Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 16:59

General

  • Target

    RNSM00278.7z

  • Size

    3.3MB

  • MD5

    e3c18bb148191204063824cc2e1729ef

  • SHA1

    f294d8334e112ed4aa598528b8e7e5840fb02c8c

  • SHA256

    2a68c74bf9430074297107fa0d4f1cd04b13d5a771b039a096dfbf4a9f38a50a

  • SHA512

    dc94d016b1cf638a81369e5b8cc96f543d5340e91f6cf991117b25c1e220dd77058c82989f0933c1a009c5012be4fa3e51dc225c0bc54e41be8fc5d5f81361a1

  • SSDEEP

    98304:67qAIObVOxYuSyWqz1eNKjZBx8GDsKHUbr46:8qpUcxDd1Xh8SIr46

Malware Config

Extracted

Family

gozi

Extracted

Path

C:\Users\Admin\Desktop\_HELP_HELP_HELP_LVCGITNQ.hta

Ransom Note
☑ English CERBER RANSOMWARE Instructions ☑ Select your language English العربية 中文 Nederlands Français Deutsch Italiano 日本語 한국어 Polski Português Español Türkçe Can't you find the necessary files? Is the content of your files not readable? It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware". It means your files are NOT damaged! Your files are modified only. This modification is reversible. From now it is not possible to use your files until they will be decrypted. The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor". Any attempts to restore your files with the third-party software will be fatal for your files! You can proceed with purchasing of the decryption software at your personal page: Please wait... http://p27dokhpz2n7nvgr.15nhsf.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.14gmtu.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1321z6.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.16ay2s.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1dp6un.top/EFA9-5EFB-D661-0091-C116 If this page cannot be opened click here to get a new address of your personal page. If the address of your personal page is the same as before after you tried to get a new one, you can try to get a new address in one hour. At this page you will receive the complete instructions how to buy the decryption software for restoring all your files. Also at this page you will be able to restore any one file for free to be sure "Cerber Decryptor" will help you. 
If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser: run your Internet browser (if you do not know what it is run the Internet Explorer); enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site loading; on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; run Tor Browser; connect with the button "Connect" (if you use the English version); a normal Internet browser window will be opened after the initialization; type or copy the address http://p27dokhpz2n7nvgr.onion/EFA9-5EFB-D661-0091-C116 in this browser address bar; press ENTER; the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. Additional information: You will find the instructions ("*HELP_HELP_HELP*.hta") for restoring your files in any folder with your encrypted files. The instructions "*HELP_HELP_HELP*.hta" in the folders with your encrypted files are not viruses! The instructions "*HELP_HELP_HELP*.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions. لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. 
الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار... http://p27dokhpz2n7nvgr.15nhsf.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.14gmtu.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1321z6.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.16ay2s.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1dp6un.top/EFA9-5EFB-D661-0091-C116 في حالة تعذر فتح هذه الصفحة انقر هنا لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر); قم بكتابة أو نسخ العنوان https://www.torproject.org/download/download-easy.html.en إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER; انتظر لتحميل الموقع; سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت; قم بتشغيل متصفح Tor; اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية); سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء; قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/EFA9-5EFB-D661-0091-C116 في شريط العنوان في المتصفح; اضغط ENTER; يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى. إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة https://www.youtube.com واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. معلومات إضافية: سوف تجد إرشادات استعادة الملفات الخاصة بك ("*README*") في أي مجلد مع ملفاتك المشفرة. 
الإرشادات ("*README*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*README*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. 您找不到所需的文件? 您文件的内容无法阅读? 这是正常的,因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏!您的文件只是被修改了,这个修改是可逆的,解密之前您无法使用您的文件。 安全解密您文件的唯一方式是购买特别的解密软件“Cerber Decryptor”。 任何使用第三方软件恢复您文件的方式对您的文件来说都将是致命的! 您可以在您的个人页面上购买解密软件: 请稍候... http://p27dokhpz2n7nvgr.15nhsf.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.14gmtu.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1321z6.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.16ay2s.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1dp6un.top/EFA9-5EFB-D661-0091-C116 如果这个页面无法打开,请 点击这里 生成您个人页面的新地址。 您将在这个页面上看到如何购买解密软件以恢复您的文件。 您可以在这个页面使用“Cerber Decryptor”免费恢复任何文件。 如果您的个人页面长期不可用,有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器: 使用您的上网浏览器(如果您不知道使用 Internet Explorer 的话); 在浏览器的地址栏输入或复制地址 https://www.torproject.org/download/download-easy.html.en 并按 ENTER 键; 等待站点加载; 您将在站点上下载 Tor 浏览器;下载并运行它,按照安装指南进行操作,等待直至安装完成; 运行 Tor 浏览器; 使用“Connect”按钮进行连接(如果您使用英文版); 初始化之后将打开正常的上网浏览器窗口; 在浏览器地址栏中输入或复制地址 http://p27dokhpz2n7nvgr.onion/EFA9-5EFB-D661-0091-C116 按 ENTER 键; 该站点将加载;如果由于某些原因等待一会儿后没有加载,请重试。 如果在安装期间或使用 Tor 浏览器期间有任何问题,请访问 https://www.baidu.com 并在搜索栏中输入“怎么安装 Tor 浏览器”,您将找到有关如何安装洋葱 Tor 浏览器的说明和教程。 附加信息: 您将在任何带有加密文件的文件夹中找到恢复您文件(“*HELP_HELP_HELP*.hta”)的说明。 带有加密文件的文件夹中的(“*HELP_HELP_HELP*.hta”)说明不是病毒,(“*HELP_HELP_HELP*.hta”)说明将帮助您解密您的文件。 请记住,最坏的情况都发生过了,您的文件还能不能用取决于您的决定和反应速度。 Kunt u de nodige files niet vinden? Is de inhoud van uw bestanden niet leesbaar? Het is gewoonlijk omdat de bestandsnamen en de gegevens in uw bestanden zijn versleuteld door “Cerber Ransomware”. Het betekent dat uw bestanden NIET beschadigd zijn! Uw bestanden zijn alleen gewijzigd. Deze wijziging is omkeerbaar. Vanaf nu is het niet mogelijk uw bestanden te gebruiken totdat ze ontsleuteld zijn. 
