Analysis

  • max time kernel
    223s
  • max time network
    222s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 17:05

General

  • Target

    RNSM00277.7z

  • Size

    4.9MB

  • MD5

    7ec43b51a359d15602306e801f8d53e0

  • SHA1

    b2488fc63e257f4b71a300605254f1bf2ea3555c

  • SHA256

    8e74097ec91b78acbb08f7915388ef1a7e960ee402fe19cbaee76ea3488854bf

  • SHA512

    e42ce9e577e56a86fcb5b16c837f7b31cc798060e06fa8954701d05908a5322bb814322bcef812b349f6f283d3b8d94c47fde2d7d69e070b5151d80173d7cc77

  • SSDEEP

    98304:Bow/SvMwj39mc/Abt41EKldc3DBnjugrGukzzaPDG/:Bo6SvMwDkcT1Ecc3djjkParG/

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+tjqws.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: * http://t54ndnku456ngkwsudqer.wallymac.com/E2148AFD29CA248 * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/E2148AFD29CA248 * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/E2148AFD29CA248 If for some reasons the addresses are not available, follow these steps 1 Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 After a successful installation, run the browser 3 Type in the address bar: xlowfznrg4wf7dli.onion/E2148AFD29CA248 4 Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/E2148AFD29CA248 http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/E2148AFD29CA248 http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/E2148AFD29CA248 Your personal pages TOR Browser xlowfznrg4wf7dli. onion/E2148AFD29CA248
URLs

http://t54ndnku456ngkwsudqer.wallymac.com/E2148AFD29CA248

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/E2148AFD29CA248

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/E2148AFD29CA248

http://xlowfznrg4wf7dli.onion/E2148AFD29CA248

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #CerberRansomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580" target="_blank">http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580</a></li> <li><a href="http://cerberhhyed5frqa.xzcfr4.win/B82D-7CBA-BE2D-0063-7580" target="_blank">http://cerberhhyed5frqa.xzcfr4.win/B82D-7CBA-BE2D-0063-7580</a></li> <li><a href="http://cerberhhyed5frqa.asxce4.win/B82D-7CBA-BE2D-0063-7580" target="_blank">http://cerberhhyed5frqa.asxce4.win/B82D-7CBA-BE2D-0063-7580</a></li> <li><a href="http://cerberhhyed5frqa.45kgok.win/B82D-7CBA-BE2D-0063-7580" target="_blank">http://cerberhhyed5frqa.45kgok.win/B82D-7CBA-BE2D-0063-7580</a></li> <li><a href="http://cerberhhyed5frqa.ad34ft.win/B82D-7CBA-BE2D-0063-7580" target="_blank">http://cerberhhyed5frqa.ad34ft.win/B82D-7CBA-BE2D-0063-7580</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580" target="_blank">http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580" target="_blank">http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580" target="_blank">http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/B82D-7CBA-BE2D-0063-7580</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580 | | 2. http://cerberhhyed5frqa.xzcfr4.win/B82D-7CBA-BE2D-0063-7580 | | 3. http://cerberhhyed5frqa.asxce4.win/B82D-7CBA-BE2D-0063-7580 | | 4. 
http://cerberhhyed5frqa.45kgok.win/B82D-7CBA-BE2D-0063-7580 | | 5. http://cerberhhyed5frqa.ad34ft.win/B82D-7CBA-BE2D-0063-7580 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/B82D-7CBA-BE2D-0063-7580 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.azlto5.win/B82D-7CBA-BE2D-0063-7580

