Dharma Ransomware

Posted: November 17, 2016

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Ranking:	19,937
Threat Level:	10/10
Infected PCs:	61,656

First Seen:	November 17, 2016
Last Seen:	February 10, 2025
OS(es) Affected:	Windows

The Dharma Ransomware is a Trojan that renames and encrypts your files, blocking them until you pay its ransom. Because the Dharma Ransomware may not provide its victims with decryption services, PC owners should try to maintain updated backups on systems that this Trojan can't access. In ideal cases, your anti-malware products should block the Dharma Ransomware and delete it before it can install itself and encode your files.

A Mute File Burglar from the East

The Crysis Ransomware and many of its relatives already bear responsibility for more than a few attacks against both individuals and business networks, but the continuing excavation of new threats shows that they aren't finishing yet. Malware researchers noted similarities with footer information between other CrySiS-based Trojans and the Dharma Ransomware, one of the newest file-encryptor Trojans. Its attacks cause potentially permanent data damage while offering its victims ransom negotiations via e-mail.

There is evidence of the Dharma Ransomware's campaign using only brute force-based infection vectors that allow threat actors to 'guess' weak passwords for a network-accessible machine currently. Although there is documentation of the Dharma Ransomware being able to target hard drives and servers that are network-accessible, this behavior is inconsistent, and some systems may not be affected.

For systems that the Dharma Ransomware does include in its sweep, the Trojan encrypts all files within the Windows users folder and tags them with the '.[email address]dharma' extension. Malware researchers also saw other variations in the Dharma Ransomware's payload, such as sometimes generating a Notepad TXT message on the desktop.

The instructions contain limited information, mostly only redirecting the victim to the previously-mentioned e-mail address for ransoming negotiations. In other cases, the extension is the only 'message' it leaves, requiring you to guess at the threat author's intentions and how to recover your encoded possessions from an uncommunicative Trojan.

Reordering Your PC's Universe According to Personal the Dharma

As derivative as the Dharma Ransomware may be, its payload is efficient at presenting direct damage to both the infected PC and other PCs found through local networking infrastructure. As con artists continue using weak passwords as footholds into business networks, companies should review their password use protocols and remote desktop settings so that they can eliminate any vulnerabilities. While the Crysis Ransomware-compatible decryption tools are available for no charge, malware researchers find the Dharma Ransomware's encryption method incompatible with them.

With luck, the cyber security industry may crack the Dharma Ransomware's encryption algorithm and develop a freeware application for reversing its file damage. Nonetheless, not every Trojan is subject to decryption equally, and keeping backups not vulnerable to attack will give PC users easier ways of recovering any data they've lost.

Many anti-malware products should identify this threat as being a variant of the Crysis Ransomware and be able to remove the Dharma Ransomware during a system scan. However, such protections aren't helpful for victims who inadvertently give third parties complete access to their home or business networks necessarily, inviting a hacker to install and disable whatever software he prefers essentially.

Update November 6th, 2018 — '.tron File Extension' Ransomware

The Dharma Ransomware and its variants continue to be a very prominent threat to the users worldwide, despite a large number of decryption keys that were released by the project’s authors in 2017. One of the newest variants of the Dharma Ransomware is called '.tron File Extension' Ransomware and malware researchers have determined that it is not compatible with any free decryption utilities. This means that if your files fall victim to the '.tron File Extension' Ransomware’s encryption, then their recovery might be a nearly impossible task unless the attackers provide you with a decryption tool and decryption key. However, they are unlikely to do this since their ransom message states that the only way to acquire the key and decryptor is to pay a hefty ransom sum via Bitcoin.

When the '.tron File Extension' Ransomware initializes its attack, it may encrypt a huge variety of files – documents, images, videos, archives, databases, and spreadsheets are just a small fraction of the file types that the '.tron File Extension' Ransomware is meant to encrypt. In addition to this, the '.tron File Extension' Ransomware also will attempt to disable the System Restore service and erase all the Shadow Volume Copies, therefore reducing the efficiency of data recovery software drastically.

All files that the '.tron File Extension' Ransomware locks can be recognized by the 'id-[VICTIM ID].[xtron@cock.li].tron’ that will be appended to their names. The ransom note is dropped on the desktop when the attack is complete, and its contents reveal that the attackers are willing to provide the victim with a decryptor as soon as they receive a certain amount of money via a Bitcoin transaction.

Recovering from the '.tron File Extension' Ransomware’s attack is not easy due to the lack of a free decryptor. The best victims can do is to get rid of the file locker’s files by using a trustworthy anti-virus software suite that will identify and eradicate all corrupted files brought by the ransomware. Unfortunately, this will solve only half of the problem since you will still be left with a large number of decrypted files whose decryption is impossible. The only thing to do with these files is to keep them backed up so that you can use them in case a free decryptor is released.

