://vf4xdqg4mp3hnw5g.onion/13E9FBFA6C3A8CD7

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+man.txt

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://jf73ndna34df.ceorldess.com/13E9FBFA6C3A8CD7
2. http://fqa4dnfh5fsk4.tarsfee.com/13E9FBFA6C3A8CD7
3. http://hrdsjrnvskdjnt.pay4softrn.com/13E9FBFA6C3A8CD7
4. https://t7r67vsrpjcm5dfc.onion.to/13E9FBFA6C3A8CD7
5. https://t7r67vsrpjcm5dfc.tor2web.org/13E9FBFA6C3A8CD7
6. https://t7r67vsrpjcm5dfc.onion.cab/13E9FBFA6C3A8CD7
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: t7r67vsrpjcm5dfc.onion/13E9FBFA6C3A8CD7
4. Follow the instructions on the site.
!!! IMPORTANT INFORMATION: !!!
Your personal pages:
http://jf73ndna34df.ceorldess.com/13E9FBFA6C3A8CD7
http://fqa4dnfh5fsk4.tarsfee.com/13E9FBFA6C3A8CD7
http://hrdsjrnvskdjnt.pay4softrn.com/13E9FBFA6C3A8CD7
https://t7r67vsrpjcm5dfc.onion.to/13E9FBFA6C3A8CD7
!!! Your personal page in TOR Browser: t7r67vsrpjcm5dfc.onion/13E9FBFA6C3A8CD7
!!! Your personal identification ID: 13E9FBFA6C3A8CD7
========!!!!!========!!!!!========!!!!!========!!!!!========!!!!!========!!!!!========!!!!!========!!!!!========!!!!!
URLs

http://jf73ndna34df.ceorldess.com/13E9FBFA6C3A8CD7

http://fqa4dnfh5fsk4.tarsfee.com/13E9FBFA6C3A8CD7

http://hrdsjrnvskdjnt.pay4softrn.com/13E9FBFA6C3A8CD7

https://t7r67vsrpjcm5dfc.onion.to/13E9FBFA6C3A8CD7

https://t7r67vsrpjcm5dfc.tor2web.org/13E9FBFA6C3A8CD7

https://t7r67vsrpjcm5dfc.onion.cab/13E9FBFA6C3A8CD7

http://t7r67vsrpjcm5dfc.onion/13E9FBFA6C3A8CD7

Extracted

Path

C:\Users\Admin\Desktop\_HELP_HELP_HELP_OVA31S_.hta

Family

cerber

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url('data:image/gif;base64,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') left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">&#9745; English</a> <h1>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;</h1> <small id="title">Instructions</small> </div> <div id="languages"> <p>&#9745; Select your language</p> <ul> <li><a href="#" title="English" onclick="return showBlock('en');">English</a></li> <li><a href="#" title="Arabic" 
onclick="return showBlock('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return showBlock('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return showBlock('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return showBlock('fr');">Français</a></li> <li><a href="#" title="German" onclick="return showBlock('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return showBlock('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return showBlock('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return showBlock('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return showBlock('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return showBlock('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return showBlock('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return showBlock('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> <p>Can't you find the necessary files?<br>Is the content of your files not readable?</p> <p>It is normal because the files' names and the data in your files have been encrypted by "Cer&#98;er&nbsp;Rans&#111;mware".</p> <p>It means your files are NOT damaged! Your files are modified only. 
This modification is reversible.<br>From now it is not possible to use your files until they will be decrypted.</p> <p>The only way to decrypt your files safely is to &#98;uy the special decryption software "Cer&#98;er&nbsp;Decryptor".</p> <p>Any attempts to restore your files with the third-party software will be fatal for your files!</p> <hr> <p class="w331208">You can proceed with purchasing of the decryption software at your personal page:</p> <p><span class="info"><span class="updating">Please wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.1a7ivn.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1a7ivn.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1jh5kv.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1jh5kv.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1aghep.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1aghep.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.14kfoz.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.14kfoz.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1ebvqb.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1ebvqb.top/C757-3632-5978-0091-CAB6</a></span></p> <p>If this page cannot be opened &nbsp;<span class="button" onclick="return updUrl('en');">click here</span>&nbsp; to get a new address of your personal page.<br><br>If the address of your personal page is the same as before after you tried to get a new one,<br>you can try to get a new address in one hour.</p> <p>At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.</p> <p>Also at this page you will be able to restore any one file for free to be sure "Cer&#98;er&nbsp;Decryptor" will help you.</p> <hr> <p>If your personal page is not available for a long period there is another way to open your personal page - installation 
and use of Tor&nbsp;Browser:</p> <ol> <li>run your Internet browser (if you do not know wh&#097;t it is run the Internet&nbsp;Explorer);</li> <li>enter or copy the &#097;ddress <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/downlo&#097;d/download-easy.html.en</a> into the address bar of your browser &#097;nd press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor&nbsp;Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor&nbsp;Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened &#097;fter the initialization;</li> <li>type or copy the address <br><span class="info">http://p27dokhpz2n7nvgr.onion/C757-3632-5978-0091-CAB6</span><br> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p> <hr> <p><strong>Additional information:</strong></p> <p>You will find the instructi&#111;ns ("*_HELP_HELP_HELP_*.hta") for rest&#111;ring y&#111;ur files in &#097;ny folder with your encrypted files.</p> <p>The instructions "*_HELP_HELP_HELP_*.hta" in the f&#111;lders with your encrypted files are not viruses! The instructions "*_HELP_HELP_HELP_*.hta" will help you to decrypt your files.</p> <p>Remember! 
The worst situation already happened and n&#111;w the future of your files depends on your determination and speed of your actions.</p> </div> <div id="ar" style="direction: rtl;"> <p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p> <p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cer&#98;er&nbsp;Rans&#111;mware".</p> <p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p> <p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cer&#98;er&nbsp;Decryptor".</p> <p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p> <hr> <p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p> <p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.1a7ivn.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1a7ivn.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1jh5kv.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1jh5kv.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1aghep.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1aghep.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.14kfoz.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.14kfoz.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1ebvqb.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1ebvqb.top/C757-3632-5978-0091-CAB6</a></span></p> <p>في حالة تعذر فتح هذه الصفحة &nbsp;<span class="button" onclick="return updUrl('ar');">انقر هنا</span>&nbsp; لإنشاء عنوان جديد لصفحتك الشخصية.</p> <p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p> <p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل 
مجاني للتأكد من أن "Cer&#98;er&nbsp;Decryptor" سوف يساعدك.</p> <hr> <p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p> <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/C757-3632-5978-0091-CAB6</span><br> في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> <p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p> <hr> <p><strong>معلومات إضافية:</strong></p> <p>سوف تجد إرشادات استعادة الملفات الخاصة بك ("*_HELP_HELP_HELP_*") في أي مجلد مع ملفاتك المشفرة.</p> <p>الإرشادات ("*_HELP_HELP_HELP_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_HELP_HELP_HELP_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p> <p>تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p> </div> <div id="zh"> <p>您找不到所需的文件?<br>您文件的内容无法阅读?</p> 
<p>这是正常的,因为您文件的文件名和数据已经被“Cer&#98;er&nbsp;Rans&#111;mware”加密了。</p> <p>这意味着您的文件并没有损坏!您的文件只是被修改了,这个修改是可逆的,解密之前您无法使用您的文件。</p> <p>安全解密您文件的唯一方式是购买特别的解密软件“Cer&#98;er&nbsp;Decryptor”。</p> <p>任何使用第三方软件恢复您文件的方式对您的文件来说都将是致命的!</p> <hr> <p>您可以在您的个人页面上购买解密软件:</p> <p><span class="info"><span class="updating">请稍候...</span><a class="url" href="http://p27dokhpz2n7nvgr.1a7ivn.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1a7ivn.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1jh5kv.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1jh5kv.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1aghep.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1aghep.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.14kfoz.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.14kfoz.top/C757-3632-5978-0091-CAB6</a><hr><a href="http://p27dokhpz2n7nvgr.1ebvqb.top/C757-3632-5978-0091-CAB6" target="_blank">http://p27dokhpz2n7nvgr.1ebvqb.top/C757-3632-5978-0091-CAB6</a></span></p> <p>如果这个页面无法打开,请 <span class="button" onclick="return updUrl('zh');">点击这里</span> 生成您个人页面的新地址。</p> <p>您将在这个页面上看到如何购买解密软件以恢复您的文件。</p> <p>您可以在这个页面使用“Cer&#98;er&nbsp;Decryptor”免费恢复任何文件。</p> <hr> <p>如果您的个人页面长期不可用,有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器:</p> <ol> <li>使用您的上网浏览器(如果您不知道使用 Internet&nbsp;Explorer 的话);</li> <li>在浏览器的地址栏输入或复制地址 <a href="https://w

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+cljdp.txt

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/59474F67A7E51D49
2. http://b4youfred5485jgsa3453f.italazudda.com/59474F67A7E51D49
3. http://5rport45vcdef345adfkksawe.bematvocal.at/59474F67A7E51D49
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization
3. Type in the address bar: fwgrhsao3aoml7ej.onion/59474F67A7E51D49
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/59474F67A7E51D49
http://b4youfred5485jgsa3453f.italazudda.com/59474F67A7E51D49
http://5rport45vcdef345adfkksawe.bematvocal.at/59474F67A7E51D49
*-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/59474F67A7E51D49
*-*-* Your personal identification ID: 59474F67A7E51D49
URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/59474F67A7E51D49

http://b4youfred5485jgsa3453f.italazudda.com/59474F67A7E51D49

http://5rport45vcdef345adfkksawe.bematvocal.at/59474F67A7E51D49

http://fwgrhsao3aoml7ej.onion/59474F67A7E51D49

http://fwgrhsao3aoml7ej.ONION/59474F67A7E51D49

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

  • Cerber family
  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since December 2016.

  • Locky family
  • Locky_osiris family
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • NetWire RAT payload 2 IoCs
  • Netwire

    NetWire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Netwire family
  • Njrat family
  • TeslaCrypt, AlphaCrypt

    Ransomware that presented itself as a CryptoLocker variant. Shut down by its developers in May 2016, when they released the master decryption key.

  • Teslacrypt family
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Contacts a large (17503) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • ModiLoader Second Stage 5 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 9 IoCs
  • Renames multiple (179) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (263) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 16 IoCs
  • Executes dropped EXE 49 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 15 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 15 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 3 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
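Several of the signatures above (Deletes shadow copies, Interacts with shadow copies, Modifies boot configuration data using bcdedit, Scheduled Task/Job: Scheduled Task, Event Triggered Execution: Netsh Helper DLL) and two command lines in the process tree below (schtasks /Create ... /XML pointing at a file in Temp, and cmd.exe /K launching an executable from AppData\Roaming) can all be caught from process-creation command lines alone. The Python below is an added example, not part of this report: it runs a small rule set over a constructed process-creation log in the form timestamp|pid|ppid|image|command line and counts, per parent process, how many distinct recovery-inhibition commands fired. The schtasks and cmd /K lines reproduce command lines from the process tree; the vssadmin, wmic, bcdedit and netsh lines, all PIDs above 3000, the timestamps and the rule names are constructed to exercise the rules.

```python
"""Command-line detections for the recovery-inhibition and persistence behaviour in this report.

Added example, not part of the sandbox report. Rule names, the log format and the
constructed log lines are assumptions made for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (rule name, MITRE ATT&CK technique, case-insensitive pattern over the command line)
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"vssadmin(\.exe)?\"?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"wmic(\.exe)?\"?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_recovery_disabled", "T1490",
     re.compile(r"bcdedit(\.exe)?\"?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures", "T1490",
     re.compile(r"bcdedit(\.exe)?\"?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    # Task registered from an XML file in a Temp folder, as the process tree shows.
    ("schtasks_create_from_temp_xml", "T1053.005",
     re.compile(r"schtasks(\.exe)?\"?\s+/create\b.*\s/xml\s+\"?[^\"\s]*\\temp\\", re.I)),
    # cmd.exe /K or /C used as a launcher for an executable dropped under AppData.
    ("cmd_launches_appdata_exe", "T1059.003",
     re.compile(r"cmd(\.exe)?\"?\s+/[kc]\s+\"?[^\"]*\\appdata\\[^\"]*\.exe", re.I)),
    ("netsh_add_helper_dll", "T1546.007",
     re.compile(r"netsh(\.exe)?\"?\s+add\s+helper\s+\S", re.I)),
]

# Constructed process-creation log: timestamp|pid|ppid|image|command line.
# Lines with PIDs 536, 2164 and 1316 reproduce command lines from the process tree;
# the remaining lines (PIDs above 3000) are constructed, the last two being benign.
SAMPLE_LOG = r"""
2024-11-19T21:34:01Z|536|2920|C:\Windows\SysWOW64\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\4f6047d6-c9b5-42a4-a781-6f0f5ef8cc4a" /F
2024-11-19T21:34:02Z|2164|2920|C:\Windows\SysWOW64\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Update\4f6047d6-c9b5-42a4-a781-6f0f5ef8cc4a" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1569543683.tmp"
2024-11-19T21:34:03Z|1316|2920|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\adobeupdate.exe"
2024-11-19T21:34:10Z|3004|4000|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-11-19T21:34:11Z|3012|4000|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2024-11-19T21:34:12Z|3020|4000|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
2024-11-19T21:34:13Z|3028|4000|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2024-11-19T21:34:14Z|3036|4001|C:\Windows\System32\netsh.exe|netsh add helper C:\Users\Admin\AppData\Roaming\nethelp.dll
2024-11-19T21:34:20Z|3100|4002|C:\Windows\System32\schtasks.exe|schtasks /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"
2024-11-19T21:34:21Z|3108|4002|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\Admin\Desktop\notes.txt
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse 'timestamp|pid|ppid|image|command line' records; the command line may contain '|'."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return events


def match_rules(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule name, technique) for every rule whose pattern matches the command line."""
    return [(name, technique) for name, technique, pattern in RULES if pattern.search(cmdline)]


def detect(text: str) -> Tuple[List[Tuple[int, str, str]], Dict[int, int]]:
    """Return per-process alerts (pid, rule, technique) and, per parent PID, the number of
    distinct T1490 rules that fired. One stray vssadmin call may be an administrator;
    several different recovery-inhibition commands from one parent is ransomware."""
    alerts = []
    recovery_rules = defaultdict(set)
    for event in parse_log(text):
        for name, technique in match_rules(event["cmdline"]):
            alerts.append((event["pid"], name, technique))
            if technique == "T1490":
                recovery_rules[event["ppid"]].add(name)
    return alerts, {ppid: len(names) for ppid, names in recovery_rules.items()}


if __name__ == "__main__":
    found, recovery = detect(SAMPLE_LOG)
    for pid, rule, technique in found:
        print(f"pid {pid}: {rule} ({technique})")
    for ppid, count in recovery.items():
        print(f"parent {ppid}: {count} distinct recovery-inhibition commands")
```

The rules match on command-line text rather than image path because the process tree shows the 32-bit schtasks.exe and cmd.exe being launched from SysWOW64 while the command line names System32; the schtasks /Delete line does not fire on its own, only the /Create that registers a task from an XML file in Temp does. Keep the per-parent T1490 count as the alerting threshold and the individual rules as context.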

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00282.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1304
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Users\Admin\Desktop\00282\HEUR-Trojan-Ransom.Win32.Generic-f1b5cea52e738db88ecc79bfe309848392fb9d78be4827ddf0f3222280ce8194.exe
      HEUR-Trojan-Ransom.Win32.Generic-f1b5cea52e738db88ecc79bfe309848392fb9d78be4827ddf0f3222280ce8194.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\4f6047d6-c9b5-42a4-a781-6f0f5ef8cc4a" /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:536
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Update\4f6047d6-c9b5-42a4-a781-6f0f5ef8cc4a" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1569543683.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\adobeupdate.exe"
        3⤵
        PID:1316
      • C:\Users\Admin\Desktop\00282\HEUR-Trojan-Ransom.Win32.Shade.gen-903874f34f196c071e5d5d45947d14d4055fe39f297f85199103e1ee99375414.exe
        HEUR-Trojan-Ransom.Win32.Shade.gen-903874f34f196c071e5d5d45947d14d4055fe39f297f85199103e1ee99375414.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:708
        • C:\Users\Admin\Desktop\00282\HEUR-Trojan-Ransom.Win32.Shade.gen-903874f34f196c071e5d5d45947d14d4055fe39f297f85199103e1ee99375414.exe
          HEUR-Trojan-Ransom.Win32.Shade.gen-903874f34f196c071e5d5d45947d14d4055fe39f297f85199103e1ee99375414.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2516
      • C:\Users\Admin\Desktop\00282\HEUR-Trojan-Ransom.Win32.Zerber.gen-c9cd071df9878030ac9273d81c8608c54ddcedd0258e8e556297206d26424cb7.exe
        HEUR-Trojan-Ransom.Win32.Zerber.gen-c9cd071df9878030ac9273d81c8608c54ddcedd0258e8e556297206d26424cb7.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: MapViewOfSection
        PID:2956
        • C:\Users\Admin\Desktop\00282\HEUR-Trojan-Ransom.Win32.Zerber.gen-c9cd071df9878030ac9273d81c8608c54ddcedd0258e8e556297206d26424cb7.exe
          HEUR-Trojan-Ransom.Win32.Zerber.gen-c9cd071df9878030ac9273d81c8608c54ddcedd0258e8e556297206d26424cb7.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2120
      • C:\Users\Admin\Desktop\00282\Trojan-Ransom.MSIL.Cyclone.a-b81c2be2f09d2a25011594b5d4e1ad2626070b8fe18eade90edce4b24ed91968.exe
        Trojan-Ransom.MSIL.Cyclone.a-b81c2be2f09d2a25011594b5d4e1ad2626070b8fe18eade90edce4b24ed91968.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2776
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Xfdpsi.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Xfdpsi.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1808
      • C:\Users\Admin\Desktop\00282\Trojan-Ransom.NSIS.Onion.jrn-2fe3dc08b68486f6f6a8f8f2eb8892bd1f340d254d092dff7d6fadd863f32ec1.exe
        Trojan-Ransom.NSIS.Onion.jrn-2fe3dc08b68486f6f6a8f8f2eb8892bd1f340d254d092dff7d6fadd863f32ec1.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2884
        • C:\Users\Admin\Desktop\00282\Trojan-Ransom.NSIS.Onion.jrn-2fe3dc08b68486f6f6a8f8f2eb8892bd1f340d254d092dff7d6fadd863f32ec1.exe
          C:\Users\Admin\Desktop\00282\Trojan-Ransom.NSIS.Onion.jrn-2fe3dc08b68486f6f6a8f8f2eb8892bd1f340d254d092dff7d6fadd863f32ec1.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:484
          • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
            "C:\Users\Admin\AppData\Roaming\Install\Notepad.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:1840
            • C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
              C:\Users\Admin\AppData\Roaming\Install\Notepad.exe
              5⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2960
      • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Bitman.aerc-878d67e8d1ca84b466420e8c5bcecb0beee739c0cbace827a2dab1f1429c6f85.exe
        Trojan-Ransom.Win32.Bitman.aerc-878d67e8d1ca84b466420e8c5bcecb0beee739c0cbace827a2dab1f1429c6f85.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Bitman.aerc-878d67e8d1ca84b466420e8c5bcecb0beee739c0cbace827a2dab1f1429c6f85.exe
          Trojan-Ransom.Win32.Bitman.aerc-878d67e8d1ca84b466420e8c5bcecb0beee739c0cbace827a2dab1f1429c6f85.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:668
          • C:\Users\Admin\AppData\Roaming\hbjhv-a.exe
            C:\Users\Admin\AppData\Roaming\hbjhv-a.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:1856
            • C:\Users\Admin\AppData\Roaming\hbjhv-a.exe
              C:\Users\Admin\AppData\Roaming\hbjhv-a.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:2196
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe /set {current} bootems off
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1572
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe /set {current} advancedoptions off
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:2460
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe /set {current} optionsedit off
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:2872
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:3060
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe /set {current} recoveryenabled off
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:2424
              • C:\Windows\System32\vssadmin.exe
                "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
                6⤵
                • Interacts with shadow copies
                PID:1912
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00282\TROJAN~4.EXE
            4⤵
              PID:1332
        • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Bitman.bwd-314faedeb271c13cdd9665a3391af87180668f9e3fc8c00ef5c0cc4ea5b8bd6d.exe
          Trojan-Ransom.Win32.Bitman.bwd-314faedeb271c13cdd9665a3391af87180668f9e3fc8c00ef5c0cc4ea5b8bd6d.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2080
          • C:\Users\Admin\AppData\Roaming\qyrepskhf2.exe
            C:\Users\Admin\AppData\Roaming\qyrepskhf2.exe
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:332
            • C:\Windows\System32\vssadmin.exe
              "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
              4⤵
              • Interacts with shadow copies
              PID:1044
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00282\TR759F~1.EXE
            3⤵
              PID:828
          • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Bitman.lsm-1a0c3d07bde5f44928a98d5c3139455f9974ff348095b4bf3b2f4c9b23f1ae03.exe
            Trojan-Ransom.Win32.Bitman.lsm-1a0c3d07bde5f44928a98d5c3139455f9974ff348095b4bf3b2f4c9b23f1ae03.exe
            2⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1420
            • C:\Windows\oyapmgbhhlwn.exe
              C:\Windows\oyapmgbhhlwn.exe
              3⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: RenamesItself
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:2468
              • C:\Windows\System32\wbem\WMIC.exe
                "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:852
              • C:\Windows\SysWOW64\NOTEPAD.EXE
                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
                4⤵
                • System Location Discovery: System Language Discovery
                • Opens file in notepad (likely ransom note)
                PID:4072
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
                4⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                PID:4092
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:275457 /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1528
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:472067 /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3460
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:996371 /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3452
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:2110482 /prefetch:2
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:212
              • C:\Windows\System32\wbem\WMIC.exe
                "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                4⤵
                  PID:2228
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OYAPMG~1.EXE
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:4004
                  • C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\compact.exe
                    "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\compact.exe"
                    5⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3648
                    • C:\Windows\system32\vssadmin.exe
                      "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                      6⤵
                      • Interacts with shadow copies
                      PID:2488
                    • C:\Windows\system32\wbem\wmic.exe
                      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                      6⤵
                        PID:1600
                      • C:\Windows\System32\bcdedit.exe
                        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
                        6⤵
                        • Modifies boot configuration data using bcdedit
                        PID:3328
                      • C:\Windows\System32\bcdedit.exe
                        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
                        6⤵
                        • Modifies boot configuration data using bcdedit
                        PID:1584
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00282\TR33F6~1.EXE
                  3⤵
                    PID:2300
                • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Bitman.nwj-e4b6e8818a14748e013434e722d2653096b44329e5604a6b81159a433cba8d85.exe
                  Trojan-Ransom.Win32.Bitman.nwj-e4b6e8818a14748e013434e722d2653096b44329e5604a6b81159a433cba8d85.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  • Suspicious use of SetWindowsHookEx
                  PID:2716
                  • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Bitman.nwj-e4b6e8818a14748e013434e722d2653096b44329e5604a6b81159a433cba8d85.exe
                    Trojan-Ransom.Win32.Bitman.nwj-e4b6e8818a14748e013434e722d2653096b44329e5604a6b81159a433cba8d85.exe
                    3⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2108
                    • C:\Windows\hwhrrgmjbicc.exe
                      C:\Windows\hwhrrgmjbicc.exe
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:2232
                      • C:\Windows\hwhrrgmjbicc.exe
                        C:\Windows\hwhrrgmjbicc.exe
                        5⤵
                        • Drops startup file
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Drops file in Program Files directory
                        • System Location Discovery: System Language Discovery
                        • Modifies system certificate store
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:3320
                        • C:\Windows\System32\wbem\WMIC.exe
                          "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                          6⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2744
                        • C:\Windows\SysWOW64\NOTEPAD.EXE
                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Opens file in notepad (likely ransom note)
                          PID:3896
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HWHRRG~1.EXE
                          6⤵
                          • System Location Discovery: System Language Discovery
                          PID:4000
                          • C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\compact.exe
                            "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\compact.exe"
                            7⤵
                            • Adds policy Run key to start application
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            • Modifies Control Panel
                            PID:3744
                            • C:\Windows\system32\vssadmin.exe
                              "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                              8⤵
                              • Interacts with shadow copies
                              PID:2336
                            • C:\Windows\system32\wbem\wmic.exe
                              "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                              8⤵
                                PID:3304
                              • C:\Windows\System32\bcdedit.exe
                                "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
                                8⤵
                                • Modifies boot configuration data using bcdedit
                                PID:1816
                              • C:\Windows\System32\bcdedit.exe
                                "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
                                8⤵
                                • Modifies boot configuration data using bcdedit
                                PID:3876
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00282\TRF58D~1.EXE
                        4⤵
                          PID:632
                    • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Blocker.eawb-2ffde1f8c618f58127dc15cf16eebd67ca3faca642fa7370a4a208c12b96a756.exe
                      Trojan-Ransom.Win32.Blocker.eawb-2ffde1f8c618f58127dc15cf16eebd67ca3faca642fa7370a4a208c12b96a756.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:2196
                    • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Blocker.hluv-b11064fe9fb26716d0f4a4de4b838abe7e727007c36a37495592a0f46216d57b.exe
                      Trojan-Ransom.Win32.Blocker.hluv-b11064fe9fb26716d0f4a4de4b838abe7e727007c36a37495592a0f46216d57b.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious use of SetWindowsHookEx
                      PID:1796
                      • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Blocker.hluv-b11064fe9fb26716d0f4a4de4b838abe7e727007c36a37495592a0f46216d57b.exe
                        "C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Blocker.hluv-b11064fe9fb26716d0f4a4de4b838abe7e727007c36a37495592a0f46216d57b.exe"
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        PID:1660
                        • C:\Users\Admin\AppData\Roaming\AdobeART.exe
                          "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
                          4⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2904
                          • C:\Users\Admin\AppData\Roaming\AdobeART.exe
                            "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
                            5⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            PID:2912
                    • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Blocker.ivbh-a943200e2f0d2331ec6eaf7441e4971303fc8db20b745e11ec477d1e2e3372b2.exe
                      Trojan-Ransom.Win32.Blocker.ivbh-a943200e2f0d2331ec6eaf7441e4971303fc8db20b745e11ec477d1e2e3372b2.exe
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:2064
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" echo.>C:\Users\Admin\AppData\Local\Temp\regdrv.exe:Zone.Identifier
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1492
                      • C:\Users\Admin\AppData\Local\Temp\regdrv.exe
                        C:\Users\Admin\AppData\Local\Temp\regdrv.exe
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        PID:2664
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" echo.>C:\Users\Admin\AppData\Roaming\regdrv.exe:Zone.Identifier
                          4⤵
                            PID:2444
                          • C:\Users\Admin\AppData\Roaming\regdrv.exe
                            C:\Users\Admin\AppData\Roaming\regdrv.exe
                            4⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Enumerates connected drives
                            • System Location Discovery: System Language Discovery
                            PID:2660
                      • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Blocker.jxpk-3e4a1ac760fafb91eb7cbbb0c2ce2a5a308f03f7c506cf0c02866271dd4ea60a.exe
                        Trojan-Ransom.Win32.Blocker.jxpk-3e4a1ac760fafb91eb7cbbb0c2ce2a5a308f03f7c506cf0c02866271dd4ea60a.exe
                        2⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:1848
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Octopuscpy.vbs"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:2292
                        • C:\Users\Admin\AppData\Local\Temp\snjr.exe
                          "C:\Users\Admin\AppData\Local\Temp\snjr.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:2236
                          • C:\Users\Admin\AppData\Local\Temp\njrat.exe
                            "C:\Users\Admin\AppData\Local\Temp\njrat.exe"
                            4⤵
                            • Drops startup file
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            PID:2312
                            • C:\Windows\SysWOW64\netsh.exe
                              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\njrat.exe" "njrat.exe" ENABLE
                              5⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              • System Location Discovery: System Language Discovery
                              PID:2872
                      • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Locky.xnv-aaa39db65718c8ea367740e2da1b0eafcd042c7b469fc244e3ebf5ba9244a696.exe
                        Trojan-Ransom.Win32.Locky.xnv-aaa39db65718c8ea367740e2da1b0eafcd042c7b469fc244e3ebf5ba9244a696.exe
                        2⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:1724
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys2868.tmp"
                          3⤵
                            PID:3192
                            • C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\compact.exe
                              "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\compact.exe"
                              4⤵
                                PID:3664
                          • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Shade.yn-a5eeba06ab0d94894a423582d05d0e10728dca46d618503e5ebaa5b911c9be17.exe
                            Trojan-Ransom.Win32.Shade.yn-a5eeba06ab0d94894a423582d05d0e10728dca46d618503e5ebaa5b911c9be17.exe
                            2⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            • Suspicious behavior: MapViewOfSection
                            PID:976
                            • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Shade.yn-a5eeba06ab0d94894a423582d05d0e10728dca46d618503e5ebaa5b911c9be17.exe
                              Trojan-Ransom.Win32.Shade.yn-a5eeba06ab0d94894a423582d05d0e10728dca46d618503e5ebaa5b911c9be17.exe
                              3⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:1580
                          • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.ezzq-6ffc30be8c3d202eaee11f0961d752c9e7762f48f2ed3e2fd22d69f9e9b96ba3.exe
                            Trojan-Ransom.Win32.Zerber.ezzq-6ffc30be8c3d202eaee11f0961d752c9e7762f48f2ed3e2fd22d69f9e9b96ba3.exe
                            2⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:236
                            • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.ezzq-6ffc30be8c3d202eaee11f0961d752c9e7762f48f2ed3e2fd22d69f9e9b96ba3.exe
                              Trojan-Ransom.Win32.Zerber.ezzq-6ffc30be8c3d202eaee11f0961d752c9e7762f48f2ed3e2fd22d69f9e9b96ba3.exe
                              3⤵
                              • Drops startup file
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Sets desktop wallpaper using registry
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1256
                              • C:\Windows\SysWOW64\mshta.exe
                                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_HELP_HELP_HELP_OVA31S_.hta"
                                4⤵
                                • Blocklisted process makes network request
                                • System Location Discovery: System Language Discovery
                                • Modifies Internet Explorer settings
                                PID:2060
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe"
                                4⤵
                                  PID:3168
                            • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.faqb-4d29e02f7f74868e80eb23194417ddacd4f97ff393a316d1aacbeca0e67b80c2.exe
                              Trojan-Ransom.Win32.Zerber.faqb-4d29e02f7f74868e80eb23194417ddacd4f97ff393a316d1aacbeca0e67b80c2.exe
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              • Suspicious use of SetWindowsHookEx
                              PID:1672
                              • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.faqb-4d29e02f7f74868e80eb23194417ddacd4f97ff393a316d1aacbeca0e67b80c2.exe
                                Trojan-Ransom.Win32.Zerber.faqb-4d29e02f7f74868e80eb23194417ddacd4f97ff393a316d1aacbeca0e67b80c2.exe
                                3⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:1408
                            • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
                              Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe
                              2⤵
                              • Adds policy Run key to start application
                              • Drops startup file
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              • Modifies Control Panel
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2584
                              • C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\compact.exe
                                "C:\Users\Admin\AppData\Roaming\{C7CD5A05-A6B9-B06B-3FDB-EB4CCFC45048}\compact.exe"
                                3⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2428
                              • C:\Windows\SysWOW64\cmd.exe
                                /d /c taskkill /t /f /im "Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.gwu-e54f555db8f72232d7c130104c6b8cc5b32887634e8e2da7158252e3c0caf6f3.exe" > NUL
                                3⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                PID:1596
                            • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.txu-be5011d393af2d125a1973732b9180430b9a4ab788f9ddd412fe05d693d390c5.exe
                              Trojan-Ransom.Win32.Zerber.txu-be5011d393af2d125a1973732b9180430b9a4ab788f9ddd412fe05d693d390c5.exe
                              2⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              • Suspicious behavior: MapViewOfSection
                              PID:2552
                              • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.txu-be5011d393af2d125a1973732b9180430b9a4ab788f9ddd412fe05d693d390c5.exe
                                Trojan-Ransom.Win32.Zerber.txu-be5011d393af2d125a1973732b9180430b9a4ab788f9ddd412fe05d693d390c5.exe
                                3⤵
                                • Executes dropped EXE
                                PID:1760
                            • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.uwb-9fded7e2be6826dc2b92ab6d70369cf20bac613ad104ae7d3c72566f93530379.exe
                              Trojan-Ransom.Win32.Zerber.uwb-9fded7e2be6826dc2b92ab6d70369cf20bac613ad104ae7d3c72566f93530379.exe
                              2⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              • Suspicious behavior: MapViewOfSection
                              PID:872
                              • C:\Users\Admin\Desktop\00282\Trojan-Ransom.Win32.Zerber.uwb-9fded7e2be6826dc2b92ab6d70369cf20bac613ad104ae7d3c72566f93530379.exe
                                Trojan-Ransom.Win32.Zerber.uwb-9fded7e2be6826dc2b92ab6d70369cf20bac613ad104ae7d3c72566f93530379.exe
                                3⤵
                                • Executes dropped EXE
                                PID:2988
                          • C:\Windows\system32\taskmgr.exe
                            "C:\Windows\system32\taskmgr.exe" /4
                            1⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:584
                          • C:\Windows\system32\conhost.exe
                            \??\C:\Windows\system32\conhost.exe "-12873321032093491037745609207410547671-156707293120609019681347854810-1626880663"
                            1⤵
                              PID:1572
                            • C:\Windows\system32\vssvc.exe
                              C:\Windows\system32\vssvc.exe
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3048
                            • C:\Windows\SysWOW64\DllHost.exe
                              C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                              1⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of FindShellTrayWindow
                              PID:108
                            • C:\Windows\SysWOW64\DllHost.exe
                              C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
                              1⤵
                              • System Location Discovery: System Language Discovery
                              PID:2868
                            • C:\Windows\system32\AUDIODG.EXE
                              C:\Windows\system32\AUDIODG.EXE 0xc4
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2948
                            • C:\Windows\system32\conhost.exe
                              \??\C:\Windows\system32\conhost.exe "1337789551763400693-47349565016913362671514161126956099600-356827645-1376175181"
                              1⤵
                                PID:632
                              • C:\Windows\SysWOW64\DllHost.exe
                                C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                                1⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of FindShellTrayWindow
                                PID:2064
                              • C:\Windows\SysWOW64\DllHost.exe
                                C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                                1⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of FindShellTrayWindow
                                PID:3472
                              • C:\Windows\system32\DllHost.exe
                                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                1⤵
                                  PID:1816
                                • C:\Program Files\Internet Explorer\iexplore.exe
                                  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\OSIRIS-c571.htm
                                  1⤵
                                    PID:1020
                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:275457 /prefetch:2
                                      2⤵
                                        PID:2708
                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:275472 /prefetch:2
                                        2⤵
                                          PID:748
                                      • C:\Windows\SysWOW64\DllHost.exe
                                        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                                        1⤵
                                          PID:796
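
The process tree above records two behaviours worth turning into detection logic: the Cerber sample's child `cmd.exe` that runs `taskkill /im <dropper> & ping -n 1 127.0.0.1 & del "<dropper>"` (kill the parent, stall for one ping round-trip so the file handle is released, delete the dropper), and `mshta.exe` being launched with an `.hta` ransom note from the user's Desktop. The following is an added example, not the sandbox's own detection logic: a small scanner over process-creation events that flags the self-delete one-liner only when the killed image and the deleted file share a basename, and upgrades the alert when that basename is also the `cmd.exe` parent's image. The event dictionaries (field names `pid`, `ppid`, `image`, `cmdline`, the parent PIDs and the shortened image names) are constructed for the example; the command-line shapes are copied from the tree.

```python
import ntpath
import re

# Constructed sample process-creation events. They are NOT the sandbox's raw
# telemetry; the command lines copy the shapes visible in the process tree
# (Cerber's cmd.exe self-delete, mshta.exe opening the dropped .hta note) plus
# a benign cmd.exe/ping control case. PIDs/PPIDs are assumed for the example.
SAMPLE_EVENTS = [
    {"pid": 2584, "ppid": 1000, "image": r"C:\Users\Admin\Desktop\00282\Zerber.gwu.exe",
     "cmdline": r"Zerber.gwu.exe"},
    {"pid": 1596, "ppid": 2584, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/d /c taskkill /t /f /im "Zerber.gwu.exe" > NUL & ping -n 1 127.0.0.1 > NUL'
                r' & del "C:\Users\Admin\Desktop\00282\Zerber.gwu.exe" > NUL'},
    {"pid": 2060, "ppid": 1672, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_HELP_HELP_HELP_OVA31S_.hta"'},
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 1 127.0.0.1 > NUL"},
]

# taskkill ... /im <name>  (other switches such as /t /f may precede /im)
TASKKILL_RE = re.compile(r'taskkill\b[^&]*?/im\s+"?([^"&\s]+)"?', re.I)
# del "<path>"  up to the next redirection, '&' or end of line
DEL_RE = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:>|&|$)', re.I)
# the stall: ping to loopback or a timeout call, used so the file can be deleted
DELAY_RE = re.compile(r'\bping\b[^&]*?\b(?:127\.0\.0\.1|localhost)\b|\btimeout\b', re.I)
HTA_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.hta)"?', re.I)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def basename(path):
    return ntpath.basename(path).lower()


def detect_self_delete(event, by_pid):
    """cmd.exe one-liner that kills an image, waits, and deletes the same file.
    Returns None or an alert dict; parent_is_target is True when the deleted
    file is the image of the process that spawned this cmd.exe."""
    cmd = event["cmdline"]
    kill, delete = TASKKILL_RE.search(cmd), DEL_RE.search(cmd)
    if not (kill and delete):
        return None
    killed, deleted = basename(kill.group(1)), basename(delete.group(1))
    if killed != deleted:          # kill+del of different files is not self-deletion
        return None
    parent = by_pid.get(event["ppid"])
    return {
        "rule": "cmd_self_delete",
        "pid": event["pid"],
        "target": delete.group(1),
        "delayed": bool(DELAY_RE.search(cmd)),
        "parent_is_target": bool(parent) and basename(parent["image"]) == deleted,
    }


def detect_hta_note(event):
    """mshta.exe launched with an .hta that lives in a user-writable directory."""
    if basename(event["image"]) != "mshta.exe":
        return None
    m = HTA_RE.search(event["cmdline"])
    if not m or not any(d in m.group(1).lower() for d in USER_WRITABLE):
        return None
    return {"rule": "mshta_user_hta", "pid": event["pid"], "hta": m.group(1)}


def scan(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        for hit in (detect_self_delete(e, by_pid), detect_hta_note(e)):
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, `scan` returns two alerts: the self-delete from PID 1596 (delayed, parent is the target) and the Desktop `.hta` launch from PID 2060; the lone `ping` control case produces nothing. Feeding real Sysmon Event ID 1 or EDR process events into the same shape only requires mapping their image and command-line fields onto the dictionary keys used here.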

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+cljdp.html

                                          Filesize

                                          8KB

                                          MD5

                                          1a158517666bd10c2b431c1736dd39c4

                                          SHA1

                                          527f52fd6494de01db57f9f06c7066b471aa0698

                                          SHA256

                                          5124ab8385f9a6b1cc1af010602127217663e5111e9626fb6cee16ec28f561bb

                                          SHA512

                                          6a8b6a1c4b837ccdbd1528db042719ae8499551429193bcd6100f69dd176c4e5bc49585a55debc29a21ed4527ec762dc1d1162e05a3209a5934a5f9e2d4c52f2

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+cljdp.png

                                          Filesize

                                          68KB

                                          MD5

                                          a83c6554cf51c225e7d257837e1dc52a

                                          SHA1

                                          81121023aa50c6d6b278b1c7186634529452d0ad

                                          SHA256

                                          178b2d3165be4a5512c0310577450b3e95fa82974570b52df26cfba80f486fb0

                                          SHA512

                                          21627886f4b6810ce467fba37b94efd8992dc3aa8da8cf352e55d4aa33d9307447eebb07cebcd39b95b33d14125dd7ca77c0b23deda57d56a7a73be6e36d10c1

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+cljdp.txt

                                          Filesize

                                          2KB

                                          MD5

                                          7a40c8cb6513e322362cb4f8cb159979

                                          SHA1

                                          1d5a9562c74ec39beccbc7eff0511209d288b55a

                                          SHA256

                                          53984da5430c3dce29f7729890198bab1fe94fa7ab2712301f4e179d40c93c3b

                                          SHA512

                                          587f8cda7a56ab0bef77bf365aa30706a7ff3797f9a18f1e55ce802d903a2e0a77e50bb8ca48c09f71b6b43837ca4b3fceb86cfcc98416c03e9cca740a4cf025

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+pofpi.html

                                          Filesize

                                          11KB

                                          MD5

                                          be71a7bc7b67509826de75fef63a99f6

                                          SHA1

                                          a5223e1187220eca7de5e7dfffb53199efaf2a3a

                                          SHA256

                                          05b06c51adfbfbfd6d0fbb6eb9da5577a888b30446a43d0c8e35693daf035589

                                          SHA512

                                          2b18c0827993e70f4258b627c3f70ba2055eede67a523bc97769353820a4b608d6138c84c9d4e0574c3cb63ae306a3ae22a9868051b708faf3de489b3d39225c

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+pofpi.png

                                          Filesize

                                          64KB

                                          MD5

                                          39145a65c13a660f0a5234bac9112efe

                                          SHA1

                                          a84f3babb36819ab6d8e7ee6011a647c4d9b4aec

                                          SHA256

                                          93f90e8b88637a6c9e459878aab8567adc39967d1ddb1216b2054aaff3cd8085

                                          SHA512

                                          ec51483e7e7cf3503e77b34f52a8d88ea8f61b1e183c2c87fa5ec24561150ff4c333e6180d33b883d8efa0baf344a4748a0aa7bdf3d491ab9e0a77dcd8e116b3

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+pofpi.txt

                                          Filesize

                                          1KB

                                          MD5

                                          16a414722d759456d25e1f14a9b642b8

                                          SHA1

                                          83965eab4373e8602857de3f2b3f09e280229ae5

                                          SHA256

                                          cb78e6064b34866facf7625ff97e9cb5f9d8c60e2ad3d686e08b3c8717051ced

                                          SHA512

                                          867903c52b0b94579dfe4668bb1950f4bdc8b43fbe7036f4d4c99597fc55fb4fb0f23ac3ca1c73e43d5ac700a3683f27b7915e0fc0ba55005d70794d39f609c9

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+lne.html

                                          Filesize

                                          9KB

                                          MD5

                                          96abf06061ee0feb2d18c4128b63ca22

                                          SHA1

                                          abb59a968bf0156d46b186b011af974fa2b097e3

                                          SHA256

                                          630d7bce2e993c24bc6416269527146db0642ac430d6f823de1887e40dcfcba7

                                          SHA512

                                          348098e6f4d1df2061aa1a2a861ee8e9c12cd058b250deea0c008a3431e2d43c31a93355e59a6fd136b09822ef98963fc9a26a08d3b10ead765106e7723b09f6

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+lne.txt

                                          Filesize

                                          2KB

                                          MD5

                                          fbcb915249bb638ad13d795f9c71b858

                                          SHA1

                                          64d3a21f1aa364d3a5715b9f47a74e8397ad9959

                                          SHA256

                                          a78e2d46cb02675d38a3858595305264a1f1b659992590872607b5b9263ada04

                                          SHA512

                                          f0ca035fa286446c3cc437bdc0941f2443321adcc16cf975f13a0d84105d8513e88259845223e4ad7f867a323c686e053ac0790e43b0f0c19bd5dab92efa331d

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+man.html

                                          Filesize

                                          10KB

                                          MD5

                                          bc9c6e3e8e9c02ceb4f120b2b4b4c7bb

                                          SHA1

                                          367ecd77a6b7f90407deb24ea8ee318a1342563c

                                          SHA256

                                          ded972ae725b68a85a48b5830151dc24651c49aedbe218fdf48fcea4c7adfd95

                                          SHA512

                                          8afd7f2725925319cf40c69d18deb677f4f3f68219c660577d6e0ed6194c1fdbf41c12b353724444e889383a538e607ad265a792ee66fb7ee8bf0bcbc1358f51

                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+man.txt

                                          Filesize

                                          2KB

                                          MD5

                                          479ac1874c6b53c7676030ed1b4c51e0

                                          SHA1

                                          a5e3fce6da79c50d024e4d1d1457680adbaae822

                                          SHA256

                                          d39577a2542490448a148cdc69044dbde9440554f7192ab485d65d5e77bc081d

                                          SHA512

                                          66923f04dd219ebc7798c6c9010866fc525378ba8c16bcedc647cfe310441ed4302e11c65ceac925a1ac0e81413a2b4b12e65738fbb8accb0cd93b2136bcfdbf

                                        • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

                                          Filesize

                                          11KB

                                          MD5

                                          e1b69cc81c0dc8a3605251cb08d2c106

                                          SHA1

                                          04437ef71ecdbf328c41162c2b834841aaf4bfa1

                                          SHA256

                                          4e81436960ad54d3da3b01d05ec65a4845aa3cd5fb4661dde8ea8feb4b4b1eb0

                                          SHA512

                                          6d1b9cf392603b932891a7756c4d60a490e6ec2a56a1fa48e5d30ffc8eef7c3f2d2c5d48510f1187c9a4d2fb451cee4e337ccb4a968bf1ff671a34276b6904bc

                                        • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                          Filesize

                                          109KB

                                          MD5

                                          3e4d9bff95093f80a16c11126af58adc

                                          SHA1

                                          5a20bd7bd578abd23cf73f7885dc8dae2323d8bd

                                          SHA256

                                          72597457359721c31dfaed607b667473060cb3d66499f988b64163996137c585

                                          SHA512

                                          f02839b79657beb1832d9e58ab08328644308947a433f57eab814f22409df18226038c04faf423afb927ee122085cb32f33fa2897e786db13a59466942f30a49

                                        • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

                                          Filesize

                                          173KB

                                          MD5

                                          a8bb5a821c776cc9cb136274b01ca918

                                          SHA1

                                          e05f96659eba1d34b0973725bb954b87491f0091

                                          SHA256

                                          904827e5a11f15aa67d01a641d3a457cd83d925458305641ce5e46fcb074228b

                                          SHA512

                                          a39c733ee0238963b2161fa06bdd480fa9b4c9fbd73bab6e73fccb5e42e591ff065941c091514f902f00b2c7861e7271faa53fd30d81be957fcfff725606da77

                                        • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\OSIRIS-7231.htm

                                          Filesize

                                          8KB

                                          MD5

                                          c4edcfc87f7756bf747707d94bff589b

                                          SHA1

                                          cb38481573b0e62845a23e1dc02af7ab08693088

                                          SHA256

                                          6e862ac77fdbc5cb7585c3224c8ff17beee7c2d1bebeb4c28a0abee29a07afc5

                                          SHA512

                                          ac9fa51cde20dc850bc647d71c4656e031eb96cf8a8162b175f29b98838180898ed9a1aabf23c460b2b2769783b01625547ee7f3a574b6a497f9447ba7044260

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

                                          Filesize

                                          914B

                                          MD5

                                          e4a68ac854ac5242460afd72481b2a44

                                          SHA1

                                          df3c24f9bfd666761b268073fe06d1cc8d4f82a4

                                          SHA256

                                          cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

                                          SHA512

                                          5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

                                          Filesize

                                          1KB

                                          MD5

                                          a266bb7dcc38a562631361bbf61dd11b

                                          SHA1

                                          3b1efd3a66ea28b16697394703a72ca340a05bd5

                                          SHA256

                                          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                                          SHA512

                                          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

                                          Filesize

                                          252B

                                          MD5

                                          b62b0275b6e4cc9a50984caa26dc775b

                                          SHA1

                                          f3b2cdbd6bbab48a3dcb7e2a8004cf75a7953d52

                                          SHA256

                                          4bfb0bce61d664cbf9e0cfcf3e468c5f7d5c173428085a41a62b86dca4903043

                                          SHA512

                                          8c00bfe240351e7fe671435a2048101b7db2d190d668c0a71062153176ea374fbab6f86061b2f64f11beb96345ef0d6dee3d57cd195186f82eac7a8307b9a9e2

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          04801c4cf3ef6ff9e2ec2f88032aab18

                                          SHA1

                                          159d466612765fff9608149592f7c3bf30e0d4e2

                                          SHA256

                                          137d6a8451b26c092699eeae8193d3dfbf53ad31771abaf5230f983120e73a71

                                          SHA512

                                          2545d3bc209c409d79dddbb8c6b8f52535fdd9768abfdb64aaf565c63c57412aa732d5c4b0e0b254879acce1e96c8bc18b09e4de74a069937c8aee52a6055a81

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          46e60dde80acaa2009e82988fb22ce10

                                          SHA1

                                          ac79a1b1170130f9b227d8983170413ccd0efc3e

                                          SHA256

                                          800b13ae61d711eaa80277f27c3f436aaece233113d67be326a620138c9042ef

                                          SHA512

                                          e8f9bf6f39960312ac0bb63e13f0f7a20728de1abd1f2622425ce180062394789e812345f2e698eb83da92dae28603ae2a4f0691158b3be2e9d0ae5d922dd99d

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          a0bb49407ba17c27608a30d3c257ed4c

                                          SHA1

                                          7d5945abd944f1d748b5f96dc535368cc3c4b607

                                          SHA256

                                          c2eedb716c357e01137433069d39bde0612a10f14b6f6e899faac850bdb97efb

                                          SHA512

                                          abafc3f4376cda9a7c81bd9fbf7e2a906e09627411fbe4c02ee8c5c3ea0e41009a700c6bd6307a0bcfa14dc20fa3a2f6896929991765febc846eb85e7c4c1a25

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          8e39cb6988e05c7e9ac1b225cc6e0002

                                          SHA1

                                          ddac83ca3bc806fdf16b46352fc78e2036293eed

                                          SHA256

                                          fab471abc9e5866cd66c8ed0c2ac63f6fe6993fb693eff8bc037200f4def4afb

                                          SHA512

                                          2ac12ddc8636a0aea9f539472301a98b96c4cb584373b8b8ddf6fd8bff70c1d931b74aed6a24e1b52274a39b144f7f655d750b46953805d9e7124d7ab10cd548

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          5b10dbeba5c4c55063603c1304efc86c

                                          SHA1

                                          2b65b1088730617c5e026efbbcec33146a2008ce

                                          SHA256

                                          08b3d172eb72754829777997f127a7f6643a283ab2147f702f6d3dd8b4fbbd14

                                          SHA512

                                          175b6c7087239c24df01eabc8fbe280a90f7044fa062006bf3cecdfe42ab81a6abf18d1f89875618312115add24d31b9d068b5525c2d6ec16542ef317f56dc55

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          b12e00e715ee1d8f0632911a8a3d7c1e

                                          SHA1

                                          395cd6fb0fac88b25025839a96d8448610f7b1f3

                                          SHA256

                                          616327d50b7cc75e08450ec4c9ecbf71bc70d89dc1865d49520cd93013a5ebba

                                          SHA512

                                          c5fabc4bb1a36d1028f7af29bf317dc18a2eff040b2823deca3a9daa9580c9d2dc59b86dec0f2ae4b62ec54d42d1d4a83856d9e0807837d2b7a0322da21dc94c

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          8a46f5ef07821412d626bbb39b55ee33

                                          SHA1

                                          6fe3f540c461a92b92d712bc2411bec3a8d838e0

                                          SHA256

                                          0c0999d81efea081401e334de079b8b437d768983663af707955c589b5ea7cde

                                          SHA512


                                        • \Users\Admin\AppData\Local\Temp\nsj4E03.tmp\System.dll

                                          Filesize

                                          11KB

                                          MD5

                                          3e6bf00b3ac976122f982ae2aadb1c51

                                          SHA1

                                          caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

                                          SHA256

                                          4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

                                          SHA512

                                          1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

                                        • \Users\Admin\AppData\Local\Temp\nst6DA2.tmp\System.dll

                                          Filesize

                                          11KB

                                          MD5

                                          ee260c45e97b62a5e42f17460d406068

                                          SHA1

                                          df35f6300a03c4d3d3bd69752574426296b78695

                                          SHA256

                                          e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

                                          SHA512

                                          a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

                                        • \Users\Admin\AppData\Local\Temp\nsy4DC3.tmp\System.dll

                                          Filesize

                                          11KB

                                          MD5

                                          a4dd044bcd94e9b3370ccf095b31f896

                                          SHA1

                                          17c78201323ab2095bc53184aa8267c9187d5173

                                          SHA256

                                          2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

                                          SHA512

                                          87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

                                        • \Users\Admin\AppData\Local\Temp\nsz6930.tmp\System.dll

                                          Filesize

                                          11KB

                                          MD5

                                          0ff2d70cfdc8095ea99ca2dabbec3cd7

                                          SHA1

                                          10c51496d37cecd0e8a503a5a9bb2329d9b38116

                                          SHA256

                                          982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

                                          SHA512

                                          cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

                                        • \Users\Admin\AppData\Roaming\System.dll

                                          Filesize

                                          11KB

                                          MD5

                                          883eff06ac96966270731e4e22817e11

                                          SHA1

                                          523c87c98236cbc04430e87ec19b977595092ac8

                                          SHA256

                                          44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

                                          SHA512

                                          60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

                                        • \Users\Admin\AppData\Roaming\dishabille.dll

                                          Filesize

                                          69KB

                                          MD5

                                          3c565490d3f4f58777335551ed91cdd4

                                          SHA1

                                          13ff222a2d730817805dca32b227351f8dbca3a2

                                          SHA256

                                          fa9cb897b88c0be18545a7938a5416440cb8a2a331249374e0785509dd5297b0

                                          SHA512

                                          bf4f8b9bd754916887bef285adf6749672f61e2a21ef57059af99bdba82dc3c0575fc575142900c302f77f6e8f729d4b16146e7bfe70f1a2de81184cb4ead70a

                                        • memory/236-220-0x0000000000390000-0x00000000003A2000-memory.dmp
                                          Filesize  72KB
                                        • memory/484-225-0x0000000000400000-0x000000000041E000-memory.dmp
                                          Filesize  120KB
                                        • memory/484-223-0x0000000000400000-0x000000000041E000-memory.dmp
                                          Filesize  120KB
                                        • memory/484-232-0x0000000000400000-0x000000000041E000-memory.dmp
                                          Filesize  120KB
                                        • memory/484-231-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
                                          Filesize  4KB
                                        • memory/484-229-0x0000000000400000-0x000000000041E000-memory.dmp
                                          Filesize  120KB
                                        • memory/484-227-0x0000000000400000-0x000000000041E000-memory.dmp
                                          Filesize  120KB
                                        • memory/584-42-0x0000000140000000-0x00000001405E8000-memory.dmp
                                          Filesize  5.9MB
                                        • memory/584-138-0x0000000140000000-0x00000001405E8000-memory.dmp
                                          Filesize  5.9MB
                                        • memory/584-43-0x0000000140000000-0x00000001405E8000-memory.dmp
                                          Filesize  5.9MB
                                        • memory/668-122-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/668-135-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/668-137-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/668-128-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/668-126-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/668-124-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/668-130-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/668-329-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/668-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
                                          Filesize  4KB
                                        • memory/668-132-0x0000000000400000-0x0000000000485000-memory.dmp
                                          Filesize  532KB
                                        • memory/1420-318-0x0000000000400000-0x00000000004AD000-memory.dmp
                                          Filesize  692KB
                                        • memory/1420-111-0x0000000000400000-0x00000000004AD000-memory.dmp
                                          Filesize  692KB
                                        • memory/1660-139-0x0000000000400000-0x0000000000414000-memory.dmp
                                          Filesize  80KB
                                        • memory/1660-307-0x0000000000400000-0x0000000000414000-memory.dmp
                                          Filesize  80KB
                                        • memory/1660-145-0x0000000000400000-0x0000000000414000-memory.dmp
                                          Filesize  80KB
                                        • memory/1660-144-0x0000000000400000-0x0000000000414000-memory.dmp
                                          Filesize  80KB
                                        • memory/1660-141-0x0000000000400000-0x0000000000414000-memory.dmp
                                          Filesize  80KB
                                        • memory/1848-165-0x0000000000220000-0x0000000000235000-memory.dmp
                                          Filesize  84KB
                                        • memory/1848-166-0x0000000000220000-0x0000000000235000-memory.dmp
                                          Filesize  84KB
                                        • memory/2064-319-0x0000000000400000-0x000000000047C000-memory.dmp
                                          Filesize  496KB
                                        • memory/2120-460-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2120-371-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2120-170-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2120-167-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2120-335-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2516-116-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2516-118-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2516-117-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2516-331-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2516-115-0x0000000000400000-0x00000000005DE000-memory.dmp
                                          Filesize  1.9MB
                                        • memory/2884-199-0x00000000004D0000-0x00000000004EA000-memory.dmp
                                          Filesize  104KB
                                        • memory/2884-317-0x00000000004D0000-0x00000000004EA000-memory.dmp
                                          Filesize  104KB
                                        • memory/2912-327-0x0000000000400000-0x0000000000414000-memory.dmp
                                          Filesize  80KB
                                        • memory/2912-330-0x0000000000400000-0x0000000000414000-memory.dmp
                                          Filesize  80KB
                                        • memory/2912-390-0x0000000000400000-0x0000000000414000-memory.dmp
                                          Filesize  80KB
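The dropped-file digests above are the part of this report that carries over to other systems; the paths do not (the Temp\ns*.tmp directory names change per run, as the NSIS installer's System.dll plugin is extracted to a fresh directory each time, and the Desktop and Roaming paths are the sandbox's). The script below is an added example, not output of the sandbox or code from the sample: it parses a listing in this page's layout (a path bullet followed by Filesize / MD5 / SHA1 / SHA256 / SHA512, accepting both the export's label-on-one-line, value-on-the-next form and label and value on the same line), flags digests of the wrong length, and matches file contents against the set by SHA-256. SAMPLE_LISTING is copied from three of the entries on this page; CONSTRUCTED_BLOB and the constructed/sample.bin entry are made up for the demonstration so the match path has a hit, and memory-dump entries are parsed but not indexed because they carry only a size.

```python
"""Parse a sandbox dropped-files listing into IOC records and match files against it.

Added example, not part of the original report. Entries are the page's own
(path bullet, then Filesize / MD5 / SHA1 / SHA256 / SHA512); the blob matched
at the end and the entry built for it are constructed for the demonstration.
"""
import hashlib
import re
from typing import Dict, List, Optional

FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\b\s*(.*)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Copied from this page's listing: one entry in the flattened export form
# (label on one line, value on the next), one in compact form, one memory dump.
SAMPLE_LISTING = r"""
• \Users\Admin\AppData\Roaming\dishabille.dll
  Filesize
  69KB
  MD5
  3c565490d3f4f58777335551ed91cdd4
  SHA1
  13ff222a2d730817805dca32b227351f8dbca3a2
  SHA256
  fa9cb897b88c0be18545a7938a5416440cb8a2a331249374e0785509dd5297b0
  SHA512
  bf4f8b9bd754916887bef285adf6749672f61e2a21ef57059af99bdba82dc3c0575fc575142900c302f77f6e8f729d4b16146e7bfe70f1a2de81184cb4ead70a
• \Users\Admin\AppData\Local\Temp\nsj4E03.tmp\System.dll
  Filesize  11KB
  MD5       3e6bf00b3ac976122f982ae2aadb1c51
  SHA1      caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
  SHA256    4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
  SHA512    1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706
• memory/236-220-0x0000000000390000-0x00000000003A2000-memory.dmp
  Filesize  72KB
"""


def parse_listing(text: str) -> List[Dict[str, str]]:
    """One dict per bullet; digests lower-cased; blank lines and both layouts tolerated."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                label, value = m.group(1), m.group(2).strip()
                if not value:  # flattened form: value is on the next non-empty line
                    j = i + 1
                    while j < len(lines) and not lines[j]:
                        j += 1
                    if j < len(lines):
                        value, i = lines[j], j
                current[label] = value if label == "Filesize" else value.lower()
        i += 1
    return entries


def malformed_digests(entry: Dict[str, str]) -> List[str]:
    """Digest fields whose value is not hex of the right length (catches truncated copy-paste)."""
    return [algo for algo, n in DIGEST_LEN.items()
            if algo in entry and not re.fullmatch(r"[0-9a-f]{%d}" % n, entry[algo])]


def index_by_sha256(entries: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Key entries by SHA-256 only; MD5/SHA-1 are collision-prone and kept just as corroboration."""
    return {e["SHA256"]: e for e in entries if "SHA256" in e}


def match_bytes(data: bytes, index: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    return index.get(hashlib.sha256(data).hexdigest())


def match_file(path: str, index: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    with open(path, "rb") as fh:
        return match_bytes(fh.read(), index)


# Constructed for the demo: not a real dropped file, just bytes whose digest we control.
CONSTRUCTED_BLOB = b"constructed sample bytes, not a real dropped file\n"


def demo_index() -> Dict[str, Dict[str, str]]:
    """Page entries plus one constructed entry so that match_bytes has a hit to show."""
    entries = parse_listing(SAMPLE_LISTING)
    entries.append({"path": "constructed/sample.bin",
                    "SHA256": hashlib.sha256(CONSTRUCTED_BLOB).hexdigest()})
    return index_by_sha256(entries)


if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        print(e["path"], e.get("Filesize"), e.get("SHA256", "(no digest)"), malformed_digests(e))
    hit = match_bytes(CONSTRUCTED_BLOB, demo_index())
    print("hit:", hit["path"] if hit else None)
```

To use it on a real case, paste the whole dropped-files section of a report into parse_listing, check that malformed_digests is empty for every entry before trusting the set, and run match_file over the files collected from the host. Matching is keyed on SHA-256 alone on purpose: the MD5 and SHA-1 values are worth keeping for cross-referencing other reports, but neither should be the key that decides a hit.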