De enige manier om uw bestanden veilig te ontsleutelen is door de speciale ontsleutel-software “Cerber Decryptor” te kopen. Elke poging om uw bestanden te herstellen met software van een derde partij zal fataal zijn voor uw bestanden! U kunt op uw persoonlijke pagina de ontsleutel-software kopen: Even geduld aub... http://p27dokhpz2n7nvgr.15nhsf.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.14gmtu.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1321z6.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.16ay2s.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1dp6un.top/EFA9-5EFB-D661-0091-C116 Als deze pagina niet geopend kan worden klik dan hier om een nieuw adres aan uw persoonlijke pagina toe te voegen. Op deze pagina zult u de complete instructies ontvangen hoe u de ontsleutel-software kunt kopen om al uw bestanden te herstellen. Op deze pagina kunt u ook één file gratis herstellen om u ervan te verzekeren dat “Cerber Decryptor” u zal helpen. Als uw persoonlijke pagina langere tijd niet beschikbaar is, is er een andere manier om uw persoonlijke pagina te openen – het installeren en gebruiken van Tor Browser: start uw internet browser (als u niet weet welke dat is, start dan Internet Explorer); voer het adres in of kopieer het adres https://www.torproject.org/download/download-easy.html.en in de adresbalk van uw browser en druk op ENTER; wacht totdat de site laadt; op de site wordt u aangeboden om de Tor Browser te laden; downloadt het en voer het uit, volg de installatie instructies, en wacht totdat de installatie compleet is; voer Tor Browser uit; maak verbinding met de knop “Connect” (als u de Engelse versie gebruikt); een normale Internet browser zal openen na de installatie; typ of kopieer het adres http://p27dokhpz2n7nvgr.onion/EFA9-5EFB-D661-0091-C116 in de adresbalk van uw browser; druk ENTER; de site zou moeten laden; als om enige reden de site niet laadt, wacht dan even en probeer opnieuw. 
Indien uw problemen heeft tijdens de installatie of het gebruik van Tor Browser, ga dan naar https://www.youtube.com en typ in de zoekbalk “install tor browser windows” en u zult een heleboel training video’s vinden over de installatie en het gebruik van Tor Browser. Aanvullende informatie: U vindt de instructies om uw bestanden te herstellen (“*HELP_HELP_HELP*.hta”) in elke folder met uw versleutelde bestanden. De instructies (“*HELP_HELP_HELP*.hta”) in de folders met uw versleutelde bestanden zijn geen virussen, de instructies (“*HELP_HELP_HELP*.hta”) zal u helpen uw bestanden te ontsleutelen. Denk eraan, het ergste is al gebeurd en de toekomst van uw bestanden hangt af van uw vastberadenheid en de snelheid van uw acties. Vous ne trouvez pas les fichiers necessaires? Le contenu de vos fichiers n’est pas lisible? C’est normal car les noms des fichiers et des donnees dans vos fichiers ont ete cryptes par «Cerber Ransomware». Cela signifie que vos fichiers ne sont PAS endommages! Vos fichiers sont seulement modifies. Cette modification est reversible. A partir de maintenant, il n’est plus possible d’utiliser vos fichiers jusqu'a ce qu’ils soient decryptes. La seule facon de decrypter vos fichiers en toute securite est d’acheter le logiciel de decryptage special «Cerber Decryptor». Toute tentative visant a restaurer vos fichiers avec le logiciel tiers sera fatale pour vos fichiers! Vous pouvez proceder a l’achat du logiciel de decryptage sur votre page personnelle: S'il vous plaît, attendez... http://p27dokhpz2n7nvgr.15nhsf.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.14gmtu.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1321z6.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.16ay2s.top/EFA9-5EFB-D661-0091-C116http://p27dokhpz2n7nvgr.1dp6un.top/EFA9-5EFB-D661-0091-C116 Si vous ne pouvez pas ouvrir cette page cliquez ici pour generer une nouvelle adresse pour votre page personnelle. 
A cette page, vous recevrez les instructions completes sur la facon d'acheter le logiciel de decryptage pour la restauration de tous vos fichiers. Egalement a cette page, vous serez en mesure de restaurer n’importe quel fichier gratuitement pour etre sur que «Cerber Decryptor» vous aidera. Si votre page personnelle n’est pas disponible pendant une longue periode il y a une autre facon d’ouvrir votre page personnelle - installation et utilisation de Tor Browser: executez votre navigateur Internet (si vous ne savez pas ce que c’est, lancez Internet Explorer); saisissez ou copiez l’adresse https://www.torproject.org/download/download-easy.html.en dans la barre d’adresses de votre navigateur et appuyez sur ENTREE; attendez que le site charge; sur le site, il vous sera propose de telecharger Tor Browser; Telechargez et executez-le, suivez les instructions d’installation, attendez que l’installation se termine; lancez Tor Browser; connectez-vous avec le bouton «Connect» (si vous utilisez la version anglaise); une fenetre du navigateur Internet normale sera ouverte apres l’initialisation; tapez ou copiez l’adresse http://p27dokhpz2n7nvgr.onion/EFA9-5EFB-D661-0091-C116 dans cette barre d’adresse de navigateur; appuyez sur ENTREE; le site doit etre charge; Si pour une raison quelconque, le site ne se charge pas, attendez quelques instants et reessayez. Si vous avez des problemes pendant l’installation ou l’utilisation de Tor Browser, veuillez visiter https://www.youtube.com et saisir la demande dans la barre de recherche « installer la fenetre tor browser » vous y trouverez de nombreuses videos de formation sur l'installation et l'utilisation de Tor Browser. Informations supplementaires: Vous trouverez les instructions pour la restauration de fichiers («*HELP_HELP_HELP*.hta») dans n’importe quel dossier contenant vos fichiers cryptes. 
Les instructions («*HELP_HELP_HELP*.hta») dans les dossiers contenant vos fichiers cryptes ne sont pas des virus, les d’instructions («*HELP_HELP_HELP*.hta») vous aideront a decrypter vos fichiers.
URLs