Update November 5th, 2018 — '.adobe File Extension' Ransomware

The Dharma Ransomware variants have become very common in 2018, and the latest addition to the long list of file-lockers based on the Dharma project is called '.adobe File Extension' Ransomware. As you can probably guess, this ransomware has nothing to do with the software publisher Adobe – it is the product of anonymous cybercriminals who make money by extorting their victims. The extortion happens thanks to the '.adobe File Extension' Ransomware, which is able to encrypt a huge number of files found on the compromised computer swiftly, therefore making it impossible to access their contents. Unfortunately, the '.adobe File Extension' Ransomware uses a secure file-encryption method, which ensures that its victims cannot get their files back for free.

It is likely that the '.adobe File Extension' Ransomware is being propagated with the use of fraudulent emails, which are designed to appear as if they were sent to the victim by a legitimate company or institution. Usually, these emails contain a file attachment, which is said to be important but, in reality, it is a harmful file meant to execute the '.adobe File Extension' Ransomware.

When this ransomware is launched, it will not reveal its activities and presence immediately, therefore giving it a few minutes to complete the attack, which includes:

Encrypting a broad range of files – documents, photos, videos, songs, spreadsheets, archives, databases, backups and others.
Renaming the locked files by using the extension ‘.id-[VICTIM ID].[badbusiness@tutanota.de].adobe.’
Disabling the Windows System Restore.
Deleting the Shadow Volume Copies and the System Restore points

Following the advice of the '.adobe File Extension' Ransomware’s authors is a bad idea because they may ask you to send a significant amount of money to their Bitcoin wallet. Naturally, the attackers are anonymous, so there is nothing to stop them from taking the money of their victims without providing them with anything in return.

If you are a victim of the '.adobe File Extension' Ransomware, you should use a trustworthy anti-virus tool to dispose of the corrupted files immediately. However, removing the '.adobe File Extension' Ransomware will solve only half of your problems because you will still need to find a way to get your files back – via backup or 3rd-party data recovery software whose success is questionable.

Update November 11th, 2018 — '.back File Extension' Ransomware

The '.back File Extension' Ransomware is a new version of the Dharma Ransomware, which conducts file-locking attacks using encryption. After blocking your media, the Trojan delivers ransom notes with instructions on buying the criminal's help, although the users should restore from backups, instead, if possible. Anti-malware products can protect your files and PC by uninstalling the '.back File Extension' Ransomware or identifying and halting it during the installation routine.

Former USSR Satellites Turning into Extortion Victims

The modern history of Ransomware-as-a-Service has a close and unique relationship with both Russia and the nations near it, such as Kazakhstan and Armenia. It's the latter country that's the current focus of a campaign by the '.back File Extension' Ransomware, which is a new release for the Dharma Ransomware family. While its infection strategies are likely of being opportunistic instead of using geo-targeting, this file-locker Trojan shows that no nation, big or small, is out of the RaaS industry's shadow.

The '.back File Extension' Ransomware and other Dharma Ransomware builds, like the '.cccmn File Extension' Ransomware, the icrypt@cock.li Ransomware, the 'paydecryption@qq.com' Ransomware, and the old 'wisperado@india.com' Ransomware, leverage AES and RSA data encryption against the victim's media. This feature searches for and locks content that includes various formats of general use in both business and casual environments for Windows users, especially documents, pictures, and other visual or audio media. As per its name, the locking process also includes appending a second extension and some ransoming details, although this side effect has no direct correlation with the encryption that keeps the files from opening.

The ID and e-mail that also are part of the filenames are for, in conjunction with the 'wisperado@india.com' Ransomware's TXT-formatted ransoming instructions, promoting the threat actor's decryptor. Such services may or may not provide the unlocking assistance that they promise, and victims should be cautious of the risks of fraud, especially when they're trafficking in cryptocurrency or voucher-based transactions.

Getting Back What's Yours without Paying for It

The modern version of the Dharma Ransomware and its original ancestor, the Crysis Ransomware, is secure against any attempts at developing a free decryption program that the public could use effectively, instead of paying the ransom. Because decryption is, often, impossible, you can stop file-locker Trojans from doing damage to your media most easily by saving backups on other devices. Local backup resources, especially Windows defaults like the Shadow Volume Copies, are targeted for removal by these same threats nearly universally.

Although the '.back File Extension' Ransomware's family remains Windows-based, malware researchers haven't narrowed down its possible infection vectors to any single, definite exploit or infection vector. Threat actors could be breaking into servers by brute-forcing their logins, taking advantage of unsafe RDP and firewall settings, or using exploit kits for compromising PCs through their browsers. However, many anti-malware applications are viable for removing the '.back File Extension' Ransomware and its close relatives, in most cases, before the encryption ever starts.

