Spam, Unwanted Advertisements and Ransom Demands
Writes a potential ransom message to disk Show sources
| ransom_file | !#_RESTORE_FILES_#!.inf |
Persistence and Installation Behavior
Installs itself for autorun at Windows startup Show sources
| key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DECRYPTINFO |
| data | "C:\Users\user\AppData\Roaming\!#_RESTORE_FILES_#!.inf" |