Analysis

  • max time kernel
    242s
  • max time network
    243s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 22:02

General

  • Target

    RNSM00271.7z

  • Size

    5.4MB

  • MD5

    8e22341d491446a519f87e7bd45e1890

  • SHA1

    0314c9ebc7674b7853007cf70b7133062847d0ec

  • SHA256

    2cccaf2d6e94c09a3479d42cb32152a83a007004a1fa87f6fe6f18aac1eb6d1d

  • SHA512

    d062ed6fbc280bc9e479abfaf9ef92e40d885bc55274b9ef3382f0b297739cc1065a8b3e6b41ba347ca2ed12354b73522ff27fcbb3f2445ee25997fd3c2234ee

  • SSDEEP

    98304:+xiSdzKbFSE3N3bmjiyxWDPNYqrdIP5k6CCRz/ff9oaTk:+xNKJSTqPNbyptRLff9D4

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+vkb.txt

Ransom Note
_______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!!- What happened to your files ? All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. How did this happen ? Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? _______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!! Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist. _______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!!_______!!!!!!!!!!!!!!_______!!!! For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://rbtc23drs.7hdg13udd.com/722623D89ED7C29C 2. http://tsbfdsv.extr6mchf.com/722623D89ED7C29C 3. https://alcov44uvcwkrend.onion.to/722623D89ED7C29C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. 
After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: alcov44uvcwkrend.onion/722623D89ED7C29C 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://rbtc23drs.7hdg13udd.com/722623D89ED7C29C http://tsbfdsv.extr6mchf.com/722623D89ED7C29C https://alcov44uvcwkrend.onion.to/722623D89ED7C29C Your personal page (using TOR-Browser): alcov44uvcwkrend.onion/722623D89ED7C29C Your personal identification number (if you open the site (or TOR-Browser's) directly): 722623D89ED7C29C
URLs

http://rbtc23drs.7hdg13udd.com/722623D89ED7C29C

http://tsbfdsv.extr6mchf.com/722623D89ED7C29C

https://alcov44uvcwkrend.onion.to/722623D89ED7C29C

http://alcov44uvcwkrend.onion/722623D89ED7C29C

Extracted

Path

C:\Users\Public\Pictures\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196 | | 2. http://cerberhhyed5frqa.onion.cab/6221-9649-0738-0063-7196 | | 3. http://cerberhhyed5frqa.onion.nu/6221-9649-0738-0063-7196 | | 4. 
http://cerberhhyed5frqa.onion.link/6221-9649-0738-0063-7196 | | 5. http://cerberhhyed5frqa.tor2web.org/6221-9649-0738-0063-7196 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/6221-9649-0738-0063-7196 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196

http://cerberhhyed5frqa.onion.cab/6221-9649-0738-0063-7196

http://cerberhhyed5frqa.onion.nu/6221-9649-0738-0063-7196

http://cerberhhyed5frqa.onion.link/6221-9649-0738-0063-7196

http://cerberhhyed5frqa.tor2web.org/6221-9649-0738-0063-7196

http://cerberhhyed5frqa.onion/6221-9649-0738-0063-7196

Extracted

Path

C:\Users\Public\Pictures\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196" target="_blank">http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196</a></li> <li><a href="http://cerberhhyed5frqa.onion.cab/6221-9649-0738-0063-7196" target="_blank">http://cerberhhyed5frqa.onion.cab/6221-9649-0738-0063-7196</a></li> <li><a href="http://cerberhhyed5frqa.onion.nu/6221-9649-0738-0063-7196" target="_blank">http://cerberhhyed5frqa.onion.nu/6221-9649-0738-0063-7196</a></li> <li><a href="http://cerberhhyed5frqa.onion.link/6221-9649-0738-0063-7196" target="_blank">http://cerberhhyed5frqa.onion.link/6221-9649-0738-0063-7196</a></li> <li><a href="http://cerberhhyed5frqa.tor2web.org/6221-9649-0738-0063-7196" target="_blank">http://cerberhhyed5frqa.tor2web.org/6221-9649-0738-0063-7196</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196" target="_blank">http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet 
browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196" target="_blank">http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196" target="_blank">http://cerberhhyed5frqa.onion.to/6221-9649-0738-0063-7196</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/6221-9649-0738-0063-7196</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Ctblocker family
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Contacts a large (16421) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 9 IoCs
  • Renames multiple (251) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 38 IoCs
  • Loads dropped DLL 27 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 55 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 13 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Interacts with shadow copies 3 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 29 IoCs
  • Suspicious use of UnmapMainImage 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • Suspicious use of UnmapMainImage
    PID:608
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:3868
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1772
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:1416
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      2⤵
      PID:2164
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:1612
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3896
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3896 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1796
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3908
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:4084
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      2⤵
      PID:3628
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:1936
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:1060
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00271.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2780
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:772
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\Desktop\00271\HEUR-Trojan-Ransom.Win32.Locky.gen-8b884f7d28d6041a42b5daf927d494a39763828d59f43c74cc363558ecffbe9c.exe
      HEUR-Trojan-Ransom.Win32.Locky.gen-8b884f7d28d6041a42b5daf927d494a39763828d59f43c74cc363558ecffbe9c.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: MapViewOfSection
      PID:2044
      • C:\Users\Admin\Desktop\00271\HEUR-Trojan-Ransom.Win32.Locky.gen-8b884f7d28d6041a42b5daf927d494a39763828d59f43c74cc363558ecffbe9c.exe
        HEUR-Trojan-Ransom.Win32.Locky.gen-8b884f7d28d6041a42b5daf927d494a39763828d59f43c74cc363558ecffbe9c.exe
        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2684
                    • C:\Users\Admin\Desktop\00271\HEUR-Trojan-Ransom.Win32.Shade.gen-99fb57bf53f127f880a795d1903505ee06ea7a49f39fb06f579c5379715b2b01.exe
                      HEUR-Trojan-Ransom.Win32.Shade.gen-99fb57bf53f127f880a795d1903505ee06ea7a49f39fb06f579c5379715b2b01.exe
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious behavior: MapViewOfSection
                      PID:1036
                      • C:\Users\Admin\Desktop\00271\HEUR-Trojan-Ransom.Win32.Shade.gen-99fb57bf53f127f880a795d1903505ee06ea7a49f39fb06f579c5379715b2b01.exe
                        HEUR-Trojan-Ransom.Win32.Shade.gen-99fb57bf53f127f880a795d1903505ee06ea7a49f39fb06f579c5379715b2b01.exe
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Adds Run key to start application
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1560
                        • C:\Users\Admin\AppData\Roaming\VFFeWltV\UrycCnar.exe
                          C:\Users\Admin\AppData\Roaming\VFFeWltV\UrycCnar.exe
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: MapViewOfSection
                          PID:2840
                          • C:\Users\Admin\AppData\Roaming\VFFeWltV\UrycCnar.exe
                            C:\Users\Admin\AppData\Roaming\VFFeWltV\UrycCnar.exe
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3432
                        • C:\Windows\SysWOW64\cmd.exe
                          /a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\Desktop\00271\HEUR-T~2.EXE"
                          4⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          PID:3204
                        • C:\Users\Admin\Desktop\00271\heur-trojan-ransom.win32.shade.gen-99fb57bf53f127f880a795d1903505ee06ea7a49f39fb06f579c5379715b2b01.exe
                          "C:\Users\Admin\Desktop\00271\heur-trojan-ransom.win32.shade.gen-99fb57bf53f127f880a795d1903505ee06ea7a49f39fb06f579c5379715b2b01.exe"
                          4⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1728
                    • C:\Users\Admin\Desktop\00271\Trojan-Ransom.NSIS.Agent.n-6916a119de914b05fd4313da5f002585586c00c55fffd19d550101e08a45f371.exe
                      Trojan-Ransom.NSIS.Agent.n-6916a119de914b05fd4313da5f002585586c00c55fffd19d550101e08a45f371.exe
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious behavior: MapViewOfSection
                      PID:2660
                      • C:\Users\Admin\Desktop\00271\Trojan-Ransom.NSIS.Agent.n-6916a119de914b05fd4313da5f002585586c00c55fffd19d550101e08a45f371.exe
                        Trojan-Ransom.NSIS.Agent.n-6916a119de914b05fd4313da5f002585586c00c55fffd19d550101e08a45f371.exe
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:888
                    • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Blocker.jrza-3d38f79934074b902feb4a599785d07899bcac602461310d2410193a22717ad9.exe
                      Trojan-Ransom.Win32.Blocker.jrza-3d38f79934074b902feb4a599785d07899bcac602461310d2410193a22717ad9.exe
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2888
                      • C:\Users\Admin\AppData\Roaming\aEBAaAxx\osfip.exe
                        C:\Users\Admin\AppData\Roaming\aEBAaAxx\osfip.exe
                        3⤵
                        • Modifies visibility of hidden/system files in Explorer
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3856
                        • C:\Windows\SysWOW64\cmd.exe
                          /a /c netsh advfirewall firewall add rule name="aEBAaAxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\aEBAaAxx\osfip.exe"
                          4⤵
                            PID:2044
                          • C:\Users\Admin\AppData\Roaming\aEBAaAxx\osfip.exe
                            "C:\Users\Admin\AppData\Roaming\aEBAaAxx\osfip.exe"
                            4⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3116
                        • C:\Windows\SysWOW64\cmd.exe
                          /a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\Desktop\00271\TROJAN~2.EXE"
                          3⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          PID:1692
                          • C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe
                            "C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe"
                            4⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1212
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            4⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:1764
                      • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Crusis.dq-2b7c4c4370000b258932ffe871e3cd9ec613c223ea129fd164d32070544ee53f.exe
                        Trojan-Ransom.Win32.Crusis.dq-2b7c4c4370000b258932ffe871e3cd9ec613c223ea129fd164d32070544ee53f.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                        PID:2920
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Crusis.dq-2b7c4c4370000b258932ffe871e3cd9ec613c223ea129fd164d32070544ee53f.exe
                          "C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Crusis.dq-2b7c4c4370000b258932ffe871e3cd9ec613c223ea129fd164d32070544ee53f.exe"
                          3⤵
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3640
                      • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Crypmod.aagm-a83edc82b76dbfe858ed9fd208e8384ff097d10afb92a571398806e5e9db11e6.exe
                        Trojan-Ransom.Win32.Crypmod.aagm-a83edc82b76dbfe858ed9fd208e8384ff097d10afb92a571398806e5e9db11e6.exe
                        2⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2828
                        • C:\Users\Admin\AppData\Roaming\mkjtr-a.exe
                          C:\Users\Admin\AppData\Roaming\mkjtr-a.exe
                          3⤵
                          • Drops startup file
                          • Executes dropped EXE
                          • Drops file in Program Files directory
                          • System Location Discovery: System Language Discovery
                          • Modifies system certificate store
                          • Suspicious behavior: RenamesItself
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:3792
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit.exe /set {current} bootems off
                            4⤵
                            • Modifies boot configuration data using bcdedit
                            PID:4084
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit.exe /set {current} advancedoptions off
                            4⤵
                            • Modifies boot configuration data using bcdedit
                            PID:1992
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit.exe /set {current} optionsedit off
                            4⤵
                            • Modifies boot configuration data using bcdedit
                            PID:1704
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
                            4⤵
                            • Modifies boot configuration data using bcdedit
                            PID:2092
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit.exe /set {current} recoveryenabled off
                            4⤵
                            • Modifies boot configuration data using bcdedit
                            PID:1640
                          • C:\Windows\System32\vssadmin.exe
                            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
                            4⤵
                            • Interacts with shadow copies
                            PID:3528
                          • C:\Windows\SysWOW64\NOTEPAD.EXE
                            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
                            4⤵
                            • System Location Discovery: System Language Discovery
                            • Opens file in notepad (likely ransom note)
                            PID:1964
                          • C:\Program Files\Internet Explorer\iexplore.exe
                            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
                            4⤵
                            • Modifies Internet Explorer settings
                            • Suspicious use of SetWindowsHookEx
                            PID:3676
                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3676 CREDAT:275457 /prefetch:2
                              5⤵
                              • System Location Discovery: System Language Discovery
                              • Modifies Internet Explorer settings
                              • Suspicious use of SetWindowsHookEx
                              PID:1212
                            • C:\Windows\system32\WerFault.exe
                              C:\Windows\system32\WerFault.exe -u -p 3676 -s 2032
                              5⤵
                                PID:1296
                            • C:\Windows\System32\vssadmin.exe
                              "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
                              4⤵
                              • Interacts with shadow copies
                              PID:1868
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\mkjtr-a.exe
                              4⤵
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              PID:3940
                              • C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe
                                "C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe"
                                5⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1340
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00271\TROJAN~4.EXE
                            3⤵
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            PID:3980
                            • C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe
                              "C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe"
                              4⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:964
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Foreign.nfve-0ecacf4dd6cb576dbecde849c434ac97bfacbfd64690e35cbd4d738ed08a43cc.exe
                          Trojan-Ransom.Win32.Foreign.nfve-0ecacf4dd6cb576dbecde849c434ac97bfacbfd64690e35cbd4d738ed08a43cc.exe
                          2⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          PID:2444
                          • C:\Windows\SysWOW64\dllhost.exe
                            C:\Windows\SysWOW64\dllhost.exe
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:2548
                            • C:\Windows\SysWOW64\vssadmin.exe
                              vssadmin.exe Delete Shadows /All /Quiet
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Interacts with shadow copies
                              PID:1496
                            • C:\Windows\system32\bcdedit.exe
                              bcdedit.exe /set {default} recoveryenabled No
                              4⤵
                              • Modifies boot configuration data using bcdedit
                              PID:2120
                            • C:\Windows\system32\bcdedit.exe
                              bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                              4⤵
                              • Modifies boot configuration data using bcdedit
                              PID:1256
                          • C:\Windows\SysWOW64\explorer.exe
                            C:\Windows\SysWOW64\explorer.exe
                            3⤵
                            • Drops file in Program Files directory
                            • System Location Discovery: System Language Discovery
                            PID:1804
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 328
                              4⤵
                              • Program crash
                              PID:1068
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Locky.bil-6421e8233f7a1a4aa53e6525ecd65db197c68699ec7e930fb3cd7b0bb66d37dc.exe
                          Trojan-Ransom.Win32.Locky.bil-6421e8233f7a1a4aa53e6525ecd65db197c68699ec7e930fb3cd7b0bb66d37dc.exe
                          2⤵
                          • Executes dropped EXE
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          PID:1356
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Locky.vy-02b76b1e4ec5de4b02cd58efa079744ffde46573bb6c4049f8cdddc69452b32a.exe
                          Trojan-Ransom.Win32.Locky.vy-02b76b1e4ec5de4b02cd58efa079744ffde46573bb6c4049f8cdddc69452b32a.exe
                          2⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          PID:680
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Locky.yr-2c9633c0a2560bfe6afd16bd2a98a3c9280e6561d72e7c2ad905c3de6f9c11ee.exe
                          Trojan-Ransom.Win32.Locky.yr-2c9633c0a2560bfe6afd16bd2a98a3c9280e6561d72e7c2ad905c3de6f9c11ee.exe
                          2⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          PID:2900
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Purga.h-d8978e93ac4bea3b104da71542fbde5c9c7397e6c298f42c3a5fe8b6cac21855.exe
                          Trojan-Ransom.Win32.Purga.h-d8978e93ac4bea3b104da71542fbde5c9c7397e6c298f42c3a5fe8b6cac21855.exe
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          PID:2960
                          • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                            "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\1337\Сроки сдачи отчетности за 2016.docx"
                            3⤵
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: AddClipboardFormatListener
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SetWindowsHookEx
                            PID:3988
                          • C:\Users\Admin\AppData\Roaming\1337\FZur6532.exe
                            "C:\Users\Admin\AppData\Roaming\1337\FZur6532.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Maps connected drives based on registry
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4020
                            • C:\Users\Admin\AppData\Roaming\ur6532.exe
                              "C:\Users\Admin\AppData\Roaming\ur6532.exe"
                              4⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Maps connected drives based on registry
                              • System Location Discovery: System Language Discovery
                              • NTFS ADS
                              PID:1832
                              • C:\Windows\SysWOW64\mshta.exe
                                mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SG','C:\\Users\\Admin\\AppData\\Roaming\\ur6532.exe');}catch(e){}},10);"
                                5⤵
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                • Modifies Internet Explorer settings
                                PID:2080
                              • C:\Windows\SysWOW64\mshta.exe
                                mshta.exe "C:\Users\Admin\Important Information.hta"
                                5⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:3092
                              • C:\Windows\SysWOW64\mshta.exe
                                mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Roaming\\ur6532.exe');close()}catch(e){}},10);"
                                5⤵
                                • System Location Discovery: System Language Discovery
                                PID:3284
                            • C:\Windows\SysWOW64\mshta.exe
                              mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Roaming\\1337\\FZur6532.exe');close()}catch(e){}},10);"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:916
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Shade.kyt-a0173b49137f1ebe3911dd8dbd565d8e6e6a6e8fe06aee9819cd664d835341a6.exe
                          Trojan-Ransom.Win32.Shade.kyt-a0173b49137f1ebe3911dd8dbd565d8e6e6a6e8fe06aee9819cd664d835341a6.exe
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          • Suspicious behavior: MapViewOfSection
                          PID:1284
                          • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Shade.kyt-a0173b49137f1ebe3911dd8dbd565d8e6e6a6e8fe06aee9819cd664d835341a6.exe
                            Trojan-Ransom.Win32.Shade.kyt-a0173b49137f1ebe3911dd8dbd565d8e6e6a6e8fe06aee9819cd664d835341a6.exe
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1456
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Shade.lcm-88a15cf25bd3f541e41c911dd45e667a7a6b45e844a3f9f690dd9ff8c5566ba1.exe
                          Trojan-Ransom.Win32.Shade.lcm-88a15cf25bd3f541e41c911dd45e667a7a6b45e844a3f9f690dd9ff8c5566ba1.exe
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          • Suspicious behavior: MapViewOfSection
                          PID:2992
                          • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Shade.lcm-88a15cf25bd3f541e41c911dd45e667a7a6b45e844a3f9f690dd9ff8c5566ba1.exe
                            Trojan-Ransom.Win32.Shade.lcm-88a15cf25bd3f541e41c911dd45e667a7a6b45e844a3f9f690dd9ff8c5566ba1.exe
                            3⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3336
                        • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Zerber.gqd-0ac405db120a8f54b15f0711941c31e64720b1d779fc254338846304d8073c06.exe
                          Trojan-Ransom.Win32.Zerber.gqd-0ac405db120a8f54b15f0711941c31e64720b1d779fc254338846304d8073c06.exe
                          2⤵
                          • Adds policy Run key to start application
                          • Drops startup file
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          • Modifies Control Panel
                          • Suspicious behavior: CmdExeWriteProcessMemorySpam
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2976
                          • C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe
                            "C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe"
                            3⤵
                            • Adds policy Run key to start application
                            • Drops startup file
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Adds Run key to start application
                            • Checks whether UAC is enabled
                            • Sets desktop wallpaper using registry
                            • System Location Discovery: System Language Discovery
                            • Modifies Control Panel
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3652
                            • C:\Windows\system32\vssadmin.exe
                              "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                              4⤵
                              • Interacts with shadow copies
                              PID:3968
                            • C:\Windows\system32\wbem\wmic.exe
                              "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                              4⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2992
                            • C:\Windows\System32\bcdedit.exe
                              "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
                              4⤵
                              • Modifies boot configuration data using bcdedit
                              PID:3452
                            • C:\Windows\System32\bcdedit.exe
                              "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
                              4⤵
                              • Modifies boot configuration data using bcdedit
                              PID:3564
                            • C:\Program Files\Internet Explorer\iexplore.exe
                              "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
                              4⤵
                              • Modifies Internet Explorer settings
                              • Suspicious use of SetWindowsHookEx
                              PID:1040
                              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1040 CREDAT:275457 /prefetch:2
                                5⤵
                                • System Location Discovery: System Language Discovery
                                • Modifies Internet Explorer settings
                                • Suspicious use of SetWindowsHookEx
                                PID:2084
                              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1040 CREDAT:406530 /prefetch:2
                                5⤵
                                • System Location Discovery: System Language Discovery
                                • Modifies Internet Explorer settings
                                • Suspicious use of SetWindowsHookEx
                                PID:3720
                            • C:\Windows\system32\NOTEPAD.EXE
                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                              4⤵
                                PID:2108
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                                4⤵
                                  PID:1540
                                • C:\Windows\system32\cmd.exe
                                  /d /c taskkill /t /f /im "cacls.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe" > NUL
                                  4⤵
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  PID:3352
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /t /f /im "cacls.exe"
                                    5⤵
                                    • Kills process with taskkill
                                    PID:2608
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 1 127.0.0.1
                                    5⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1076
                              • C:\Windows\SysWOW64\cmd.exe
                                /d /c taskkill /t /f /im "Trojan-Ransom.Win32.Zerber.gqd-0ac405db120a8f54b15f0711941c31e64720b1d779fc254338846304d8073c06.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Zerber.gqd-0ac405db120a8f54b15f0711941c31e64720b1d779fc254338846304d8073c06.exe" > NUL
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • System Network Configuration Discovery: Internet Connection Discovery
                                PID:3828
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /t /f /im "Trojan-Ransom.Win32.Zerber.gqd-0ac405db120a8f54b15f0711941c31e64720b1d779fc254338846304d8073c06.exe"
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3924
                            • C:\Users\Admin\Desktop\00271\VHO-Trojan-Ransom.Win32.Rack.gen-8a695887010a5b63787b92eec20992a2f5e1a1a3f48eb4b4bd7711313e24d13b.exe
                              VHO-Trojan-Ransom.Win32.Rack.gen-8a695887010a5b63787b92eec20992a2f5e1a1a3f48eb4b4bd7711313e24d13b.exe
                              2⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of UnmapMainImage
                              PID:2956
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4036
                          • C:\Windows\system32\taskeng.exe
                            taskeng.exe {AF5A9090-2025-49F0-BD16-787484546D95} S-1-5-18:NT AUTHORITY\System:Service:
                            1⤵
                              PID:2340
                              • C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
                                C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
                                2⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: MapViewOfSection
                                PID:3836
                                • C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
                                  C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
                                  3⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2824
                                  • C:\Windows\SysWOW64\vssadmin.exe
                                    vssadmin delete shadows all
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    • Interacts with shadow copies
                                    PID:1384
                                  • C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
                                    "C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe" -u
                                    4⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: MapViewOfSection
                                    PID:2672
                                    • C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
                                      "C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe" -u
                                      5⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies Internet Explorer settings
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2792
                            • C:\Windows\Explorer.EXE
                              "C:\Windows\Explorer.EXE"
                              1⤵
                              • Boot or Logon Autostart Execution: Active Setup
                              • Sets desktop wallpaper using registry
                              • Modifies Internet Explorer settings
                              • Modifies registry class
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of SetWindowsHookEx
                              PID:2252
                              • C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe
                                "C:\Users\Admin\AppData\Roaming\{03DCD65C-9679-444D-F105-BB6BAC813AA4}\cacls.exe"
                                2⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:1788
                              • C:\Windows\system32\taskmgr.exe
                                "C:\Windows\system32\taskmgr.exe" /4
                                2⤵
                                • Modifies registry class
                                • Suspicious behavior: GetForegroundWindowSpam
                                PID:2728
                              • C:\Windows\SysWOW64\mshta.exe
                                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Important Information.hta"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                • Modifies Internet Explorer settings
                                PID:2908
                              • C:\Windows\system32\NOTEPAD.EXE
                                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\aEBAaAxx\# DECRYPT MY FILES #.txt
                                2⤵
                                  PID:568
                              • C:\Windows\system32\AUDIODG.EXE
                                C:\Windows\system32\AUDIODG.EXE 0x5c4
                                1⤵
                                  PID:3880

                                Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+vkb.html

                                  Filesize

                                  7KB

                                  MD5

                                  fe21b6a3ca7fff53b894ed9b771d3a33

                                  SHA1

                                  aeafd9ccffce589aeb3e285ee1bc7557ff48f685

                                  SHA256

                                  7e2dd188421544c6ccf1c6c18ebd3f84e97c5b5a76db0e83a64c9a8a61422111

                                  SHA512

                                  1010856c42ce447c9611db15718e7b7a5f462df80bdab5ff106584600d4727e9305e99b4fc8dd5a4d140400e2d685467916192a94da1506c838a1cc303f3d96b

                                • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+vkb.txt

                                  Filesize

                                  2KB

                                  MD5

                                  4654626574ee739c79f12b5331fef5c7

                                  SHA1

                                  f943f250be3c06d5ca2b8f5827a49d47f2ec9ee3

                                  SHA256

                                  44d65cb9275e21926d0228da16cd76c0d011e2e81a0f22ee1136daa5481fa6ba

                                  SHA512

                                  6d1b36fc3f7632695c4d3087d5fb188fd56c249dc68381dfbebc1e05ce8565c1c4a28cc15f374f55619acbf8d01299f3f0fc18e1c678ee97d7ef46a264ecf2b0

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

                                  Filesize

                                  914B

                                  MD5

                                  e4a68ac854ac5242460afd72481b2a44

                                  SHA1

                                  df3c24f9bfd666761b268073fe06d1cc8d4f82a4

                                  SHA256

                                  cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

                                  SHA512

                                  5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

                                  Filesize

                                  1KB

                                  MD5

                                  a266bb7dcc38a562631361bbf61dd11b

                                  SHA1

                                  3b1efd3a66ea28b16697394703a72ca340a05bd5

                                  SHA256

                                  df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                                  SHA512

                                  0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

                                  Filesize

                                  252B

                                  MD5

                                  898577c608e05c2f95a3d18b7ef2e917

                                  SHA1

                                  4a56541d181aafc1a2cd82e53a8491e7b5861a4c

                                  SHA256

                                  34e8011a8f480513b3d582cbc63515e97dc63478b9b0ecefbdb51c5461f07446

                                  SHA512

                                  97c90db6ac0d6d8cc418ab55a70c7d5856954e1ad4ed7e535ae3e9486e6adbe5d37d1f7adbdda5c68400b1ed35111faa2ababb7e8eff0c941b53b91198d5d413

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  33a5bb1c6232dcb3bfb72db977004b98

                                  SHA1

                                  6c93afb034e384217c084af3484cc7aca068cf9e

                                  SHA256

                                  9b5b07d081f598ee7a6c4e82bf9907def1d10189a82a94f2cb853ce7b65b5b47

                                  SHA512

                                  693c561582ead232d2d3966d354333eebd8aa15bdeb9bc609b435cb3e26a7bc9449d9f799138d15732e025d8fa7782abbec00df39c9286d12c39943d8fa8f264

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  a9a950b17509049027dc3f888f8dc6da

                                  SHA1

                                  3c5f960ec93c2b2c646d2ff77161cc3ea2590a9b

                                  SHA256

                                  3b50fc0c68860c9e7493a82a5b0f19a5f9edb35a635c5b9ef83075f545381233

                                  SHA512

                                  d7ffec84f9a7f159f290c80cc7e390b595fa63a31402e536d29b8ae75837b6ed08560c3c97a5e3c132f17a07dae3a7a5001a066809fde2f9b0dcf6cb1179b731

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  0a850394a4bafd63849ef58642bda951

                                  SHA1

                                  8881c1128c8cca42d0ca994bbd808d123e8787ea

                                  SHA256

                                  d3c1f734be33564503e53e812897702578657a4e3a488c2b7beb994183801f5b

                                  SHA512

                                  d99dcdcaeb70ae2c47aca9ed85df5f51103d5b2bb812f5377818caa3edc9b47c1a9d522b7c05255391cb3c8214b40990607da33ef311264de6315f5ab8c3f2c6

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  4dacfa6fd9723fc4a1538646137b2192

                                  SHA1

                                  6712a28273c6a569d36001b05e6c5e40756bcfdf

                                  SHA256

                                  4d478eba7c9e6f50907e28f709beaafd45383616c3b4f4ec420b11eeb0b817f2

                                  SHA512

                                  c3d9bb72c2feabfc3484b326abb0b9f371bc3a705753fb181a85fce450db2a1e0f18ddd7bf65a58df5021998a6ad6306fef4279ebe994808d7effe09b2bc2179

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  9ba884eb4b60d1df8a4cc7a41e0dccba

                                  SHA1

                                  912c3668548367955bd723982debe814c7c09f78

                                  SHA256

                                  fcc51326e7cdaa33663321189e875f127992e7f5773ba71dedd6e2d9f68adf9a

                                  SHA512

                                  98f7d7190c5250c7567ac991469e6085e9cf8927406ddc5d83b572b82740a65e76e5fb1883680fdcc520b1e16e253f66448fd280977b0b661052134ccd9b2eb0

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  5dd02ce0f4725089aadede0336dd0760

                                  SHA1

                                  46fca5a4e64d66028b16b890958c98c438838700

                                  SHA256

                                  04131d398454d15a55b863f88b1577ed1dc2c17c306ea216d51c167049e23155

                                  SHA512

                                  ab2a61f253965bfd2862cfb64037e7d876b495f0de0c5a2c6869cbdb9afbd7822fd398e3ebc22c6429054486e52e4f372f09300cb29e10be84a07918d6c532e2

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  8fdffb9f521c909e95d3cb7c942f57fa

                                  SHA1

                                  3e13ec855d144dbc83ced3b85a12072673a189e1

                                  SHA256

                                  d290b6249b242e473679f6a5abaf14c6d356fab4317e69224b414fe59d693c91

                                  SHA512

                                  a47be15f6d34513fba2b6b4a9ee5a42ac6dbc23d09a3a332338e5481ef179dfec5c33c2464ef0e1d3ecaf2e35af2770960f484810897125362d19e69ef830724

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  7baa64edf15f6c47bdf9dc760180f5fa

                                  SHA1

                                  9c74a70a43a10e35e945dc8bbd7a3c13f43667d0

                                  SHA256

                                  e074023feb9c5f57287905bd12f44154dbf3106547bf3390686207518e086c61

                                  SHA512

                                  7a917821ef42f84c61eace7b1bad7d207fc10d72e93164905ed48ff55c98ad8a6d4bd92b82bc69f2723e984b5430c53207d852741561fd09c78535bc7728ea8b

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  46d45ff319f640312a0e82e1a3090856

                                  SHA1

                                  2a86ff15cf58e54289d1817141b24b4fe3de6ba0

                                  SHA256

                                  d91fb97c9237b83ba9d561a669b0c80928986bfc618eada38e0d56bd54fb47fa

                                  SHA512

                                  5f9e6c56c857246f4a94208e1fcf57c76f96a0cda7ef57d53d2176fdddedb3ffad16375931f565113bdfa427bcdcbb80814f5ca9745365a787af583a3727a9e3

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  e4d6892c7248532015a924633591d42e

                                  SHA1

                                  22e00cac6c2478d08f7cc91da1b57f1e154bb888

                                  SHA256

                                  2d5dacdbdd99c89aa0fddf2c1f6439eb9f701d97e4947c26b7504eb031d227c6

                                  SHA512

                                  bee3c6acae759956aaeb006a40e6207683a046868ad19bc87fc39dd3072a31a21658a50df8403bb70e4929707a169b1dc02cd52739d449ce086f1deda942121a

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  7d394858f3c4b1e67cce6a4396549f9a

                                  SHA1

                                  b842e48e3c3f327c29a2f461a2efc1081507c622

                                  SHA256

                                  b9298f84774dcfc9fc23c04fe395fcc9efaf5b6b5344d2aa71a9f52cb3e135e5

                                  SHA512

                                  259dc7d839c5563e0c1bcac9d1ee70080d818e01b55d99433f0d7e107759a14612d1f0ada61804c15e903e869e546447bca86dd4ab8217889c81b414d355c316

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  8babd01fe00fddda077a4ff7d00d2375

                                  SHA1

                                  972315a60b4cce86bc7ef58bc3041ed38e276a18

                                  SHA256

                                  e7c548647ff8d0e18a6584295143f4c3e17c32cfc293894046caccf359399fde

                                  SHA512

                                  b79d76dcf9e62fba76dd7a9616da74ce685fbc4e45105a754a15eb7b80cf5e5b0cac9c25fa63cb636b20713e83c0ed99a0548e47d74a39bec844ad28f369b467

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  a70990546322cf04a4a7e6fcb7a3b9e7

                                  SHA1

                                  d3a667104e2adfff5a4a6c87a7964ac7a20717c2

                                  SHA256

                                  ba905384ced0c1d1d2ede73ed4348d1f4760960102988fb8aa116e3150797f03

                                  SHA512

                                  e5f8ccda90dde640625fdd165331aac57011bdbcd03526be28357601081a35bdafb90799f30f443b525e9e9e8e0e487fece50c23ea25a5023c06a175ba198317

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  01374a2aaa9dea2532f05a77b63b97ba

                                  SHA1

                                  214f03410a8233b9c5957a0e5e142f1937e7ebd4

                                  SHA256

                                  08489d4ead8b343851350476e4587d0c1045ae5def0cd2d05f6f5edfe89da091

                                  SHA512

                                  46d6f9702b8ae8d18846224937f9cec03e34ea9f2e7cd0eeb3aff1f2a19554ce012dd86e9b39d68d5d743ec8da27920548069c1a8844e1f8ab0b0f6e3281cdd8

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  75d0fc690aea0849ce8ddc08a30537a2

                                  SHA1

                                  1071a99728b34c4a3c7be088bd8870f62a12f82d

                                  SHA256

                                  615978a5387612aa4fcf0cfc985d6c0f38226b4b611814567a64bb552c9f49d4

                                  SHA512

                                  95a84146292f7dd055c5474f96a65c1f155825a32131b391e453e3ba69f7f6ab84f40650768348eeaafda861344b1678fb28e69b7c9f4693131ce64f685a10cb

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  27cae550a7a52ad9abc35329a8db6863

                                  SHA1

                                  2a5f085bd334d37f9685092890fad83f030093ec

                                  SHA256

                                  cafbcf19b6eb29d082aebb27c98d0144b975d5cf68e6b840c4b130d5a5d6eebf

                                  SHA512

                                  711f210b25b12c3471fbf6dd5fda6ebfed8194a2828007bbc0244458a4b116bfc3dec7b55b9b0615f3279cf36264714d9cc09a101c53b443e045d201f543fdad

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  47c93607cbe11b6323180791037c885d

                                  SHA1

                                  d18e5e1599ccdb9484cd70237f58dbb499ab2cbb

                                  SHA256

                                  f168cb4f0d9a1802000e132b0af867966b2becbe7dae71d7ce3b1eddb3b680a0

                                  SHA512

                                  1a85a94e1f134f63241545cd5e6ad88b7bb3eef7c0a30cca0df4936b903d15ffe181a0dc433fd9e4e69aaf32b0017ccd619b848a71942950f3df122b2334e7e3

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  ff3175f5315b1a17cde45c829c8c41e3

                                  SHA1

                                  c48750a44dd4cc11d561e16a94c76b8af7d02ee8

                                  SHA256

                                  ac27c77d72412626706c74c1e4fdc7ae8a9b58f425b25cb036dc68130e7cfe3d

                                  SHA512

                                  8ce722d6cf7b075e1abf2a3232d39099e83d745cb6e301840635fada569c79d2eeed61bd8f33d32785f74cc37e8daf73009fab7645ff0826083eeb4f755d8900

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  c17174f1e97a71d84f366992a87be9e0

                                  SHA1

                                  ecca74f03ca910bf88c4feaaa20f01ca8d697efb

                                  SHA256

                                  d7cf9594ed4384bab19ebee531f33c55d99882af72c9b0018d6d21dafc831b9a

                                  SHA512

                                  4e44cc74568da23a73a382a41b45ddcfaf9edd7e689a678b86a7bcfc8cad810e4f9064d71575ceb33f9630695963bc984f4a717a08376821b6b47e57cf07cc2f

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  342B

                                  MD5

                                  58c141469d1c2d5658e5022a95533f0d

                                  SHA1

                                  5d69853da0d8dd82b393ab3d906626113df63ff6

                                  SHA256

                                  44a02806ccee2c52e8158c44b3590175c3fdb3efb7751665e6cb9f717c80eb8d

                                  SHA512

                                  e47133856ce43fa249f4a68801f00c5d7ecf887ee47e5a6b03c27a07cbbfe89deb3e00b63a00840e75604c28b3e3e03440072f10fefe0194a3728332b4fd211b

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                  Filesize: 342B
                                  MD5: d900b1b9d011434671516b76cf662ff3
                                  SHA1: 2c5152730fa63ad36dc2629e83e69646abaceaac
                                  SHA256: 99436e6612967c5d207712f7e1755d9bd772d25f543c9dc70436e206f974c020
                                  SHA512: 48da124f9e7f88032deace66287e5ef78052ef098a93fe46084663c4c41cc4111f4120c09d2b5723c5401844132358855dca1e6867d396945b6fd4589d6a338a

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                  Filesize: 342B
                                  MD5: 4d66d020060dc81f7523479fd13beb4c
                                  SHA1: b9b6a3cf9b344271a8be0732e1a349a8b6331c39
                                  SHA256: 67740e742de9956994969ea3101b3883adc66990b5c38659d64486380a434ab2
                                  SHA512: 824e1de07a1b0f92dd8b7f42eaeeab2114c34b1ffd7bee9a0e342d85fd2bf779e220e95b6e300d5eb93b971e339ab403d4d2ecfe7f43ee7251493b03f5ffac8f

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                  Filesize: 342B
                                  MD5: 2d42dfe1f006e79897e0d3a261721b70
                                  SHA1: e80fb825e4b120d5e64fda61b2d53ab1a7441be0
                                  SHA256: c933a06160b8814e686d3df4f14d686c073ca2b0f6a9d9b613ecf2755ebca095
                                  SHA512: 32734a57bdf95f53aec7dcf48ace3c3920d16a9c9b974ae61cb94c400bae33be38f135d618aed3addd849033bd164c564a1ae66acaa10a82cd74a9d56b249fa0

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                                  Filesize: 242B
                                  MD5: 6ea904cca157f163e4ea18258061b3b1
                                  SHA1: 199e47b8782de00c0750f3fe3eb6f31ea064acf8
                                  SHA256: ca722d6c3fd51abb590fb4c057c8bd2eee7a9a84006ac7dd7b0f1d40b640decc
                                  SHA512: 8087f06cb74671e57bfd22105887ea406127247fd91efbfe90ff9354e633a110a83657426e4b9572aa2e5a35221fdec28c48860d62521477b10d777f7ed1bd76

                                • C:\Users\Admin\AppData\Local\Temp\Cab4F98.tmp
                                  Filesize: 70KB
                                  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
                                  SHA1: 1723be06719828dda65ad804298d0431f6aff976
                                  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                • C:\Users\Admin\AppData\Local\Temp\Tar4F9A.tmp
                                  Filesize: 181KB
                                  MD5: 4ea6026cf93ec6338144661bf1202cd1
                                  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
                                  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                • C:\Users\Admin\AppData\Local\Temp\calculators.html
                                  Filesize: 114KB
                                  MD5: 6c8a1b23bf5eb35318153da762d9021d
                                  SHA1: 038dd5f01e9172988e4a4a7cac49f763ee117635
                                  SHA256: 8b791242e24a292d9b3d038ce37ac27f865d6d3ed9a2a70c366b42da2df7e0ef
                                  SHA512: c442715f124fcd1f8c4d455c7d5c5fa9a063d76b929f8a7395b8597f2071d64db9ca1efb283ba5570c44da69ef37edfca592b84eb30909265102307834317360

                                • C:\Users\Admin\AppData\Local\Temp\~DF1B4B23CD5303A118.TMP
                                  Filesize: 20KB
                                  MD5: 709145b92ccce15d0b6d92e62046c235
                                  SHA1: e8413da827e6919376dadccad32ec695fe232cba
                                  SHA256: af7a6f85fd1a47a478c3d1a02125d7229abc803b1f8cf37aa402ee750211ab8f
                                  SHA512: 51de9a370b482bb5c39fe81841ac348642703db22cd2b7056d29b3c691ef44de16a6504d822d0f6ba77a6389a51613baa546f71c9ba2c2e1113efbf5f9f02218

                                • C:\Users\Admin\AppData\Roaming\1337\FZur6532.exe
                                  Filesize: 46KB
                                  MD5: 9c4ce119f43fa4a8f3613e17b8141a90
                                  SHA1: 53c1ccb476a6908dae6ac4b9843ab0227759526c
                                  SHA256: 844a259a700609ac5b711726db9dc90e18e374c07eaabad115a093f6743051a1
                                  SHA512: 3d1e96d41ff6cff53b2a8d50f94e42a4b5c454b8b4e740c87d69ad693430eaf1f651f808d1c75258392bededf2114caa7f03a170eb5e6877cc055ebdb21aa0d1

                                • C:\Users\Admin\AppData\Roaming\1337\Ñðîêè ñäà÷è îò÷åòíîñòè çà 2016.docx
                                  Filesize: 17KB
                                  MD5: 094fd5646b9a684d99ccaa2f1002991f
                                  SHA1: 7977cf42cd684069b243108945c4d366bd009ede
                                  SHA256: eadf473a0d325d00d7ea76a4c098d93fd46f2aff42f246e37c26cb1e5b748654
                                  SHA512: b6938812a33ddc3a241522c80d15ad46cdad459f80713d7f0018af3f7c0b56e5d9afa3b0a915b1dce4742badff8e1ef1b9c5ab9b78794cf472f6b35eee1ab784

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
                                  Filesize: 19KB
                                  MD5: 6e4fbef155811c2a352d033bb4dbae5b
                                  SHA1: d03b9bee290ccee25a4ff09b49643426d0e0d46a
                                  SHA256: 5f8547bc470ddc7da393af0605c89573ee387fa280625bf9ac26f72cbf1b6f8b
                                  SHA512: 3fa79c91f51e776090b348842cc1ff6ac9c6372cb9adea2970e540f439943bc8ef581f0549a33f29e45b2e414fb1085995be22833038e474d86897f548b3ae69

                                • C:\Users\Admin\Desktop\00271\HEUR-Trojan-Ransom.Win32.Locky.gen-8b884f7d28d6041a42b5daf927d494a39763828d59f43c74cc363558ecffbe9c.exe
                                  Filesize: 147KB
                                  MD5: 800ef41fc73ec73eb5f9715c90fdf247
                                  SHA1: 6c20394de56e31b75844accbf9e317823dab1a95
                                  SHA256: 8b884f7d28d6041a42b5daf927d494a39763828d59f43c74cc363558ecffbe9c
                                  SHA512: 7345d4eabfce95b1e8b38d63d80b9c91ac07ad3b510af70a653f9e5fdcd30bbcfdb87ef606d5df862460cc046448cf1552d8477ec476accccf411c1921527233

                                • C:\Users\Admin\Desktop\00271\HEUR-Trojan-Ransom.Win32.Shade.gen-99fb57bf53f127f880a795d1903505ee06ea7a49f39fb06f579c5379715b2b01.exe
                                  Filesize: 193KB
                                  MD5: f78ceb841082d0c3f6ed13f78c144f04
                                  SHA1: d4d0bd28beb492fb184556a91e0659c1145d2f2b
                                  SHA256: 99fb57bf53f127f880a795d1903505ee06ea7a49f39fb06f579c5379715b2b01
                                  SHA512: 59cc18ea7f692e56cc25edcf33ca11ac00d3f2d36a01b1fdb9efe4d398cf25fce4346cc4421dbb512034055a5d985df57f253b13959deaa364465e14ab6e4923

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.NSIS.Agent.n-6916a119de914b05fd4313da5f002585586c00c55fffd19d550101e08a45f371.exe
                                  Filesize: 783KB
                                  MD5: 9f2605603823db9b57aff4129d631bae
                                  SHA1: 3c59f5b027e6bc009f94d7ec6b9bf27504694e52
                                  SHA256: 6916a119de914b05fd4313da5f002585586c00c55fffd19d550101e08a45f371
                                  SHA512: b3cd9c204b894042fa0616be948badf021fffb6a5ff40d720967f9dffea46552fe359d3423e979315ac0d68107012eade5ed1e2671d3baa5b466c649e97c7bd7

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Blocker.jrza-3d38f79934074b902feb4a599785d07899bcac602461310d2410193a22717ad9.exe
                                  Filesize: 593KB
                                  MD5: 61fa70eaa61d55cbbf8a4f2381f8af42
                                  SHA1: bf15ee1b3e73f13534b83c884716cd05c01d99eb
                                  SHA256: 3d38f79934074b902feb4a599785d07899bcac602461310d2410193a22717ad9
                                  SHA512: 0da8ca98df16ab3861c53f88f471222b94753bf1aff4dc0c5cfae482ad6f6ac804034fc2a4cad979b31d1f42d7222a60d37e72802eb70d6a5b72d660e229f375

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Crusis.dq-2b7c4c4370000b258932ffe871e3cd9ec613c223ea129fd164d32070544ee53f.exe
                                  Filesize: 243KB
                                  MD5: e8932e011d6d8285f99b581715f17f46
                                  SHA1: 88d318cae7066cc8d27156d25935b98069d7c154
                                  SHA256: 2b7c4c4370000b258932ffe871e3cd9ec613c223ea129fd164d32070544ee53f
                                  SHA512: 33615b7b54cdf3106aeb669567479c6dac8a286222244af92960130953c3141e5c8259712d75cb708cb5c41baca002c35525b26747933eeafd49f603fe2655f3

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Crypmod.aagm-a83edc82b76dbfe858ed9fd208e8384ff097d10afb92a571398806e5e9db11e6.exe
                                  Filesize: 403KB
                                  MD5: 667802f02270c1226b3caf2f07bb7dd4
                                  SHA1: 018f3ca4cf43251954ab6cc78f352e5457afd7f0
                                  SHA256: a83edc82b76dbfe858ed9fd208e8384ff097d10afb92a571398806e5e9db11e6
                                  SHA512: d7eb1d476192135437f9a139cda9e8b0c73f14f794a436cafbaa71119e50801a844888e7a0863a3ff97659c9b90df21481cc53bf3560dadd9f8ddb0111e1cb1b

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Foreign.nfve-0ecacf4dd6cb576dbecde849c434ac97bfacbfd64690e35cbd4d738ed08a43cc.exe
                                  Filesize: 249KB
                                  MD5: 40c3e1207db30cbbadacafd66f215443
                                  SHA1: 381151aede4db5f0f17a922a6b6772f713c6d6c6
                                  SHA256: 0ecacf4dd6cb576dbecde849c434ac97bfacbfd64690e35cbd4d738ed08a43cc
                                  SHA512: c9be37975ddd109464850ffe00da4c5f7d415121f58166823d81290fc6c0c70faf9cfd73a238b929019ecc802f15334c8f4f1bdd77db5a656f04bfa40993ae74

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Locky.bil-6421e8233f7a1a4aa53e6525ecd65db197c68699ec7e930fb3cd7b0bb66d37dc.exe
                                  Filesize: 244KB
                                  MD5: 8958cb75191d894721a3f9b84e6d9607
                                  SHA1: f0227ecc327522954505625f86fb82ea24a5260d
                                  SHA256: 6421e8233f7a1a4aa53e6525ecd65db197c68699ec7e930fb3cd7b0bb66d37dc
                                  SHA512: 66e09c4310d79ad724573186f3c8477b9e0bec76c44946e4a5118240c24ab8310b847efced133d321fec8f8378747a28ff19685bb0115573a59ac463bd152799

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Locky.vy-02b76b1e4ec5de4b02cd58efa079744ffde46573bb6c4049f8cdddc69452b32a.exe
                                  Filesize: 193KB
                                  MD5: 7266144328364e7a813780f6db1233b5
                                  SHA1: 0441deeafdda044246d3a396e8bcc23c3ff7bff1
                                  SHA256: 02b76b1e4ec5de4b02cd58efa079744ffde46573bb6c4049f8cdddc69452b32a
                                  SHA512: 9f2e65c50c827a59cc4e9b27d2380055db199aa82f66efd4bf824ff3ea0aae31e144732212b910e94572028ca3c3a64375032c49718e81713239280381dbba68

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Locky.yr-2c9633c0a2560bfe6afd16bd2a98a3c9280e6561d72e7c2ad905c3de6f9c11ee.exe
                                  Filesize: 114KB
                                  MD5: 0ce07339e9fb4822d4a167383bf6507b
                                  SHA1: cf2da0f9eec16c913567ffd60de35fe78b404c8c
                                  SHA256: 2c9633c0a2560bfe6afd16bd2a98a3c9280e6561d72e7c2ad905c3de6f9c11ee
                                  SHA512: 59a26314be15f62aa24eb865a5d5b78c8588255b3379873de59398d8c2545e044b3b2487094f64f84f27d67e1c5089674fa11ea64fef59aab2abcb2ee05ba507

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Purga.h-d8978e93ac4bea3b104da71542fbde5c9c7397e6c298f42c3a5fe8b6cac21855.exe
                                  Filesize: 113KB
                                  MD5: d266ff1044c75bceeee0af47a67d31da
                                  SHA1: 8a42b5e3c3d1216e3426bab100ce586342062d2c
                                  SHA256: d8978e93ac4bea3b104da71542fbde5c9c7397e6c298f42c3a5fe8b6cac21855
                                  SHA512: 011b94885ef44b7636c242029463705b7a9be287db3192dea4a51c375f61fbc75244cc743d170b2e3862ac24d73c4b7352f3b0be0548da9eb32d7f37245a9455

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Shade.kyt-a0173b49137f1ebe3911dd8dbd565d8e6e6a6e8fe06aee9819cd664d835341a6.exe
                                  Filesize: 884KB
                                  MD5: ee0a9d8b1161f9d286f1bfd3c48e1cda
                                  SHA1: fa6edb3521664f01314cff629d5accbc570e2499
                                  SHA256: a0173b49137f1ebe3911dd8dbd565d8e6e6a6e8fe06aee9819cd664d835341a6
                                  SHA512: 814293e9f366a8a447648eb2e36355135a59d68d3c8884a4336d48a4a12121f9013809dc693c5618e039e79baaed8ca7b9e2461d3afebe9a1b834d276ff95a63

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Shade.lcm-88a15cf25bd3f541e41c911dd45e667a7a6b45e844a3f9f690dd9ff8c5566ba1.exe
                                  Filesize: 923KB
                                  MD5: 90293bec8160276d18b58aeb35cdbf79
                                  SHA1: 9155de5b46d0595ab418ebab17a4fa1de10425d7
                                  SHA256: 88a15cf25bd3f541e41c911dd45e667a7a6b45e844a3f9f690dd9ff8c5566ba1
                                  SHA512: a55dedb29334f7eb5103fde98bff0c5f7ed0df3e8d79f83ff4f4dfc7dfe9e67e3188f2d2a86177f6825f56a2f233e60450fe8e8cbe35067e57c28ea6d1aaefd9

                                • C:\Users\Admin\Desktop\00271\Trojan-Ransom.Win32.Zerber.gqd-0ac405db120a8f54b15f0711941c31e64720b1d779fc254338846304d8073c06.exe
                                  Filesize: 358KB
                                  MD5: 8dd7aaba9b06fc405a85f8bfe851cdcc
                                  SHA1: ed2512715303b97fcd20678981667fd1b78424ed
                                  SHA256: 0ac405db120a8f54b15f0711941c31e64720b1d779fc254338846304d8073c06
                                  SHA512: f5f03285c1f478837becade505ddc478e3f718cba0f4afe48b75893e90f5d25d51ef271cc7f7c50c15c16c781c98b715f71466699dd17aabdabf2def3c0e476b

                                • C:\Users\Admin\Desktop\00271\VHO-Trojan-Ransom.Win32.Rack.gen-8a695887010a5b63787b92eec20992a2f5e1a1a3f48eb4b4bd7711313e24d13b.exe
                                  Filesize: 2.1MB
                                  MD5: d43fb2d224dfde0c8896efd2a45080aa
                                  SHA1: 1ec8ff5296278948ae79490c2e0883cd981b0e34
                                  SHA256: 8a695887010a5b63787b92eec20992a2f5e1a1a3f48eb4b4bd7711313e24d13b
                                  SHA512: ad7aa5bbc0ce79725bebc13adffba8fc49bbb7240ffae93729741a4805cba4223851b5fd3701d9d8094d4538c64bc90f2ede6367215a5b9b69772cbc7c4a0e89

                                • C:\Users\Admin\Favorites\Links for United States\Important Information.hta
                                  Filesize: 4KB
                                  MD5: 3e8740ee49a32f25e5f09393006f567f
                                  SHA1: d92cd85d517db8a3d30485309a5d508274f7ed29
                                  SHA256: 9092d56110596f1df2cf42c78ea9d8563743fb72363fd889deaa5aeab3d29880
                                  SHA512: d050ddb6aa1667484b55a9f0104a2806e3c75f38d8e1a0567603bd24fe3c83948d63e848b981cee49a466ce5244bd24302743758d698ca8de733547a04ba1bbf

                                • C:\Users\Public\Pictures\# DECRYPT MY FILES #.html
                                  Filesize: 12KB
                                  MD5: c21877c689e53a1e15e3e53e738fdbe1
                                  SHA1: 6f0fb499ab8a754621fdacec8fc5a75ce8a9eb23
                                  SHA256: 3d78f36278b3a094a8626bc29c806184e3530fde954dadc908b4fc5d6149d12d
                                  SHA512: 53628340d2fd3ea98932c76b607b0867a80b2d966d12e4a04b171a3347fcc8e801866dc8378a7c43d768fd9c235479e265e87f83e325804d54ac81b74062879f

                                • C:\Users\Public\Pictures\# DECRYPT MY FILES #.txt
                                  Filesize: 10KB
                                  MD5: a21f19db967fa04c0bee7a5db48caa53
                                  SHA1: 0f604af3925270eb00c7710ab479b21436e12668
                                  SHA256: dc7d8c6294b742996948df0daa54107f044a8116e8b2aac86114e4d3f9d0ce68
                                  SHA512: 2265f8d8ca8005143add85e376f4aedc2834e92063e5fc95e2529cacd73514fd2d2ffdbc4c574dbb7cd279bb383b6b9e16c549846d8bd88030547d95f4ce9bc1

                                • C:\Users\Public\Pictures\# DECRYPT MY FILES #.url
                                  Filesize: 83B
                                  MD5: c7a871593dfb5577de0ebc3ae0283b73
                                  SHA1: 292553643766ae9fc30f742a087dfd873e430925
                                  SHA256: 5dde0f178d0ad4c041aa5617a83b39f1ce5eb893777790f70e2e395e01932658
                                  SHA512: f470ca2198920e148560c18de5f5cbec7320dcc44c8bbc450ed37347b4d740c99bdc1833963854fea93af026044970e280a9765af619d3514ee5dc43c10bfb62

                                • C:\Users\Public\Pictures\# DECRYPT MY FILES #.vbs
                                  Filesize: 219B
                                  MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
                                  SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
                                  SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
                                  SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

                                • C:\Windows\Temp\ciSIQvB.GAuCAcLcSOk
                                  Filesize: 676KB
                                  MD5: f44127ace6c92e713e161165e2cf6264
                                  SHA1: f904f871fbfb026a253ce7447d4b571f3016f482
                                  SHA256: 02a608dc609df9882763b6d2c5d2eca0914a84097f4dce6fc70d6032e3692cb3
                                  SHA512: 857a8fb453924366e09de742efb79acab82903f59e06fe045d965ec1fd026cef1b55f4d1faf0d82bbf19a3b09b16ff8c8e11f37eef29eb5a12a65a56a37019d3

                                • C:\t+b7Lm9SocL2-W-4PlYnUeTpdFa2xmScKg.ur6532
                                  Filesize: 81KB
                                  MD5: e42cf5e1f4237fdb9809f247b87db990
                                  SHA1: eaa41e5ba2b61c15ada1bcd398d4c1cf02c36fe9
                                  SHA256: 522875ffc9dbdb74b45f46e8074259a6645c63967092e5a85d45d94b380de6a0
                                  SHA512: ca73605987aad69f9668f3359e5cfde58dd341cc0fd06df2f393e18d2e658e7a54415f05b2dee04b4b2485194a25f685f802dff4ebd8a797a292a7c78ccd4f2c

                                • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
                                  Filesize: 129B
                                  MD5: a526b9e7c716b3489d8cc062fbce4005
                                  SHA1: 2df502a944ff721241be20a9e449d2acd07e0312
                                  SHA256: e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
                                  SHA512: d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                • \Users\Admin\AppData\Local\Temp\nse9704.tmp\System.dll
                                  Filesize: 11KB
                                  MD5: 3e6bf00b3ac976122f982ae2aadb1c51
                                  SHA1: caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
                                  SHA256: 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
                                  SHA512: 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

                                • \Users\Admin\AppData\Local\Temp\nsz8317.tmp\System.dll
                                  Filesize: 11KB
                                  MD5: a4dd044bcd94e9b3370ccf095b31f896
                                  SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
                                  SHA256: 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
                                  SHA512: 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

                                • \Users\Admin\AppData\Local\Temp\nsz95AD.tmp\System.dll
                                  Filesize: 10KB
                                  MD5: bdfea57dac99a598e5f72ce5e6da274d
                                  SHA1: 01d68d9ae4df9eb8ebb4b61eb77b5777e628242f
                                  SHA256: 07b7bc1a60719d7e68778b1b5843b0505503f3ecba57fc526517daf990f0713c
                                  SHA512: e84294f062033869d78739a81a9b84a82c2f5d9783a042dd943dfd5cae073d2603d22c838d02b273b1ec856b0b2a36221a248d47878286a0ac7824e34c9d13b0

                                • memory/772-32-0x0000000140000000-0x00000001405E8000-memory.dmp
                                  Filesize: 5.9MB

                                • memory/772-31-0x0000000140000000-0x00000001405E8000-memory.dmp
                                  Filesize: 5.9MB

                                • memory/772-30-0x0000000140000000-0x00000001405E8000-memory.dmp
                                  Filesize: 5.9MB

                                • memory/1456-597-0x0000000000400000-0x00000000005DE000-memory.dmp
                                  Filesize: 1.9MB

                                • memory/1456-1044-0x0000000000400000-0x00000000005DE000-memory.dmp
                                  Filesize: 1.9MB

                                • memory/1804-125-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-109-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-115-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-113-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-117-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-119-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-121-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-94-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-123-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-127-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-129-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-131-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-133-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-135-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-137-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-139-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-111-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-95-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-141-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-143-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-97-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-107-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-105-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-103-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-145-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-147-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-99-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1804-101-0x0000000000360000-0x000000000037D000-memory.dmp
                                  Filesize: 116KB

                                • memory/1832-1019-0x0000000000400000-0x0000000000449000-memory.dmp
                                  Filesize: 292KB

                                • memory/1832-1108-0x0000000000400000-0x0000000000449000-memory.dmp
                                  Filesize: 292KB

                                • memory/2444-71-0x0000000000AE0000-0x0000000000B26000-memory.dmp
                                  Filesize: 280KB

                                • memory/2548-76-0x0000000000230000-0x0000000000330000-memory.dmp
                                  Filesize: 1024KB

                                • memory/2548-74-0x0000000000230000-0x0000000000330000-memory.dmp
                                  Filesize: 1024KB

                                • memory/2728-9604-0x0000000140000000-0x00000001405E8000-memory.dmp
                                  Filesize: 5.9MB

                                • memory/2728-10246-0x0000000140000000-0x00000001405E8000-memory.dmp

                                  Filesize

                                  5.9MB

                                • memory/2728-10245-0x0000000140000000-0x00000001405E8000-memory.dmp

                                  Filesize

                                  5.9MB

                                • memory/2728-9617-0x0000000140000000-0x00000001405E8000-memory.dmp

                                  Filesize

                                  5.9MB

                                • memory/2728-9616-0x0000000140000000-0x00000001405E8000-memory.dmp

                                  Filesize

                                  5.9MB

                                • memory/2728-10799-0x0000000140000000-0x00000001405E8000-memory.dmp

                                  Filesize

                                  5.9MB

                                • memory/2960-555-0x0000000002A60000-0x0000000002AA9000-memory.dmp

                                  Filesize

                                  292KB

                                • memory/2960-563-0x0000000002A60000-0x0000000002AA9000-memory.dmp

                                  Filesize

                                  292KB

                                • memory/3336-575-0x0000000000400000-0x00000000005DE000-memory.dmp

                                  Filesize

                                  1.9MB

                                • memory/3336-496-0x0000000000400000-0x00000000005DE000-memory.dmp

                                  Filesize

                                  1.9MB

                                • memory/4020-577-0x0000000002AF0000-0x0000000002B39000-memory.dmp

                                  Filesize

                                  292KB

                                • memory/4020-578-0x0000000000400000-0x0000000000449000-memory.dmp

                                  Filesize

                                  292KB
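The memory dump list above is easier to triage once the artifact names are parsed and cross-checked. The following Python is an added example, not part of the sandbox report or its tooling: it reads the name format as memory/<pid>-<event>-<start>-<end>-memory.dmp (an assumption drawn from the entries themselves), recomputes each region's size from the address range, checks it against the reported Filesize allowing for the report's rounding, merges repeated dumps of the same region, and flags regions that sit at a default PE image base. The sample entries are a constructed subset copied from the list above; the staged-image heuristic at the end is the author of this example's own rule of thumb, not a claim the report makes.

```python
"""Parse sandbox memory-dump artifact names and cross-check them against the
reported Filesize. Added example; the name format and the heuristics are
assumptions, not something the report documents."""
import re
from collections import defaultdict

# Assumed layout: memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<event>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Default ImageBase values used by the MSVC linker for 32- and 64-bit PEs.
DEFAULT_IMAGE_BASES = {0x400000: "32-bit PE default ImageBase",
                       0x140000000: "64-bit PE default ImageBase"}

# Constructed sample: a subset of (artifact name, reported Filesize) pairs from the list above.
SAMPLE = [
    ("memory/1804-135-0x0000000000360000-0x000000000037D000-memory.dmp", "116KB"),
    ("memory/1804-137-0x0000000000360000-0x000000000037D000-memory.dmp", "116KB"),
    ("memory/1832-1019-0x0000000000400000-0x0000000000449000-memory.dmp", "292KB"),
    ("memory/2444-71-0x0000000000AE0000-0x0000000000B26000-memory.dmp", "280KB"),
    ("memory/2548-76-0x0000000000230000-0x0000000000330000-memory.dmp", "1024KB"),
    ("memory/2728-9604-0x0000000140000000-0x00000001405E8000-memory.dmp", "5.9MB"),
    ("memory/2960-555-0x0000000002A60000-0x0000000002AA9000-memory.dmp", "292KB"),
    ("memory/3336-575-0x0000000000400000-0x00000000005DE000-memory.dmp", "1.9MB"),
    ("memory/4020-577-0x0000000002AF0000-0x0000000002B39000-memory.dmp", "292KB"),
    ("memory/4020-578-0x0000000000400000-0x0000000000449000-memory.dmp", "292KB"),
]


def parse_dump_name(name):
    """Split an artifact name into pid, event counter, start/end addresses and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted address range in {name}")
    return {"pid": int(m["pid"]), "event": int(m["event"]),
            "start": start, "end": end, "size": end - start}


def parse_filesize(text):
    """'5.9MB' -> (6186598.4, 52428.8): bytes and the rounding slack implied by the printed precision."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([KMG]?B)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Filesize: {text}")
    number, unit = m[1], UNITS[m[2]]
    decimals = len(number.split(".")[1]) if "." in number else 0
    slack = 0.5 * unit / 10 ** decimals      # half of the last printed digit
    return float(number) * unit, slack


def size_matches(region_size, reported):
    """True when the address-range size agrees with the reported Filesize within rounding."""
    reported_bytes, slack = parse_filesize(reported)
    return abs(region_size - reported_bytes) <= slack


def summarize(entries):
    """Merge repeated dumps of one (pid, start, end) region; keep event ids, size check and base flag."""
    regions = {}
    for name, reported in entries:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        r = regions.setdefault(key, {"pid": d["pid"], "start": d["start"], "end": d["end"],
                                     "size": d["size"], "events": [], "size_ok": True,
                                     "image_base": DEFAULT_IMAGE_BASES.get(d["start"])})
        r["events"].append(d["event"])
        r["size_ok"] = r["size_ok"] and size_matches(d["size"], reported)
    return list(regions.values())


def staged_image_pids(regions):
    """Heuristic (this example's own, not the report's): PIDs with a dumped region at a
    default image base plus an equally sized region elsewhere. A payload staged in a
    buffer and then written over the image is one way this arises; it is not proof."""
    by_pid = defaultdict(list)
    for r in regions:
        by_pid[r["pid"]].append(r)
    hits = []
    for pid, rs in sorted(by_pid.items()):
        at_base = {r["size"] for r in rs if r["image_base"]}
        elsewhere = {r["size"] for r in rs if not r["image_base"]}
        if at_base & elsewhere:
            hits.append(pid)
    return hits


def main():
    regions = summarize(SAMPLE)
    for r in sorted(regions, key=lambda r: (r["pid"], r["start"])):
        print(f"pid {r['pid']:>5}  0x{r['start']:09X}-0x{r['end']:09X}  {r['size']:>8} B  "
              f"dumps={len(r['events'])}  size_ok={r['size_ok']}  {r['image_base'] or ''}")
    print("staged-image candidates:", staged_image_pids(regions))


if __name__ == "__main__":
    main()
```

Running it over the full list rather than the sample is a matter of pasting more pairs into SAMPLE. The repeated dumps of one region (PID 1804's 0x360000 region, PID 2728's 0x140000000 region) collapse to a single row with an event list, which is usually what you want when deciding which dump to open first.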