http://cerberhhyed5frqa.xzcfr4.win/B82D-7CBA-BE2D-0063-7580

http://cerberhhyed5frqa.asxce4.win/B82D-7CBA-BE2D-0063-7580

http://cerberhhyed5frqa.45kgok.win/B82D-7CBA-BE2D-0063-7580

http://cerberhhyed5frqa.ad34ft.win/B82D-7CBA-BE2D-0063-7580

http://cerberhhyed5frqa.onion/B82D-7CBA-BE2D-0063-7580

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

  • Locky family
  • Locky_osiris family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Contacts a large number (24102) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (386) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Adds policy Run key to start application 2 TTPs 3 IoCs
  • Drops startup file 10 IoCs
  • Executes dropped EXE 38 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Sets desktop wallpaper using registry 2 TTPs 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 4 IoCs
  • Interacts with shadow copies 3 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 13 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 4 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of SetWindowsHookEx 44 IoCs
  • Suspicious use of UnmapMainImage 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00277.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1880
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\Desktop\00277\HEUR-Trojan-Ransom.MSIL.Blocker.gen-24edb45b9af68ec237eef33dff1f9253e1e3e3232f56a6d0c4336c0e4e816cee.exe
      HEUR-Trojan-Ransom.MSIL.Blocker.gen-24edb45b9af68ec237eef33dff1f9253e1e3e3232f56a6d0c4336c0e4e816cee.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1684
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\cd482369-09b5-4f6f-929d-87c40c6be1bc" /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3008
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Update\cd482369-09b5-4f6f-929d-87c40c6be1bc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp514587445.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2504
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\cd482369-09b5-4f6f-929d-87c40c6be1bc" /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\oougw.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2104
        • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe
          "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:1824
          • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe
            "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe"
            5⤵
            • Executes dropped EXE
            PID:2788
    • C:\Users\Admin\Desktop\00277\HEUR-Trojan-Ransom.Win32.Zerber.gen-39a9f8c96ce9f7ecf2f2424ce0aea2db15df3f6b75bb543218dab48a8d1fceba.exe
      HEUR-Trojan-Ransom.Win32.Zerber.gen-39a9f8c96ce9f7ecf2f2424ce0aea2db15df3f6b75bb543218dab48a8d1fceba.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: MapViewOfSection
      PID:1488
      • C:\Users\Admin\Desktop\00277\HEUR-Trojan-Ransom.Win32.Zerber.gen-39a9f8c96ce9f7ecf2f2424ce0aea2db15df3f6b75bb543218dab48a8d1fceba.exe
        HEUR-Trojan-Ransom.Win32.Zerber.gen-39a9f8c96ce9f7ecf2f2424ce0aea2db15df3f6b75bb543218dab48a8d1fceba.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        PID:2640
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe List Shadows
          4⤵
          • Interacts with shadow copies
          PID:1616
    • C:\Users\Admin\Desktop\00277\Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe
      Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2868
      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe
        Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe
        3⤵
        • Adds policy Run key to start application
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        PID:2612
        • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\verifier.exe
          "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\verifier.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          PID:2480
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00277\Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe" > NUL
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:956
        • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe
          "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:1764
          • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe
            "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe"
            5⤵
            • Executes dropped EXE
            PID:1640
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00277\Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe" > NUL
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:3020
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:1920
    • C:\Users\Admin\Desktop\00277\Trojan-Ransom.NSIS.Xamyh.dua-4fa6bce79ebda38216d10a674bb7c1a091b8cace3bb6659f6813478b0e400c0e.exe
      Trojan-Ransom.NSIS.Xamyh.dua-4fa6bce79ebda38216d10a674bb7c1a091b8cace3bb6659f6813478b0e400c0e.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1048
      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.NSIS.Xamyh.dua-4fa6bce79ebda38216d10a674bb7c1a091b8cace3bb6659f6813478b0e400c0e.exe
        Trojan-Ransom.NSIS.Xamyh.dua-4fa6bce79ebda38216d10a674bb7c1a091b8cace3bb6659f6813478b0e400c0e.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2532
    • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Agent.ivn-26e30e2bc99883e065cda7b0c1ce3bbf73a09010e63e028a7b246a995aaa1071.exe