http://p27dokhpz2n7nvgr.15nhsf.top/EFA9-5EFB-D661-0091-C116
http://p27dokhpz2n7nvgr.14gmtu.top/EFA9-5EFB-D661-0091-C116
http://p27dokhpz2n7nvgr.1321z6.top/EFA9-5EFB-D661-0091-C116
http://p27dokhpz2n7nvgr.16ay2s.top/EFA9-5EFB-D661-0091-C116
http://p27dokhpz2n7nvgr.1dp6un.top/EFA9-5EFB-D661-0091-C116

http://p27dokhpz2n7nvgr.onion/EFA9-5EFB-D661-0091-C116

https://www.baidu.com

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

  • Locky family
  • Locky_osiris family
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware family spread by malspam.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (606) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 13 IoCs
  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Sets desktop wallpaper using registry 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1212
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00278.7z"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1736
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\Desktop\00278\Trojan-Ransom.NSIS.Xamyh.kxk-64fbaa750a20ae7cc12cb21e6e409e4d267068417925494fca7405d1cef5e65d.exe
        Trojan-Ransom.NSIS.Xamyh.kxk-64fbaa750a20ae7cc12cb21e6e409e4d267068417925494fca7405d1cef5e65d.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: MapViewOfSection
        PID:2728
        • C:\Users\Admin\Desktop\00278\Trojan-Ransom.NSIS.Xamyh.kxk-64fbaa750a20ae7cc12cb21e6e409e4d267068417925494fca7405d1cef5e65d.exe
          Trojan-Ransom.NSIS.Xamyh.kxk-64fbaa750a20ae7cc12cb21e6e409e4d267068417925494fca7405d1cef5e65d.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          PID:708
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            5⤵
            • Adds policy Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1816
      • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Blocker.hrft-83dd335bbc978eb05c4933fa3ea1301740c9d7754068b3de8facf58442171760.exe
        Trojan-Ransom.Win32.Blocker.hrft-83dd335bbc978eb05c4933fa3ea1301740c9d7754068b3de8facf58442171760.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Users\Admin\AppData\Local\Temp\FB_4D84.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\FB_4D84.tmp.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1344
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 768
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2248
      • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Cryptor.gw-b1cb04416c7391d98166ff259bc3a33dbfe0a4e526466b5d30f54b6b78a5c22f.exe
        Trojan-Ransom.Win32.Cryptor.gw-b1cb04416c7391d98166ff259bc3a33dbfe0a4e526466b5d30f54b6b78a5c22f.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2948
        • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Cryptor.gw-b1cb04416c7391d98166ff259bc3a33dbfe0a4e526466b5d30f54b6b78a5c22f.exe
          "C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Cryptor.gw-b1cb04416c7391d98166ff259bc3a33dbfe0a4e526466b5d30f54b6b78a5c22f.exe"
          4⤵
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:2380
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:3284
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3284 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3128
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysC062.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3184
      • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Foreign.njoy-703f9eae4f2b62cc0ca7a2d0a8f34da2853121b232e5a0e220ff72f13f5ad303.exe
        Trojan-Ransom.Win32.Foreign.njoy-703f9eae4f2b62cc0ca7a2d0a8f34da2853121b232e5a0e220ff72f13f5ad303.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\96F2\CB79.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\DDAC3dlg\bitspntw.exe" "C:\Users\Admin\Desktop\00278\TROJAN~4.EXE""
          4⤵
          • System Location Discovery: System Language Discovery
          PID:380
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\DDAC3dlg\bitspntw.exe" "C:\Users\Admin\Desktop\00278\TROJAN~4.EXE""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:836
            • C:\Users\Admin\AppData\Roaming\MICROS~1\DDAC3dlg\bitspntw.exe
              "C:\Users\Admin\AppData\Roaming\MICROS~1\DDAC3dlg\bitspntw.exe" "C:\Users\Admin\Desktop\00278\TROJAN~4.EXE"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:1640
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe
                7⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                PID:2796
      • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.GenericCryptor.jnu-2175329f4ed46df9f13ed8b80ffbe82ae4df5c24323ab50a1c197ab51b36ae78.exe
        Trojan-Ransom.Win32.GenericCryptor.jnu-2175329f4ed46df9f13ed8b80ffbe82ae4df5c24323ab50a1c197ab51b36ae78.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2740
        • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.GenericCryptor.jnu-2175329f4ed46df9f13ed8b80ffbe82ae4df5c24323ab50a1c197ab51b36ae78.exe
          Trojan-Ransom.Win32.GenericCryptor.jnu-2175329f4ed46df9f13ed8b80ffbe82ae4df5c24323ab50a1c197ab51b36ae78.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2160
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_HELP_HELP_HELP_LVCGITNQ.hta"
            5⤵
            • Blocklisted process makes network request
            • System Location Discovery: System Language Discovery
            PID:2072
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            PID:1996
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im "Trojan-Ransom.Win32.GenericCryptor.jnu-2175329f4ed46df9f13ed8b80ffbe82ae4df5c24323ab50a1c197ab51b36ae78.exe"
                6⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1960
              • C:\Windows\system32\PING.EXE
                ping -n 1 127.0.0.1
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2092
        • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Locky.aeqw-df0072204b63b2eed626d88921a20e8bf9702b638e36971a279b8959f890a5df.exe
          Trojan-Ransom.Win32.Locky.aeqw-df0072204b63b2eed626d88921a20e8bf9702b638e36971a279b8959f890a5df.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Locky.aeqw-df0072204b63b2eed626d88921a20e8bf9702b638e36971a279b8959f890a5df.exe
            C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Locky.aeqw-df0072204b63b2eed626d88921a20e8bf9702b638e36971a279b8959f890a5df.exe
            4⤵
            • Executes dropped EXE
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            PID:2984
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:2628
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2692
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys1DDD.tmp"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:900
        • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Locky.xey-06ba734b49a3da926c18f3434173981b012a9ecd41f1e45196140b6d41360da7.exe
          Trojan-Ransom.Win32.Locky.xey-06ba734b49a3da926c18f3434173981b012a9ecd41f1e45196140b6d41360da7.exe
          3⤵
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2692
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:1948
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2484
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysC523.tmp"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2448
        • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Locky.xfq-7e3cffc3e1b735a1ed22fda7204fdefcab0a717be43864cc395cf77f34360cd5.exe
          Trojan-Ransom.Win32.Locky.xfq-7e3cffc3e1b735a1ed22fda7204fdefcab0a717be43864cc395cf77f34360cd5.exe
          3⤵
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2704
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:4016
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4016 CREDAT:275457 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2020
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysCF60.tmp"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4080
        • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Shade.lnm-7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e.exe
          Trojan-Ransom.Win32.Shade.lnm-7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: MapViewOfSection
          PID:2724
          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Shade.lnm-7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e.exe
            Trojan-Ransom.Win32.Shade.lnm-7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1616
        • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Zerber.fdxn-3db0ccba8fb83e1f5b4511b4d5e40efb55ba2ddca785bc7a5f186c5224e8df09.exe
          Trojan-Ransom.Win32.Zerber.fdxn-3db0ccba8fb83e1f5b4511b4d5e40efb55ba2ddca785bc7a5f186c5224e8df09.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Zerber.fdxn-3db0ccba8fb83e1f5b4511b4d5e40efb55ba2ddca785bc7a5f186c5224e8df09.exe
            Trojan-Ransom.Win32.Zerber.fdxn-3db0ccba8fb83e1f5b4511b4d5e40efb55ba2ddca785bc7a5f186c5224e8df09.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2288
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\N159GW5N--SRMB--Q78Z--87B238B6--9764BF3CE8F3.osiris
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        PID:2056
        • C:\Windows\system32\mspaint.exe
          "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\N159GW5N--SRMB--Q78Z--87B238B6--9764BF3CE8F3.osiris"
          3⤵
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2224
      • C:\Windows\system32\cmd.exe
        cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\92B1.bi1"
        2⤵
        PID:2140
        • C:\Windows\system32\nslookup.exe
          nslookup myip.opendns.com resolver1.opendns.com
          3⤵
          PID:3020
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\92B1.bi1"
        2⤵
        PID:2000
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:1040
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:1520
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:2292
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:3272