The '.back File Extension' Ransomware's victims being Armenian may be meaningful data for estimating its favored targets or a statistical anomaly. Hints about the rest of this Trojan campaign's behavior and that of the rest of the Dharma Ransomware family may be appearing around the world, soon.

Update November 30th, 2018 — 'audit@cock.li' Ransomware

The 'audit@cock.li' Ransomware is a new variant of the Dharma Ransomware family, but the only changes it includes are a different file extension to mark the locked files, as well as a different email address for contact. When the 'audit@cock.li' Ransomware completes its attack, it will render a large number of documents, videos, photos, archives, songs and other files inaccessible. In addition to this, the names of the encrypted files will be modified to include the ‘.id-.[audit@cock.li].risk’ extension. Last but not least, the 'audit@cock.li' Ransomware will provide the victim with data recovery instructions by dropping the file ‘FILES ENCRYPTED.txt.’

’All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail audit@cock.li
Write this ID in the title of your message 3A4E114C
In case of no answer in 24 hours write us to theese e-mails:audit@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.’

The executable file responsible for the 'audit@cock.li' Ransomware’s execution may be spread via fake email messages, which are designed to look as if they were sent by a legitimate company. Often, the email message may urge the user to download a file attachment or an external file that may look safe, but it is meant to execute the 'audit@cock.li' Ransomware and begin the file-encryption attack.

Unfortunately, recovering from the 'audit@cock.li' Ransomware’s attack for free is not possible for the moment due to the secure method used to store the unique encryption key generated for each victim. The operators of the 'audit@cock.li' Ransomware are the only ones in possession of the key in question. Although their ransom message (found in ‘FILES ENCRYPTED.txt) may tell you that you can obtain the decryption key and decryptor in exchange for a ransom payment, we assure you that you should not trust the perpetrators of the attack. Ransomware operators are certainly not known for their honesty, and it is highly possible that the 'audit@cock.li' Ransomware’s authors might trick you if you pay them. Instead of trying to negotiate with ransomware authors, you should use an up-to-date PC security tool to eliminate the harmful files immediately, and then look into alternative file restoration options.

Update December 5th, 2018 — 'admin@decryption.biz' Ransomware

The Dharma Ransomware’s popularity in the last months of 2018 does not appear to be dying out, and malware researchers continue to identify new file-lockers that are based on the Dharma Ransomwarecode. The latest member of the Dharma family is called 'admin@decryption.biz' Ransomware, and it uses the same old file-encryption algorithm, which may be impossible to decipher currently. The only people able to recover files locked by the 'admin@decryption.biz' Ransomware may be the authors of the ransomware but, unfortunately, they are not willing to do this for free.

When this file-encryption Trojan is initialized, it may encrypt the contents of images, videos, documents, archives, spreadsheets, and many other file formats immediately. All the locked files may have the ‘.id-.[admin@decryption.biz’.bkpx’ extension added to their names. Last but not least, the 'admin@decryption.biz' Ransomware will provide the victims with a detailed ransom note, which explains the situation and urges the victim to contact he attackers and complete the ransom payment.

The bad news is that recovering from the 'admin@decryption.biz' Ransomware’s attack is nearly impossible unless you have a backup copy of all your data. Contacting the attackers is not recommended because they may trick you easily even if you meet all their demands. If you are a victim of the 'admin@decryption.biz' Ransomware, then we advise you to ignore the demands of the attackers, because it is way too easy for them to lure you out of your money. You should rely on a reputable anti-virus product to get rid of the 'admin@decryption.biz' Ransomware, and then you should look into alternative data recovery options.

Update December 14th, 2018 — 'skynet45@tutanota.com' Ransomware

The 'skynet45@tutanota.com' Ransomware file-locker has been identified as a member of the Dharma Ransomware family and, sadly, this means that it is not compatible with free decryption utilities. Some of the oldest Dharma variants can be decrypted for free, but this is not the case with recent updates like this one, and we would advise the victims of the 'skynet45@tutanota.com' Ransomware to look for alternative data recovery options.

It is likely that the harmful file that brings the 'skynet45@tutanota.com' Ransomware is being distributed via fake e-mail messages that try to lure the users into downloading a file attachment that has been dressed up as an important and harmless document. Unfortunately, the users who fall for this trick may end up compromising their computer’s safety and start the 'skynet45@tutanota.com' Ransomware unknowingly. This process may lead to the loss of many files since this file-encryption Trojan is programmed to encrypt the contents of images, documents, videos, archives, spreadsheets, presentations, Adobe files, and many other commonly used file types. The victims of the 'skynet45@tutanota.com' Ransomware will have no trouble recognizing the encrypted files because the Ransomware will add the ‘.combo’ extension to their names.