      Trojan-Ransom.Win32.Agent.ivn-26e30e2bc99883e065cda7b0c1ce3bbf73a09010e63e028a7b246a995aaa1071.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies data under HKEY_USERS
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of UnmapMainImage
      PID:992
      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Agent.ivn-26e30e2bc99883e065cda7b0c1ce3bbf73a09010e63e028a7b246a995aaa1071.exe
        "C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Agent.ivn-26e30e2bc99883e065cda7b0c1ce3bbf73a09010e63e028a7b246a995aaa1071.exe" g
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        PID:2724
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:900
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2104
    • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Bitman.qmf-f3a753f279d913d3b5712da9697c859d547cbb7c90e110cc73d150b0af751f66.exe
      Trojan-Ransom.Win32.Bitman.qmf-f3a753f279d913d3b5712da9697c859d547cbb7c90e110cc73d150b0af751f66.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
      • C:\Windows\kkwldujgyyru.exe
        C:\Windows\kkwldujgyyru.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2220
        • C:\Windows\System32\wbem\WMIC.exe
          "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2776
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
          4⤵
          • System Location Discovery: System Language Discovery
          • Opens file in notepad (likely ransom note)
          PID:1160
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1000
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2224
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:275468 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1156
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:275491 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1512
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:2503706 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1292
        • C:\Windows\System32\wbem\WMIC.exe
          "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          4⤵
            PID:836
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\KKWLDU~1.EXE
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1520
            • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe
              "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2860
              • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe
                "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\eventvwr.exe"
                6⤵
                • Executes dropped EXE
                PID:584
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00277\TROJAN~4.EXE
          3⤵
            PID:2676
        • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Blocker.aimw-c3fa3aef6c645c4f490d2ad76d227d4dfc9ddc4987d1186caaf454f4e7a4a119.exe
          Trojan-Ransom.Win32.Blocker.aimw-c3fa3aef6c645c4f490d2ad76d227d4dfc9ddc4987d1186caaf454f4e7a4a119.exe
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of SetWindowsHookEx
          PID:2972
        • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Crypmod.yef-5538363b2539e01e0799ae6d51646dbaf18be461b65213ba66f423b5f4c5e62a.exe
          Trojan-Ransom.Win32.Crypmod.yef-5538363b2539e01e0799ae6d51646dbaf18be461b65213ba66f423b5f4c5e62a.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: MapViewOfSection
          PID:1496
          • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Crypmod.yef-5538363b2539e01e0799ae6d51646dbaf18be461b65213ba66f423b5f4c5e62a.exe
            Trojan-Ransom.Win32.Crypmod.yef-5538363b2539e01e0799ae6d51646dbaf18be461b65213ba66f423b5f4c5e62a.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:896
        • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Foreign.cklf-abce23a6929ac4ff694debfd6f25780020f0b4381f83feca6b10dd84f63aa05c.exe
          Trojan-Ransom.Win32.Foreign.cklf-abce23a6929ac4ff694debfd6f25780020f0b4381f83feca6b10dd84f63aa05c.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: MapViewOfSection
          PID:1544
        • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Foreign.nipz-03940eab794fd3ed646504ac1ffe2fbf5b73e73ed2f8c2269a7765cd23257473.exe
          Trojan-Ransom.Win32.Foreign.nipz-03940eab794fd3ed646504ac1ffe2fbf5b73e73ed2f8c2269a7765cd23257473.exe
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2036
        • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Locky.bil-73770d505e81cffd36121a113c79e3aff7d757f9c1167660ca3a7e216bc6a892.exe
          Trojan-Ransom.Win32.Locky.bil-73770d505e81cffd36121a113c79e3aff7d757f9c1167660ca3a7e216bc6a892.exe
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2804
        • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Locky.xbq-d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f.exe
          Trojan-Ransom.Win32.Locky.xbq-d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f.exe
          2⤵
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1456
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:2104
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2372
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys3B3C.tmp"
            3⤵
              PID:2524
          • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Locky.xdt-13302b92d75ad29f88d8a0330c153ed0c5156c659a129e852251a3e3552f8537.exe
            Trojan-Ransom.Win32.Locky.xdt-13302b92d75ad29f88d8a0330c153ed0c5156c659a129e852251a3e3552f8537.exe
            2⤵