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\OSIRIS-5d36.htm

            Filesize

            8KB

            MD5

            8320983488033acd5a4c055b51bbd2cd

            SHA1

            4369f98cb04053054bc1534809c36d15a506312d

            SHA256

            f2c5c7de6182e2985bfc3a413d40ae2f14c9b6d3b2979c1131c44e76da23f920

            SHA512

            28628b94ce1796a467b9c7cffde513ce2473cfb9e435159867293bb1f68470b973a81e54a68d5e5b51ee5288c0eb1fc9a25777110cd7749fef9b190eeabf6339

          • C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\OSIRIS-7c2d.htm

            Filesize

            8KB

            MD5

            6571f205e5b112f765205ebee0a2a10c

            SHA1

            e3faf875fe6012347e265d33163e85c2b6874866

            SHA256

            010e19e7dcc3257f3b62ae26212b8aa7b0a9cf391c612fa6edf45d5c9b36b0be

            SHA512

            6100864da29fc1d24a13747995171d497605b4ced6d734c588113c0e82749daace15cce7aa7aa5cc62dabf9897874e70ef549fb7e119763b3c68d365714be075

          • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\OSIRIS-81f5.htm

            Filesize

            7KB

            MD5

            564ccaefde5b25aa4008c7659cd7eedc

            SHA1

            8eed6be27231bb79cce2eb8ae94e8d52adf22212

            SHA256

            4b81eb2b96284165da1633262fe958e9510d537292aa87bdfaaec890a22de4d7

            SHA512

            5aa67d3560a1dd326434aa7064053adfbac9d4c4f77a179109071b0767061169f5785ed1265d8f99791bf62b861714e6d485074a19d9137fd3edaf0a15ddfa84

          • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\OSIRIS-b468.htm

            Filesize

            8KB

            MD5

            a4c8c115e77087781f223a40fa7f36de

            SHA1

            b00fa1e1337f74aac72305644865633278c4014f

            SHA256

            cde7e5ba625bb19066464b0c99208227a30346264277de11c19d3c4a21f5941a

            SHA512

            0007d485ec941077417cfdcde0a21c02b865b4c6a5f0634393ce4c91ffa9173160603dc107dcfae0623cb05c0e4b8e54e627b98b34712fa0fac712ce294df934

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            cf70983ce18264bc536648a67e4d08f4

            SHA1

            b5b1d71db64c6d17f2c0b0c523a49e46f4f28998

            SHA256

            0ad3f74944af6b0bd90f852401678e87f138959c65faada10268d94a0f2d47ea

            SHA512

            1de59544a6a1892aab58b96c43b1dd9a77df9b673f01a43feddeae8d0d3429bdd72a70dbe6adddf52241a7c7cc82c66c1ade3674a7ff0f751b8664be1c0f2696

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            a58be3801f43e32a801a7952cb5311d9

            SHA1

            4539e40e2526602161d361dff096f805070266fb

            SHA256

            895e5420c927a08efc09cc8a8501f374581a6778f026023b2be74db8ce899eb5

            SHA512

            628fe89679af307b4248f3f00eda19c30fa581c49ad37b2c53533f4eef97e25903c8b4a7c6bc8d0b5962ba8178e13a86f3ca44858045420c0a514fbcb6090756

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            ceee8ae3a8d2e4993f0a62134071f72b

            SHA1

            b994b70cd0b370ef3c961a5e13ed5adb32bc8f02

            SHA256

            a0e0c3e58576b71a877b1e041be2bac778b903678608f40b48003a5c02059f67

            SHA512

            95655108a971c932ce0324e78f76a95d54b1c927999766113097f51f59b58843b47440bea8aae0c643c5098fa1c5d2440c06781d1cceb765bd32643658ed98de

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            0133d4a4a7d9aa6c74fe9b0185e4fe42

            SHA1

            0ca61155afd083488ba4e3b057060a017f35e734

            SHA256

            8bea7ed9dfc1821b77498dd341f02e904848c80b1974b47882bd1e86c8d2e396

            SHA512

            ecaf8e7d0ff26a103db729353ff5d729d032c4cd819a302d69a01677bbf3cd8b272425c25c769c093b5c348b535cc2ca5ccc89c791e49661d54bfe0465ea2403

