Keyword: URL
Rename file/s from affected computer Create new directory Search a file from affected computer Download file from url Download file from local Enumerate process Terminate process Maximize/Minimize
usually is C:\Windows\Temp on all Windows operating system versions.) Information Theft This spyware logs a user's keystrokes to steal information. NOTES: URL no longer accessible Downloaded from the
ignoreallfailures NOTES: The ransomware displays the following as its ransom note: Typing the URL will not redirect to the proper site. The user needs to click the buttons on the page for it to properly redirect.
files are exhibited on the affected system. NOTES: The URL it accesses contains script that downloads and executes a file from the following URLs: http://www.{BLOCKED}ntsa.ro/counter/?i={value}a={value
cryptonight-lite, cryptonight-heavy -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user=USERNAME username for mining server -p, --pass=PASSWORD password for
user:48tKyhLzJvmfpaZjeEh2rmWSxbFqg7jNzPvQbLgueAc6avfKVrJFnyAMBuTn9ZeG4A3Gfww512YNZB9Tvaf52aVbPHpJFXT pass: x Accepts the following parameters: -a, --algo=ALGO cryptonight (default) or cryptonight-lite -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining
{Encrypted Folder}\HOW_TO_DECRYPT.txt It avoids encrypting files with the following file extensions: exe dll sys msi lnk ini url Ransom:Win32/Hive.P!MTB (MICROSOFT) Downloaded from the Internet, Dropped by
file from the following URL and renames the file when stored in the affected system: https://www.{BLOCKED}onrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip It connects to the
following: It downloads malicious DLL from the following URL and executes it in memory: https://cdn.discordapp.com/attachments/{BLOCKED}81184768/Tbopbh.jpg It executes the following in memory:
Manager\Accounts\Bigfoot LDAP Server = "ldap.bigfoot.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED}t.com" HKEY_CURRENT_USER\Software
" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP Server = "ldap.bigfoot.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP URL = "http://www.
Manager\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED}t.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP Search Return = "64" HKEY_CURRENT_USER\Software\Microsoft
Server = "ldap.bigfoot.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED}t.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account
\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP Server = "ldap.bigfoot.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED
" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED}t.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP Search
Account Manager\Accounts\Bigfoot LDAP Server = "ldap.bigfoot.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED}t.com" HKEY_CURRENT_USER
\Accounts\Bigfoot LDAP URL = "http://www.{BLOCKED}t.com" HKEY_CURRENT_USER\Software\Microsoft\ Internet Account Manager\Accounts\Bigfoot LDAP Search Return = "64" HKEY_CURRENT_USER\Software\Microsoft