            • Executes dropped EXE
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2360
            • C:\Windows\splwow64.exe
              C:\Windows\splwow64.exe 12288
              3⤵
                PID:2184
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
                3⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                PID:2032
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2812
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:209928 /prefetch:2
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2076
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys1FC0.tmp"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2932
            • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Locky.xem-b65f63f75a0b88ac2fb0612cf8e2298447e2080b67a2d016b5e6e50c61f1d517.exe
              Trojan-Ransom.Win32.Locky.xem-b65f63f75a0b88ac2fb0612cf8e2298447e2080b67a2d016b5e6e50c61f1d517.exe
              2⤵
              • Executes dropped EXE
              • Sets desktop wallpaper using registry
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              • Suspicious behavior: EnumeratesProcesses
              PID:3040
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys27EB.tmp"
                3⤵
                  PID:2132
              • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.SageCrypt.k-10aa206bffbda3959773554bd14447100719e07a6002ff6ffe5697b00697beea.exe
                Trojan-Ransom.Win32.SageCrypt.k-10aa206bffbda3959773554bd14447100719e07a6002ff6ffe5697b00697beea.exe
                2⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious use of UnmapMainImage
                PID:2668
                • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.SageCrypt.k-10aa206bffbda3959773554bd14447100719e07a6002ff6ffe5697b00697beea.exe
                  "C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.SageCrypt.k-10aa206bffbda3959773554bd14447100719e07a6002ff6ffe5697b00697beea.exe" g
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of UnmapMainImage
                  PID:2368
              • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Shade.opq-ca4727bd4e0147e0218ade8603dd6dca3c2d71dd800d4b65457528e944fc74b8.exe
                Trojan-Ransom.Win32.Shade.opq-ca4727bd4e0147e0218ade8603dd6dca3c2d71dd800d4b65457528e944fc74b8.exe
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious behavior: MapViewOfSection
                PID:2168
                • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Shade.opq-ca4727bd4e0147e0218ade8603dd6dca3c2d71dd800d4b65457528e944fc74b8.exe
                  Trojan-Ransom.Win32.Shade.opq-ca4727bd4e0147e0218ade8603dd6dca3c2d71dd800d4b65457528e944fc74b8.exe
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:2272
              • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Spora.j-175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911.exe
                Trojan-Ransom.Win32.Spora.j-175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:2104
                • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Spora.j-175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911.exe
                  "C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Spora.j-175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911.exe"
                  3⤵
                  • Drops startup file
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2076
                  • C:\Windows\SysWOW64\wbem\WMIC.exe
                    "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:2604
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\US63A-26XHT-ZTXTX-HTOKT-FYYYY.HTML
                    4⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:1780
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:2980
              • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Zerber.dsw-d01a5d62bb91753fb9ebc8a48b6f1a2aa77af57a53500443e70c98d551f97cbe.exe
                Trojan-Ransom.Win32.Zerber.dsw-d01a5d62bb91753fb9ebc8a48b6f1a2aa77af57a53500443e70c98d551f97cbe.exe
                2⤵
                • Adds policy Run key to start application
                • Drops startup file
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Modifies Control Panel
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                PID:2424
                • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\verifier.exe
                  "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\verifier.exe"
                  3⤵
                  • Adds policy Run key to start application
                  • Drops startup file
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Checks whether UAC is enabled
                  • System Location Discovery: System Language Discovery
                  • Modifies Control Panel
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of UnmapMainImage
                  PID:1892
                  • C:\Windows\system32\vssadmin.exe
                    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                    4⤵
                    • Interacts with shadow copies
                    PID:2772
                  • C:\Windows\system32\wbem\wmic.exe
                    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                    4⤵
                      PID:2808
                    • C:\Windows\System32\bcdedit.exe
                      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