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            a7260338206074091fcd1f5dabf2b979

            SHA1

            fa39872477907b38100a3a5ce8586d118673e650

            SHA256

            e709ae81a962ad45a5a3fdac141506ecea18ae033febd1ddcfa98e5e81880db1

            SHA512

            150e51b053ffdfefb2e59962367b571cae72371886554055d38fcffbb40e50a1b0db172de0f5bf9727dbc014bc00c79f523c32f66c9b834dcc88b3df76003a15

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            366d131d6ffaefedf10087101c81e200

            SHA1

            e8c5b78cfbb84b501efc63c93f1770f554b639da

            SHA256

            7f2fb07a903da1da5ca8318afb26cc5e6d1d86b62250a13c306b2fe9a236d2bd

            SHA512

            63eb517943daff42ae5299979bb4666f6eb0f7fab414651920553839e184ff9a11bc6d5d5c23b6db7798ceca3d70aa57b5f290c67e1ae312e6e039cdd0f5c15b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            f5d88c4084868821480c7c64891e57b4

            SHA1

            d387d8858183b31ff6547e968edb4842ee404a44

            SHA256

            a922cd066f8be08dcc5a7e2810990bda186345c9db248be3cb79a51970e13fb7

            SHA512

            800048a2947e4a33e212f65230635db230fe5e29f0bc1066b6f84ee094b7a7319e0e077e435837a84738a4b757625d5744c4123b2ae7359cf4818b6483c07bd7

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            ce5ce193cbf5ea240bd27453493a2d93

            SHA1

            30b6be91e49d6c2c79a0593975ca8f2577a6b8de

            SHA256

            d56edd7bf8c51cd85070c11d384ab1fb54d40f42dd6af737b95856707e46a0c9

            SHA512

            225a02e44e4e6f7e317aa02f5ae4d49f84b3045885c988c853b860cdee45319591abd59369ec378b1128354d300e099bad96cf958479e32a739d64fd3b340b69

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            203444118e8dd75d75efbae5bb665bd4

            SHA1

            17641afd5fdb03d66c8c518742083dac20ae3553

            SHA256

            ed4471634d895d3da4b3e8cb86ed6f79018b1e94497dfba345403f8a6af42d7f

            SHA512

            2c79087b4bd9cbc75088696fb096b16d53d573b3e6f703ab99bef2100e201bbec5b7b2c9649b878f4d5d31635bb1b8e8ce4ac9454069893a0d7d912f17e31063

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            307cc4fa88e3a2eeb75358ddce736bdd

            SHA1

            bf4192375ec448d99f24834db07a8eeb139119f0

            SHA256

            27b9f0f6d1ad04e387aa8336f0257216acdd5fd086db16ab9777226f57ea4771

            SHA512

            a0e671d97c3c0c098f07097aed83c55e8eaaffceca1dfdf65713fe646ed65caa45fb78d27a51cc4ef964815cd2559181d219736c671e7c9dc426751fe1b509eb

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            f55d593adab153614a1bfcf5f1c18025

            SHA1

            b496e85672384d536d78670e7d5874ad1ce6b727

            SHA256

            296c620710af782a13726f99b7af7287fbd606792505d58387e656aa3c8fc892

            SHA512

            b565251143c1dfe0a351826ce2b25460a5e8084b306b5f987e5f2a9aeaee531228fb6a762520feca7e68428543ea367bda378d173cb350ce96c4f08af873f049

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            a1b6f7d96418ec50a79eb957e6af96ac

            SHA1

            92b1b0b033ac3803dfc7891f5cc55700327bc1d2

            SHA256

            5917b7f666374d64b63a729b794d215e33bb549ad5d1a9082049a88771b80e28

            SHA512

            b11aa15945ea8ed0ec52479b2343a5b5da6d3dbfb5794e168f437a1574568595dd9c037a0a62720fe1bdf085588cc2fa0e782028581017a2e45060430164c8e0

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            1c79fbfb1d8d6cc45bf70d31d57c2778

            SHA1

            898c3b72de553255d2a90bf056338113a0987552

            SHA256

            6fcfc1cdcb1d3318b72061e0187e70f9e199a561040b25ba206f1836a2d6b571

            SHA512

            a87aa34728bbafe975a44def66d7bcfbc4c3f78e64fda50e9932324f83fdd884734200c49ec347e7dff62eff1a0431933f243625c54aa8c96cae89017c7ff308

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            46abe3e383ef473af5dc110f61451d4b

            SHA1

            397404f17185b482232b096ae6be27b5501511b9

            SHA256

            a6b08dec11be1aba78ff79eab9a80f1469009e6ccd2c292328100a6934c33000

            SHA512

            a635ca58626f8f5cb7765288977fa9aa82453e882e75410358aba3146f505d6ac557e787f4843d80ba18abb0cc5cd35ae236616c719ed95d346fd984358ad051

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            3692c9f409c81b9d1cf504ba2b7d722f

            SHA1

            68459ec28a2dd576b412c9cd50d7b5a9d886e60c

            SHA256

            f6a709bd531b139e10851c14aa9a1da04b4bb29e0bd53e3e39f32ef67e96d1e9

            SHA512

            78dded00709c8bca7f9102611b9311cd59a9a007a85b800e1ba1c9ced14b9ba41752ad013d048ad9ef050ac5e549a04988f98b0d274d3c7c5c67f2acb04700b9

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            4cf5e40ee4ded5aa2fe2f7c50e744459

            SHA1

            9c8590343beb6d948a5c6bfbdc1e18bc5f722428

            SHA256

            c8ba32d25648d1fd171518ed8999e1e037853f5362df514b01c82211f17b8221

            SHA512

            65396bbdd3561baf112c5173e095b42f7b0ec516046f9baf57c2ee59747e00199aac21d58f7364f012fbceeb08e7afa8b04629a02125924583c17bc07d9574d6

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            ee034901782be801743fdfbbfd6c2ebf

            SHA1

            b00e49171ca95e3b076b8df01a12b59d110b33f2

            SHA256

            aa751496a034c3c3582f4b9a7c77938a85b38f9be0f96dd164d3ba1f0ddc40b0

            SHA512

            088ab8c1c7fc47daee61f94c62d6e7a0a930e89b35e3dd1cc785e97a5daadcba08322fcae5e623f21e69849269bbdb8c44ff33909815cce8bbf5ab7d8b1fcd21