The last stage of the 'skynet45@tutanota.com' Ransomware’s attack leaves the ransom note ‘FILES ENCRYPTED.txt,’ which contains file decryption instructions and payment details. Unfortunately, the crooks behind the 'skynet45@tutanota.com' Ransomware project demand a hefty ransom payment in exchange for their services. However, you should consider accepting their offer because it would be a child’s play for them to take your , but you will not get a decryption service.

If you think that the 'skynet45@tutanota.com' Ransomware has taken your files hostage, then run an anti-virus program to identify and eradicate the harmful files immediately. When this is done, you should recover the locked files from a backup or look for alternative data recovery options if you do not have a backup copy of the files.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Dharma Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner*

* See Free Trial offer below. EULA and Privacy/Cookie Policy. * See Free Trial offer below. EULA and Privacy/Cookie Policy.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Information.hta

File name: Information.hta
Size: 13.63 KB (13639 bytes)
MD5: 16ccedd463222fbfa8b7e2678d892a7c
Detection count: 119
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: February 24, 2017

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\Inf.hta

File name: Inf.hta
Size: 13.64 KB (13641 bytes)
MD5: 1bf867566ccfc201dcf9688a9a21d80b
Detection count: 108
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: February 24, 2017

%WINDIR%\System32\inter2811_bandugan_1.exe

File name: inter2811_bandugan_1.exe
Size: 332.8 KB (332800 bytes)
MD5: 703c42e5456731444cf68cc27fdfbe96
Detection count: 56
File type: Executable File
Mime Type: unknown/exe
Path: %WINDIR%\System32
Group: Malware file
Last Updated: December 2, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe

File name: explorer.exe
Size: 224.3 KB (224308 bytes)
MD5: 674bfb3719ce1b9d30dd906c20251090
Detection count: 47
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: February 24, 2017

%APPDATA%\setap28.exe

File name: setap28.exe
Size: 310.58 KB (310581 bytes)
MD5: 1e1bf7697917466739cb5d8c9b31f7d3
Detection count: 44
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload(1)_c.exe

File name: Payload(1)_c.exe
Size: 214.32 KB (214322 bytes)
MD5: 7fb036338464c8dcf226c8b269227b65
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload2.exe

File name: Payload2.exe
Size: 338.19 KB (338197 bytes)
MD5: a9f94a2a8501bf15d8ac1eef95cce3e4
Detection count: 37
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload0.exe

File name: Payload0.exe
Size: 324.4 KB (324400 bytes)
MD5: 17bf92deca1953c6ebf2aafb5bf8ebf1
Detection count: 35
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

File name: Info.hta
Size: 13.93 KB (13931 bytes)
MD5: 6dddb8c4f20b570a0200beca9bb1f7f2
Detection count: 28
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: April 15, 2017

payload.exe

File name: payload.exe
Size: 386.04 KB (386048 bytes)
MD5: d1487253cee49b68aebae1481e34f8fd
Detection count: 26
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%SystemDrive%\Users\<username>\AppData\Roaming\Payload31.exe

File name: Payload31.exe
Size: 326.51 KB (326513 bytes)
MD5: db2a372dfcaa0dbba4aaff2eaeb5e516
Detection count: 21
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload30.exe

File name: Payload30.exe
Size: 343.3 KB (343308 bytes)
MD5: f6fafa7b9508f9f03ed6c8e4f43f3bb4
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload12.exe

File name: Payload12.exe
Size: 343.85 KB (343856 bytes)
MD5: d8f6ff36e853b4ea86b7d8b771ea2a89
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\payload_CHKS26_c.exe

File name: payload_CHKS26_c.exe
Size: 378.19 KB (378193 bytes)
MD5: 52d740c82f8d0437cf877d688c7a91a7
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payloadn_c.exe

File name: Payloadn_c.exe
Size: 344.06 KB (344064 bytes)
MD5: 8d88bb7595cc40e311740c9487684020
Detection count: 16
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload03.exe

File name: Payload03.exe
Size: 337.71 KB (337711 bytes)
MD5: cdc19024a2e99c62987dc2c29b7c4322
Detection count: 16
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\setap_c.exe

File name: setap_c.exe
Size: 506.2 KB (506209 bytes)
MD5: 72ec9b3d1079d3236481a626295a9bb6
Detection count: 15
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: December 7, 2016

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setap00.exe

File name: setap00.exe
Size: 235.86 KB (235860 bytes)
MD5: 5c2fda3a416193055cc02a6cc6876ca7
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016

%SYSTEMDRIVE%\Users\<username>\desktop\1801.exe

File name: 1801.exe
Size: 399.87 KB (399872 bytes)
MD5: 44d550f8ac8711121fe76400727176df
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\desktop
Group: Malware file
Last Updated: February 11, 2019

More files