                      4⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1072
                    • C:\Windows\System32\bcdedit.exe
                      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
                      4⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1812
                    • C:\Windows\system32\NOTEPAD.EXE
                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                      4⤵
                        PID:1952
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                        4⤵
                          PID:2388
                        • C:\Windows\system32\cmd.exe
                          /d /c taskkill /t /f /im "verifier.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\verifier.exe" > NUL
                          4⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          PID:700
                          • C:\Windows\system32\taskkill.exe
                            taskkill /t /f /im "verifier.exe"
                            5⤵
                            • Kills process with taskkill
                            PID:836
                          • C:\Windows\system32\PING.EXE
                            ping -n 1 127.0.0.1
                            5⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:3036
                      • C:\Windows\SysWOW64\cmd.exe
                        /d /c taskkill /t /f /im "Trojan-Ransom.Win32.Zerber.dsw-d01a5d62bb91753fb9ebc8a48b6f1a2aa77af57a53500443e70c98d551f97cbe.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Zerber.dsw-d01a5d62bb91753fb9ebc8a48b6f1a2aa77af57a53500443e70c98d551f97cbe.exe" > NUL
                        3⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        PID:2604
                    • C:\Users\Admin\Desktop\00277\UDS-Trojan-Ransom.Win32.CryptXXX.sb-50c9e2e7c86b4a56bad74486f02a92a5a1b2c8976e597078988a70774d1e610a.exe
                      UDS-Trojan-Ransom.Win32.CryptXXX.sb-50c9e2e7c86b4a56bad74486f02a92a5a1b2c8976e597078988a70774d1e610a.exe
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:840
                      • C:\Users\Admin\AppData\Local\Temp\ebfcabfbdfja.exe
                         C:\Users\Admin\AppData\Local\Temp\ebfcabfbdfja.exe 8#2#0#0#4#9#2#0#1#6#3 …
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1528
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          wmic /output:C:\Users\Admin\AppData\Local\Temp\81732295203.txt bios get serialnumber
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2720
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          wmic /output:C:\Users\Admin\AppData\Local\Temp\81732295203.txt bios get version
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2164
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          wmic /output:C:\Users\Admin\AppData\Local\Temp\81732295203.txt bios get version
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1204
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          wmic /output:C:\Users\Admin\AppData\Local\Temp\81732295203.txt bios get version
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2388
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          wmic /output:C:\Users\Admin\AppData\Local\Temp\81732295203.txt bios get version
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2468
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 368
                          4⤵
                          • Loads dropped DLL
                          • Program crash
                          PID:2244
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /4
                    1⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:2748
                  • C:\Windows\syswow64\svchost.exe
                    "C:\Windows\syswow64\svchost.exe"
                    1⤵
                    • Modifies WinLogon for persistence
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    PID:3068
                  • C:\Windows\system32\vssvc.exe
                    C:\Windows\system32\vssvc.exe
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2016
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                    • Process spawned unexpected child process
                    PID:2264
                    • C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\verifier.exe
                      "C:\Users\Admin\AppData\Roaming\{3948277D-206E-C453-92EF-7A792F7F3E4D}\verifier.exe"
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      • Suspicious use of UnmapMainImage
                      PID:1532
                  • C:\Windows\SysWOW64\DllHost.exe
                    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of FindShellTrayWindow
                    PID:2716
                  • C:\Windows\system32\taskmgr.exe
                    "C:\Windows\system32\taskmgr.exe" /4
                    PID:2760
                    • C:\Windows\SysWOW64\DllHost.exe
                      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of FindShellTrayWindow
                      PID:2676
                    • C:\Windows\SysWOW64\DllHost.exe
                      C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
                      • System Location Discovery: System Language Discovery
                      PID:1796
                    • C:\Windows\system32\AUDIODG.EXE
                      C:\Windows\system32\AUDIODG.EXE 0xc4
                      PID:272