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            2dbdbc4fb164aa952c004884a6d05212

            SHA1

            0301a2d5238952c367681adaca2ae029d0f0a5a1

            SHA256

            a8afdce846b004425a6aa20c4df7b893e327fce8bb09373bf46940b27a5dc125

            SHA512

            d204f1136ac512e5986b0ab06bc1335762fd83a99e58b098434cf41f6a940aa070200080f289815f5684fce3f98a7685d528d4d84c4b5134ccf499eb68b4d808

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            38810ed3379ee77cbe6845d4a0697be0

            SHA1

            4a8c12eaf004fcb8a3ec27ee4ce66c975704505b

            SHA256

            85cadedc56f671ac22f65425f36e0577082f20816be110291270a6d7940f4e73

            SHA512

            139810d75e4b715150ebf44a9eab5ba4c22a9b9d28e6227cf207a55af1b69fd0b8f1e4698f288705364bf5f972cfecffe213dfb110d79c54cda65ba342c478b7

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            1362de5e5c46b29c8bd3d61ec369ff4e

            SHA1

            b378f652e90a79c7a8e7a9268def298e9edbe3a8

            SHA256

            314933884af356dee52dd2fe6d5ad508b141a3e88346dfe6b29f595e93e92fdd

            SHA512

            4f8d99d1cae55e59ef8e469160db03f89eacc99e0d496193bdd9abf758babf2ddc7112c0ace7dd205b7aaa64f7e17fba138ef24c853e5e411f8a35d3745ee607

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            4fc2993923ddf98641a6ba1247f2a4c0

            SHA1

            1a9b4c7b5288e4ffb49001a1516d4518f3ee1981

            SHA256

            8f315850136aefba8a0bb35c656e907eab38d5bac98a715d3a0884a2cfa16761

            SHA512

            a61cd7b49da9ea9a78c8d0219d9b29c5988fb6564086cfbd255396c8b19779e50ac73917bcc0a0d53f712f43ad1c4d148d3095311e7090866ce4df6edd122eea

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

            Filesize

            1KB

            MD5

            5fdd84abdc7833475907fdc4361336d2

            SHA1

            4715d47ce1824e8a2a9ff524ccb5f0960e4a442b

            SHA256

            66a02f95fb457b2c45a62f2fd2083eb2536ef04487a28017f9d5556a601bbd35

            SHA512

            2748d0c1f123ba2bc9b4a3a8484610fa237831e37086fb82110a0b61ec66d3bc47074d05cf4fb08b5fe483cfa3d28ea9f3e4bae6497f49f7fa20a154f29528d5

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

            Filesize

            1KB

            MD5

            dcd465d69e9bc0290caf07bab558a78e

            SHA1

            321f132493a4650328050f3269f00fb7793551f9

            SHA256

            f7ba29aeab66e013f2b9a8b0a1a61fdd46e48bacf62cb9e1f7bf8c57dd0863e7

            SHA512

            9ae4189ad61d21b6bdc6e55fec2fecf367c3b4a2ae27046cff17d993c4c69c522a23a0d425dd05d0a30a93e4bd2cc8029b1a2f30fbde6d11f8b0756285d90297

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

            Filesize

            1KB

            MD5

            dc922408f02788b4e3a7cc1d3c34f6d2

            SHA1

            1e07a3ec9de22aabe5eff9d9840e1e90299bcc70

            SHA256

            40514c76f58ddbdc20de77c8ad9faf34b17948b3105f6a7ce8afb842dfd8d3c0

            SHA512

            fbe1379a816e94216aa88f6f2d7ca13286a929dc5b975c2e90c406da1346e5f3d7c4ea90794d9101237fea972b94086a048c348a60cb9622b3628551d2e6d0a0

          • C:\Users\Admin\AppData\Local\Temp\96F2\CB79.bat

            Filesize

            112B

            MD5

            105ef0e3860a62d96451dda65cef297c

            SHA1

            ac2eeccf489333bd810580165ae94974e668204b

            SHA256

            436d0ded8c6877ab243d78480432a345648e88f09d9fbc0c7ed06f4cba1e1ac3

            SHA512

            dac057888d6546f425066786024ed27f927dcd3764b2322f5eaa3418e87a20081aa2ffd14d40fda81252cdcea816684bfbcbae8440345543f394212cb2ef8947

          • C:\Users\Admin\AppData\Local\Temp\9d81b961\0275.tmp

            Filesize

            130B

            MD5

            8185c67ec0ecd01e984a6ca0cd583a57

            SHA1

            6dcf65464bd4d7b9378494e18d1827ec060121c3

            SHA256

            d2bf1438877f8eb8d29b08f0b1630f96025efcd60efcc183a9a91685854f0ce9

            SHA512

            870e60d06f0a43edce16d50944cf8dd762164748fac8b62daf9ce832608b6c23d89e7dc3be8cb8c74deb5988991b4b1cf6694bc47f8fef941e8fec03d218a8af

          • C:\Users\Admin\AppData\Local\Temp\9d81b961\4281.tmp

            Filesize

            344B

            MD5

            28726ccd19444143b2f2022e4f2ce2a6

            SHA1

            5151ab14d71086bf61fdad74c6b7ca66777002d7

            SHA256

            c1cbe5d6d593290169dce1ecc668371b6e55fdf264ac9383b46131acc6e7a0a4

            SHA512

            ebb1cbf393c0d7eaea6788be4e77d3b0dcdc2c128b8cec962e4df02ca1e078273ecdef66cc495080ef0de0a534d223b6576f05a9a9108a1e0eb5a7af83f16f34

          • C:\Users\Admin\AppData\Local\Temp\CabDB82.tmp

            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\Local\Temp\FB_5735.tmp.jpg

            Filesize

            258KB

            MD5

            a170129c54dc03a8c08aeb62658ea160

            SHA1

            294578290c921aeebdb890a42f539dde1503c08a

            SHA256

            24f743c6291c4d5be1aeb7875b1bfe7817cbf0dc06a6217f7ca4b0acee0d32b9

            SHA512

            65b4463ce07cced7371a73b869846a7f40256e0775bfa761f84a14c38c39ff18b6eb0db0e7e3529b513a3c88cbd57e8de877fcac1c761e978bd5ed1ad520f7ae