                      Network

                      MITRE ATT&CK Enterprise v15

                      Downloads

                      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+tjqws.html (12KB)
                      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+tjqws.png (64KB)
                      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+tjqws.txt (1KB)
                      • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSIRIS-158d.htm (8KB)
                      • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt (11KB)
                      • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt (109KB)
                      • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt (173KB)
                      • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\OSIRIS-43a5.htm (8KB)
                      • C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\OSIRIS-7f6c.htm (8KB)
                      • C:\ProgramData\System32\xfs (46KB)
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B, listed eight times with differing content)
                      • C:\Users\Admin\AppData\Local\Temp\81732295203.txt (58B)
                      • C:\Users\Admin\AppData\Local\Temp\Cab32D6.tmp (70KB)
                      • C:\Users\Admin\AppData\Local\Temp\Tar3318.tmp (181KB)
                      • C:\Users\Admin\AppData\Local\Temp\nsj6C2C.tmp\nnpti.dll (120KB)
                      • C:\Users\Admin\AppData\Local\Temp\nsoCD2F.tmp\System.dll (11KB)
                      • C:\Users\Admin\AppData\Local\Temp\~DF2FE161A9EDC0C33A.TMP (20KB)
                      • C:\Users\Admin\AppData\Roaming\SFhelper.dll (70KB)
                      • C:\Users\Admin\AppData\Roaming\US63A-26XHT-ZTXTX-HTOKT-FYYYY.KEY (1KB)
                      • C:\Users\Admin\AppData\Roaming\oougw.exe (822KB)
                      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html (12KB)
                      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt (10KB)
                      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url (85B)
                      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs (216B)
                      • C:\Users\Admin\Desktop\00277\HEUR-Trojan-Ransom.MSIL.Blocker.gen-24edb45b9af68ec237eef33dff1f9253e1e3e3232f56a6d0c4336c0e4e816cee.exe (822KB)
                      • C:\Users\Admin\Desktop\00277\HEUR-Trojan-Ransom.Win32.Zerber.gen-39a9f8c96ce9f7ecf2f2424ce0aea2db15df3f6b75bb543218dab48a8d1fceba.exe (901KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.NSIS.Onion.aftx-2a8285f324c9ad8dc54f190aa3627ac9bebd546173ed89d5ecd1ea7b65641c75.exe (280KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.NSIS.Xamyh.dua-4fa6bce79ebda38216d10a674bb7c1a091b8cace3bb6659f6813478b0e400c0e.exe (120KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Agent.ivn-26e30e2bc99883e065cda7b0c1ce3bbf73a09010e63e028a7b246a995aaa1071.exe (324KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Bitman.qmf-f3a753f279d913d3b5712da9697c859d547cbb7c90e110cc73d150b0af751f66.exe (395KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Blocker.aimw-c3fa3aef6c645c4f490d2ad76d227d4dfc9ddc4987d1186caaf454f4e7a4a119.exe (66KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Crypmod.yef-5538363b2539e01e0799ae6d51646dbaf18be461b65213ba66f423b5f4c5e62a.exe (186KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Foreign.cklf-abce23a6929ac4ff694debfd6f25780020f0b4381f83feca6b10dd84f63aa05c.exe (125KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Foreign.nipz-03940eab794fd3ed646504ac1ffe2fbf5b73e73ed2f8c2269a7765cd23257473.exe (276KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Locky.bil-73770d505e81cffd36121a113c79e3aff7d757f9c1167660ca3a7e216bc6a892.exe (244KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Locky.xbq-d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f.exe (348KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Locky.xdt-13302b92d75ad29f88d8a0330c153ed0c5156c659a129e852251a3e3552f8537.exe (524KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Locky.xem-b65f63f75a0b88ac2fb0612cf8e2298447e2080b67a2d016b5e6e50c61f1d517.exe (313KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.SageCrypt.k-10aa206bffbda3959773554bd14447100719e07a6002ff6ffe5697b00697beea.exe (300KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Shade.opq-ca4727bd4e0147e0218ade8603dd6dca3c2d71dd800d4b65457528e944fc74b8.exe (904KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Spora.j-175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911.exe (72KB)
                      • C:\Users\Admin\Desktop\00277\Trojan-Ransom.Win32.Zerber.dsw-d01a5d62bb91753fb9ebc8a48b6f1a2aa77af57a53500443e70c98d551f97cbe.exe (710KB)
                      • C:\Users\Admin\Desktop\00277\UDS-Trojan-Ransom.Win32.CryptXXX.sb-50c9e2e7c86b4a56bad74486f02a92a5a1b2c8976e597078988a70774d1e610a.exe (556KB)

                      • C:\Users\Admin\Documents\JoinDismount.doc

                        Filesize

                        702KB

                        MD5

                        047cd91f3411d82578e2929b695d2adb

                        SHA1

                        0c195899ecb4c31ce72f5d01a2be818aa288eb40

                        SHA256

                        ed58e3a30403b4615d533020843d2a9d21bcfaa32f027e9e5e6b4a6f74213b13

                        SHA512

                        ca82e5daa54d839b70d728264930e335e9f94494766541362cec265cfddba3a4554bbf1a98798d0e89814bf6f99da8216cced1a9ed07a28673e7957ceaaae744

                      • C:\Users\Admin\Downloads\NewJoin.doc

                        Filesize

                        749KB

                        MD5

                        99eb6b87871ef1fe89a1245c4fe816ed

                        SHA1

                        c3bd6e576acf7cbc5976a7ae2e6f12323a2def19

                        SHA256

                        0dafce314e66d2a2d5ae6a309031727cd63f29aa0b66a23a9804aae5d298f713

                        SHA512

                        c4459f3105c186aef3532f9cb1a8f6b15a7823ee9c82ac46ffacabf6f964069f377aff31eec919deee8fc8f01287dc57a0da51ced855580c8a613947eea03018

                      • C:\Users\Admin\Music\!Recovery_NSd.html

                        Filesize

                        9KB

                        MD5

                        93b49b4df8ec320c729d2ca40cb2daf8

                        SHA1

                        4182846dafaa46d9215d6705a6ac9ffda702d997

                        SHA256

                        a0310d94c76598c5c8ae42536718cc230f5096815e2d7c158be522da632fe1d2

                        SHA512

                        cb2ac69ff946f66bd19ec7b71c656b0dd6ce3e1d35719688c0f8b490475e5e96804c09d1bd036d4d1e96de578adb9c2170b699793f0b5e7db192f8c360b2ac73

                      • C:\Users\Admin\Music\MountRedo.doc

                        Filesize

                        255KB

                        MD5

                        c4ac9ec2785defaa98a53a09c6050535

                        SHA1

                        c36a8612d96c327a7cc3f59d60acd19765cc591f

                        SHA256

                        f59ed1c5442d3727d0762f76e41c68656c3b298216fd045546bf35cfaa321f60

                        SHA512

                        4259696dce109ca124840f367fbeed0f3b608dfc4f048a384e2b3e210bf3d541771554e68c416059dfade81eaf9092a07c053d8ff3af40ad276746800031c9d9

                      • C:\Users\Admin\Pictures\UnlockDismount.dwg

                        Filesize

                        1.1MB

                        MD5

                        f2107fb299791e6e3c7638ad3d6b52d7

                        SHA1

                        2f550c0c4a07d83577bf40205fc4eb03333b4ff9

                        SHA256

                        9796ec8134b7bf1789239957ccc0b9ae57d455b53d80f0b2e8d22e55e39a4d41

                        SHA512

                        b761396b7ed88f1f4887ec30e889fc4e5c932a6f75c5b9801cfc5cf632637e3167ec374ea5b4f3cd624fc8cf9049b5bbfbe79dde966f14fd1f517066f88bdc8c

                      • F:\!Recovery_NSd.html

                        Filesize

                        8KB

                        MD5

                        a7a583de9757b5d7257c45a93ba7c0c5

                        SHA1

                        b72e79a4dd401c3f12633c55a29d8d65cbb8f438

                        SHA256

                        5ddc32d68e8c72325b7cc9ae7dac86b5de91987f4c998061cafa8f09fcd985a8

                        SHA512

                        b91d1f6215a539a0a72272259f59639875748c48574935bd59aa21a83cd331f45bde3086ab4b3be73bb121f95a9621226c97e3f4c7b8f7f337a14b82939791a3

                      • F:\US63A-26XHT-ZTXTX-HTOKT-FYYYY.HTML

                        Filesize

                        14KB

                        MD5

                        70ab28da110abd633a304eea28808bc9

                        SHA1

                        f603d5fa31363e07d909222b76da8fcb2c640324

                        SHA256

                        b9f8a1af8f9b4771d8ebcd8aa604704c2126d89a2b4cc6183153c169a3b1213f

                        SHA512

                        21bf5238621373b413eb534c5b2f850ad210384784e710245f4b38649f942415399cd47ed3b78520b25092f25c32b4633fc047451ea240010ec8171d7dcf13d9

                      • F:\US63A-26XHT-ZTXTX-HTOKT-FYYYY.LST

                        Filesize

                        5KB

                        MD5

                        34d0d153c7a85da24665d31e88cc0ee9

                        SHA1

                        9390d19a5acfafb08f4d830a1e78e018a1ab84d7

                        SHA256

                        9ede9190d7a54ccc59cb3a98b190528f673814f80ee93f3bc8a51bd4f2154755

                        SHA512

                        e76eaf6cfbccfb2cede7061cbc17072d9a39d7fc32625a46ef9f8c158807e83b6b4c221890e84a5b0ba9412d052633aef42e282495a1ad4a6d8ac2f7cf541560