          • C:\Users\Admin\AppData\Local\Temp\TarDBA5.tmp

            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          • C:\Users\Admin\AppData\Local\Temp\~DF2C52F9A6BA2889AE.TMP

            Filesize

            20KB

            MD5

            f6d87bc59e8ea649608e5f3498d55156

            SHA1

            5f9d66f88018f5292dcafd16c1fba8174995b32d

            SHA256

            a3b393e8a08ceb03bbf7662baf586978bba74e38188bdacc169fcf5a65197c1d

            SHA512

            3ecd1aebee4006e46a451e08aafa219b823561b49ec3f82d00ad5fa25e3771e0634cf8b6cfae730ca7114000b5aed79f41b332d933522627693a6f2004d2dd68

          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1163522206-1469769407-485553996-1000\e9ac7873c0e427a06f7c758cb6b7941e_9d81b961-0275-4281-8321-63119951606b

            Filesize

            1KB

            MD5

            0de609e18ebf13a05edcc02fb4248f99

            SHA1

            5887b1936a6adb47ba0be7a4cf546e26822320ec

            SHA256

            effdf956bfb174b8a7994cdf65d8ea698c2449df6d8da56150ea11688d2a6c57

            SHA512

            066be2f018d37e673f7224cdaa5bb1149482afcd4b82704c07cef9e1beeababdc0e87aaed133d7a6c3179b18413059eac20be30722b2c1f9a65d7ea8610f37d6

          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1163522206-1469769407-485553996-1000\e9ac7873c0e427a06f7c758cb6b7941e_9d81b961-0275-4281-8321-63119951606b

            Filesize

            1KB

            MD5

            3474af024a4ed8e8611e30b4956b0d44

            SHA1

            37ff0b6cda2201514eeac2d6c9ab5d8010789aaa

            SHA256

            f30768a5cc9108613f1368f6524d46d81b75cc7e16c30bbb5855d45706b7b2a4

            SHA512

            937c4cb0aacb6cdf220c2a86350b18d7ef1ea8e103684afc15d9f5933e420f705379c2179705b5c893f83062f4d4e7e393711c7ed1ec3deb792441fdfd14d14a

          • C:\Users\Admin\DesktopOSIRIS.bmp

            Filesize

            3.8MB

            MD5

            81563542328696fd6679e2d799e86787

            SHA1

            3b5ef427d9c41e4234edad86e0aa66385b6fcb4b

            SHA256

            1b52275d2f677a6f49ee7098ab04f635559dea8c37de0e024742e6119c46cbad

            SHA512

            3e39f3847d22accbb5d626eaba988ef45069a9e706e378ea4b86cea515dad165ef0d2d704699efd2d3b3342284771b3ad198b6a186803e35ac5bf5f0ac6b344b

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.NSIS.Xamyh.kxk-64fbaa750a20ae7cc12cb21e6e409e4d267068417925494fca7405d1cef5e65d.exe

            Filesize

            125KB

            MD5

            0d3d0f893df336e1bc396e4a2e5d24a0

            SHA1

            8902b36cbfdda493b9b7e6b59947b722a1daef29

            SHA256

            64fbaa750a20ae7cc12cb21e6e409e4d267068417925494fca7405d1cef5e65d

            SHA512

            e13d69329435512032a7197fdc04dbd25d2f2cde46183e3e9527724e50fbcc1e275c5350835b8f2a3a00b9f28c80adfc0f4c59bdefc9ce0cea8da0282792e0b9

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Blocker.hrft-83dd335bbc978eb05c4933fa3ea1301740c9d7754068b3de8facf58442171760.exe

            Filesize

            1.1MB

            MD5

            1b41019a6059d594116e633f3ac61d16

            SHA1

            7b25cfb5f2e126267c9efc1dc0fa98ebb222a58a

            SHA256

            83dd335bbc978eb05c4933fa3ea1301740c9d7754068b3de8facf58442171760

            SHA512

            8646ddd55ff8528dc86aa5443bf2a0b18ea97ecdc98231767149332ec125a8c414d4e50621e15319596fe2facb42c82c2a0dba1527a782aa688cc609707cfa76

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Cryptor.gw-b1cb04416c7391d98166ff259bc3a33dbfe0a4e526466b5d30f54b6b78a5c22f.exe

            Filesize

            213KB

            MD5

            1e508f04171bba110871927312483445

            SHA1

            31e09a03960ec04daa448005d77631009dc01bf0

            SHA256

            b1cb04416c7391d98166ff259bc3a33dbfe0a4e526466b5d30f54b6b78a5c22f

            SHA512

            532aebd93ffa37afbfe62de1c9b6c0e81777519711780036d2f0cac088c6ee1fb9e44c321cdbb2d15fc6e1df01a38a0b9fb4889c46ec7f9c933d37d637cdbfca

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Foreign.njoy-703f9eae4f2b62cc0ca7a2d0a8f34da2853121b232e5a0e220ff72f13f5ad303.exe

            Filesize

            352KB

            MD5

            6245a3be8da6a04c694b5d1f81d08b69

            SHA1

            a7d2d70679a5c2d70e24d84905c8c94f95520800

            SHA256

            703f9eae4f2b62cc0ca7a2d0a8f34da2853121b232e5a0e220ff72f13f5ad303

            SHA512

            f9f583d4869ee4c228b8b0fb62a8b508501e845f9bb9e3fa0a2631ea9d3a3931f426740597634875746fb5a2747bd527a07195c7ae572cef62b2913ad9dea1e7

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.GenericCryptor.jnu-2175329f4ed46df9f13ed8b80ffbe82ae4df5c24323ab50a1c197ab51b36ae78.exe

            Filesize

            255KB

            MD5

            ed441acec18afa29fe57d4b9e66ba126

            SHA1

            ee063b1146b855dc5f276228918fe0dee35c15cc

            SHA256

            2175329f4ed46df9f13ed8b80ffbe82ae4df5c24323ab50a1c197ab51b36ae78

            SHA512

            9c64de1d74eebc52ccde7d0cd40dc3d40c15d3c25f0852ef4959b9a42022eaab80ae91d2922cd37be80af6407889f8bb5fcab6042f7378469d4c0fa7f32bf391