                      • \Users\Admin\AppData\Local\Temp\ebfcabfbdfja.exe

                        Filesize

                        764KB

                        MD5

                        bac0e870bbef72352500bb3c0e457c5c

                        SHA1

                        87667f6d54a20c1f6d94feff060ff50c4c23f9da

                        SHA256

                        ce240c731a475b319852b0ce48127bbfbcdc75412eeff3b670bf5fcda6034aa1

                        SHA512

                        aa5a9adc91efda6af7644a3a154623d5ce11058d2d748f2ffe16690e4aad714873ccc6c152d97fcd83d2f7215712c8fd01cd8fb74dcbdde398c62bb0a796d722

                      • \Users\Admin\AppData\Local\Temp\nsj6C2C.tmp\nsisunz.dll

                        Filesize

                        40KB

                        MD5

                        5f13dbc378792f23e598079fc1e4422b

                        SHA1

                        5813c05802f15930aa860b8363af2b58426c8adf

                        SHA256

                        6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

                        SHA512

                        9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

                      • \Users\Admin\AppData\Local\Temp\nsj6EDB.tmp\System.dll

                        Filesize

                        11KB

                        MD5

                        3e6bf00b3ac976122f982ae2aadb1c51

                        SHA1

                        caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

                        SHA256

                        4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

                        SHA512

                        1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

                      • \Users\Admin\AppData\Local\Temp\nso67BA.tmp\System.dll

                        Filesize

                        11KB

                        MD5

                        ca332bb753b0775d5e806e236ddcec55

                        SHA1

                        f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

                        SHA256

                        df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

                        SHA512

                        2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

                      • \Users\Admin\AppData\Local\Temp\nsz733E.tmp\System.dll

                        Filesize

                        11KB

                        MD5

                        a4dd044bcd94e9b3370ccf095b31f896

                        SHA1

                        17c78201323ab2095bc53184aa8267c9187d5173

                        SHA256

                        2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

                        SHA512

                        87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

• memory/896-180-0x00000000001C0000-0x00000000001E7000-memory.dmp (Filesize: 156KB)
• memory/896-186-0x00000000001C0000-0x00000000001E7000-memory.dmp (Filesize: 156KB)
• memory/896-187-0x00000000001C0000-0x00000000001E7000-memory.dmp (Filesize: 156KB)
• memory/992-279-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
• memory/992-280-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
• memory/992-62-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
• memory/992-61-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
• memory/992-70-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
• memory/1544-111-0x0000000000400000-0x0000000001416000-memory.dmp (Filesize: 16.1MB)
• memory/1544-192-0x0000000000400000-0x0000000001416000-memory.dmp (Filesize: 16.1MB)
• memory/1544-191-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/1892-183-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
• memory/2076-208-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
• memory/2076-206-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
• memory/2076-205-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
• memory/2076-203-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
• memory/2076-201-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
• memory/2076-199-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
• memory/2220-267-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
• memory/2272-255-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2272-259-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2272-620-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2272-257-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2272-261-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2272-258-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2424-139-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
• memory/2424-210-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
• memory/2612-527-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
• memory/2612-533-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
• memory/2612-529-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
• memory/2612-537-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
• memory/2612-538-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
• memory/2612-531-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
• memory/2612-535-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
• memory/2640-877-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2640-540-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2640-541-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2640-542-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
• memory/2668-155-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
• memory/2668-559-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
• memory/2668-159-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
• memory/2748-40-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)
• memory/2748-42-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)
• memory/2748-41-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)
• memory/2804-156-0x0000000000AA0000-0x0000000000ADF000-memory.dmp (Filesize: 252KB)
• memory/2868-524-0x00000000008E0000-0x00000000008FD000-memory.dmp (Filesize: 116KB)
• memory/2948-209-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
• memory/2972-630-0x0000000000300000-0x0000000000306000-memory.dmp (Filesize: 24KB)
• memory/2972-114-0x0000000000F10000-0x0000000000F26000-memory.dmp (Filesize: 88KB)
• memory/3068-196-0x0000000000080000-0x0000000000087000-memory.dmp (Filesize: 28KB)