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Locky.aeqw-df0072204b63b2eed626d88921a20e8bf9702b638e36971a279b8959f890a5df.exe

            Filesize

            228KB

            MD5

            1e9bc539837b404ad18c1f1d86d78a10

            SHA1

            0ed44f66164597face22bb7ae7866a916a6c96ac

            SHA256

            df0072204b63b2eed626d88921a20e8bf9702b638e36971a279b8959f890a5df

            SHA512

            ce2f6e93c5739d687424d4bad2ee136b59e2c6b95d45eded90e0af4c4e7d763a6c89243e4fc9283d2319362b988a14ac1e9c1f9e7b621bd10c36c14ee18a60b7

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Locky.xey-06ba734b49a3da926c18f3434173981b012a9ecd41f1e45196140b6d41360da7.exe

            Filesize

            383KB

            MD5

            33dfbc8708ab573b38653420aefdc95f

            SHA1

            2e82415d603c1cbbd317ba945b006ed4c4523de6

            SHA256

            06ba734b49a3da926c18f3434173981b012a9ecd41f1e45196140b6d41360da7

            SHA512

            c426825a80ff89ff41aab904436036db27e571cf74d3f541d575a3025a15031e21ae3ca6d6ba9a46aaf91abeea77711a376caebd9f21a8e06ac1d391e4bdb7f0

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Locky.xfq-7e3cffc3e1b735a1ed22fda7204fdefcab0a717be43864cc395cf77f34360cd5.exe

            Filesize

            434KB

            MD5

            a1313f88249614877f772764501c2faa

            SHA1

            375f214c676e90aa83e8c13426fc96b6d45f3ee8

            SHA256

            7e3cffc3e1b735a1ed22fda7204fdefcab0a717be43864cc395cf77f34360cd5

            SHA512

            1f4e15f5a146201db59dff72c836d067ba0d5ace270cbdf318508426beb56b36e41e2a34af7d7898deef29427d02e853ca95b3911d206c5188117cd2cf8b40a3

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Shade.lnm-7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e.exe

            Filesize

            900KB

            MD5

            f18f2e6a984a8a7e8e787f4f052c8bd9

            SHA1

            72dc0821b7f510a55d8010a22161e21bbac92c96

            SHA256

            7d9380055fea5e6c7901b2ce9f1b13de67cddaa2c2823fd08ecde6d37d4f245e

            SHA512

            858a4b745ae39b07f68c0d6877c45c6b710338cf67c96e2ee989906d548490640b9eb77878127a68b6d45fb8384abea8fe82b65a506d1f93c48266e351a38bed

          • C:\Users\Admin\Desktop\00278\Trojan-Ransom.Win32.Zerber.fdxn-3db0ccba8fb83e1f5b4511b4d5e40efb55ba2ddca785bc7a5f186c5224e8df09.exe

            Filesize

            243KB

            MD5

            fe53909ad081f74af4a11c0ef0ba1222

            SHA1

            cfd8e95f01f82fb8301e4a006c6c23ab25836281

            SHA256

            3db0ccba8fb83e1f5b4511b4d5e40efb55ba2ddca785bc7a5f186c5224e8df09

            SHA512

            f707e284bec9b465f7ce7dc2ccf50e427f16eb42021924a5278422707eae2c1537e5f0171b0d280617e803c4bb05b4a93a56054434700ff74ae4c03b95da054c

          • C:\Users\Admin\Desktop\_HELP_HELP_HELP_LVCGITNQ.hta

            Filesize

            74KB

            MD5

            7491944d7a944375217823b026cc01fa

            SHA1

            3d6a0055e081705c138139da11a638e02e36c724

            SHA256

            6fddcc78d5e23220e52326098b9ffd4dfc5dbfddca659d668ea37dc3d6b768d0

            SHA512

            f36bc2ac5147d944a253d173324e0d2f3ff51efe747e72b757405a2953c265b6a19448a5810ec473697ac5fc0687a8adc790648d8f107ffe0a67148caf1b1534

          • C:\Users\Admin\Desktop\_HELP_HELP_HELP_LVCGITNQ.jpg

            Filesize

            150KB

            MD5

            ab3c95f6ad44f783b2f7981f948a8203

            SHA1

            885eeb67c66de4eeb7c431ab2ce8cb7935c47cc6

            SHA256

            2e5bebab9d8451381f5b6d270ae4d8b0dc800c689e5d62b1fc3caf384fd5ae91

            SHA512

            4d4222e8f1cd0e5077dfd5db31ac35e1ede9759901cd507f24fcde5aa56cc17835fcd73e47cb66b2f9a6b4cadc4afb6c61fef66ded63e3600f9dc03accab9c2b

          • \??\c:\Users\Admin\Desktop\_HELP_HELP_HELP_LVCGITNQ.jpg

            Filesize

            151KB

            MD5

            882382ece5df50dabedd18cf2eeef054

            SHA1

            4acdf2f54151ca295bf16c84030275bcf4747052

            SHA256

            b23e02c283b01fd32a999c0ccc53eeb686f20c4815f230e373b6a6c5d4f572ed

            SHA512

            5f1d5ed47fe830b9ec775d6843ac58237640c9147e340f9e54de4cc326c45e54bbf05192cc2c62cf343d1399143284604caf9d3d02be5c23bea7859dc5bfa8e6

          • \??\c:\Users\Admin\Documents\_HELP_HELP_HELP_J010.jpg

            Filesize

            151KB

          • \??\c:\_HELP_HELP_HELP_D3P2Q65.jpg

            Filesize

            151KB

          • \Users\Admin\AppData\Local\Temp\FB_4D84.tmp.exe

            Filesize

            863KB

          • \Users\Admin\AppData\Local\Temp\Lena.dll

            Filesize

            64KB

          • \Users\Admin\AppData\Local\Temp\isogamy.dll

            Filesize

            84KB

          • \Users\Admin\AppData\Local\Temp\nsy4FE5.tmp\System.dll

            Filesize

            11KB
