$ analyze-threat Ransom:Win32/Cryptolocker!dha
Ransom:Win32/Cryptolocker!dha - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Ransom:Win32/Cryptolocker!dha
Classification:
 - Type: Ransom (ransomware: encrypts files and demands payment)
 - Platform: Win32 (Microsoft's designator for 32-bit Windows PE; many of the strings below are .NET assembly and resource names, and .NET assemblies are normally PE32 files regardless of the host's bitness)
 - Family: Cryptolocker (Defender's family label; the string set shows it covers many unrelated amateur ransomware builds that reuse the CryptoLocker name, not only the CryptoLocker that appeared in 2013)
 - Detection Type: Concrete (named-family signature rather than a generic or heuristic one)
 - Suffix: !dha (an internal Microsoft category suffix; the detection content listed below is static string matching, so do not read the suffix as meaning a sample was caught only by runtime behaviour)
 - Confidence: Very High
 - False-Positive Risk: Low (for the combined signature; individual entries in the string list are far too generic to use alone)

Concrete signature match: ransomware for the Win32 platform, family Cryptolocker (encrypts files and demands payment).

Summary:

Ransom:Win32/Cryptolocker!dha is a concrete (named-family) Defender detection. Despite the family name, the string set below is not limited to the CryptoLocker of 2013: it matches a broad collection of low-sophistication, largely .NET ransomware builds (artifacts such as hidden_tear.Properties, NoCry.pdb, LegionLocker4._0, Rasomware2._0.Properties.Resources, Ionic.Zlib and a series of *.Properties.Resources names), several of which borrow the CryptoLocker name in their ransom notes ("Your Computer Got Sniped by AcroWare Cryptolocker!", "Decryption Program for Cryptolocker", cryptolocker.exe), plus at least one PowerShell-scripted encryptor (cry.ps1 launched with -ExecutionPolicy ByPass and -Suffix '.locked' -RemoveSource). The shared behaviour: enumerate user documents (*.txt, *.odt, *.wps), encrypt them and append an extension such as .Encode, .Lock, .locked, .crypt or .chaos, drop a ransom note (Cryptolocker.txt, How To Decrypt Files.txt, READ_IT.txt, INFO.hta) demanding Bitcoin payment through a ProtonMail, Tutanota or cock.li contact address or a .onion site, and inhibit recovery by deleting Volume Shadow Copies (vssadmin.exe Delete Shadows /All /Quiet, wmic shadowcopy delete, sc delete VSS), disabling Windows recovery (bcdedit /set {default} recoveryenabled no) and deleting VHD backups (del /s /f /q C:\*.VHD). Some builds also loosen ACLs on the Documents folder before encrypting (icacls %USERPROFILE%\Documents\* /grant Everyone:F /T /C /Q), kill applications that hold files open (taskkill /IM mspub.exe /F), stop backup services (net stop BMR Boot Service /y), look up the victim's public IP (checkip.dyndns.org, ipinfo.io) or bundle credential-theft tooling (mimikatz_trunk.zip).
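The recovery-inhibition commands in the string list appear in eight spellings (vssadmin.exe vs vssadmin, Delete vs delete, /all /quiet vs /quiet /all, with and without a cmd.exe /c prefix), so a process-creation detection has to normalise case and tolerate argument order rather than match one literal. The following is an added example, not code from the original page or from Microsoft: it runs that detection logic over constructed Sysmon-style process-creation records (the log format, host names, paths and the escalation threshold are assumptions) and escalates a host when several distinct recovery-inhibition rules fire from the same parent process, since one vssadmin call may be an administrator but a burst of them from an unsigned download rarely is.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not real telemetry); the
# command lines reuse the exact variants that appear in the signature's string list.
SAMPLE_EVENTS = [
    r'2026-04-01T10:02:11Z host=WS-17 user=alice ParentImage=C:\Users\alice\Downloads\invoice.exe CommandLine="cmd.exe /c vssadmin.exe delete shadows /quiet /all"',
    r'2026-04-01T10:02:12Z host=WS-17 user=alice ParentImage=C:\Users\alice\Downloads\invoice.exe CommandLine="wmic shadowcopy delete"',
    r'2026-04-01T10:02:13Z host=WS-17 user=alice ParentImage=C:\Users\alice\Downloads\invoice.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    r'2026-04-01T10:02:14Z host=WS-17 user=alice ParentImage=C:\Users\alice\Downloads\invoice.exe CommandLine="cmd.exe /C icacls %USERPROFILE%\Documents\* /grant Everyone:F /T /C /Q"',
    r'2026-04-01T10:02:15Z host=WS-17 user=alice ParentImage=C:\Users\alice\Downloads\invoice.exe CommandLine="cmd.exe /C sc delete VSS"',
    r'2026-04-01T10:02:16Z host=WS-17 user=alice ParentImage=C:\Users\alice\Downloads\invoice.exe CommandLine="cmd.exe /c del /s /f /q C:\*.VHD"',
    # Benign look-alikes that must not fire: listing shadows, a normal icacls grant.
    r'2026-04-01T10:03:00Z host=WS-17 user=SYSTEM ParentImage=C:\Windows\System32\svchost.exe CommandLine="vssadmin list shadows"',
    r'2026-04-01T10:03:30Z host=WS-17 user=bob ParentImage=C:\Windows\explorer.exe CommandLine="icacls C:\share /grant bob:R"',
]

# (rule name, ATT&CK technique, pattern). Patterns are case-insensitive and do not
# pin the /all /quiet order, because the signature strings themselves vary in both.
RULES = [
    ("vssadmin_delete_shadows",  "T1490",     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",   "T1490",     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery", "T1490",     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("icacls_grant_everyone",    "T1222.001", re.compile(r"\bicacls\b.*?\s/grant\s+Everyone:F\b", re.I)),
    ("sc_delete_vss",            "T1489",     re.compile(r"\bsc(?:\.exe)?\s+delete\s+vss\b", re.I)),
    ("del_vhd_backups",          "T1490",     re.compile(r"\bdel\b(?:\s+/[sfq])+\s+\S*\.vhdx?\b", re.I)),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed key=value record into a dict; quoted values lose their quotes."""
    fields = {"timestamp": line.split(" ", 1)[0]}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def normalize(cmdline: str) -> str:
    """Collapse runs of whitespace so spacing tricks do not evade the patterns."""
    return " ".join(cmdline.split())


def detect(events: List[str]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match with enough context to triage it."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        cmd = normalize(ev.get("CommandLine", ""))
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"timestamp": ev["timestamp"], "host": ev.get("host", "?"),
                               "user": ev.get("user", "?"), "parent": ev.get("ParentImage", "?"),
                               "rule": name, "technique": technique, "cmdline": cmd})
    return alerts


def escalate(alerts: List[Dict[str, str]], min_rules: int = 2) -> List[str]:
    """Hosts where at least min_rules distinct rules fired from the same parent process."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["host"], a["parent"])].add(a["rule"])
    return sorted(f"{host} <- {parent}" for (host, parent), rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["timestamp"]} {a["host"]} {a["user"]} {a["rule"]} ({a["technique"]}): {a["cmdline"]}')
    print("escalate:", escalate(found))
```

The two benign records (a shadow listing and an ordinary icacls grant) produce no alert; the six malicious ones each hit exactly one rule, and because they share a parent the escalation step names that parent, which is the binary to pull for analysis.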

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat (PEHSTR_EXT entries from the signature). Defender is understood to evaluate these as weighted combinations against a threshold, so a single hit on a generic entry such as desktop.ini, .resources, .test, rundll32, *.txt or .locked is not a detection on its own and should not be lifted into a single-string YARA rule. Several entries carry a trailing digit (for example .sick2 beside .sick, Ransomware.exe2, Rasomware2.02), which looks like extraction debris rather than part of the literal string:
 - Advanced Ransi\Advanced Ransi\obj\Debug\Advanced Ransi.pdb (PEHSTR_EXT)
 - Your Computer Got Sniped by AcroWare Cryptolocker! (PEHSTR_EXT)
 - Advanced_Ransi. (PEHSTR_EXT)
 - Advanced Ransi.exe (PEHSTR_EXT)
 - YOUR COMPUTER GOT LOCKED (PEHSTR_EXT)
 - https://bitpay.com/pay-with-bitcoin (PEHSTR_EXT)
 - Cryptolocker.txt (PEHSTR_EXT)
 - Help to decrypt.txt (PEHSTR_EXT)
 - \SOFTWARE\Lucy (PEHSTR_EXT)
 - *.txt (PEHSTR_EXT)
 - /*.odt (PEHSTR_EXT)
 - /*.wps (PEHSTR_EXT)
 - Cryptolocker (PEHSTR_EXT)
 - .Encode (PEHSTR_EXT)
 - File.Lusy (PEHSTR_EXT)
 - key2.ico (PEHSTR_EXT)
 - Rasomware2.0 (PEHSTR_EXT)
 - AlbCry 2.0 (PEHSTR_EXT)
 - AlbCry.g.resources (PEHSTR_EXT)
 - How To Decrypt Files.txt (PEHSTR_EXT)
 - .Lock (PEHSTR_EXT)
 - Encryption Complete (PEHSTR_EXT)
 - Ransomware2.0 (PEHSTR_EXT)
 - Rasomware2._0.Properties.Resources (PEHSTR_EXT)
 - Your computer files have been encrypted (PEHSTR_EXT)
 - vssadmin.exe Delete Shadows /All /Quiet (PEHSTR_EXT)
 - .[Crimsonware@protonmail.ch] (PEHSTR_EXT)
 - INFO.hta (PEHSTR_EXT)
 - .jcrypt (PEHSTR_EXT)
 - .cryptshield (PEHSTR_EXT)
 - .birbb (PEHSTR_EXT)
 - ransom.Properties.Resources (PEHSTR_EXT)
 - Baddy.Resources (PEHSTR_EXT)
 - .baddy (PEHSTR_EXT)
 - Wrong.Hahaha. (PEHSTR_EXT)
 - Crapsomware.Properties (PEHSTR_EXT)
 - cryptolocker (PEHSTR_EXT)
 - KEY.cryptolocker (PEHSTR_EXT)
 - Recovery Information.txt (PEHSTR_EXT)
 - .WeSt Net Fake (PEHSTR_EXT)
 - ransom.jpg (PEHSTR_EXT)
 - @protonmail.com (PEHSTR_EXT)
 - .onion (PEHSTR_EXT)
 - Decryption Program for Cryptolocker (PEHSTR_EXT)
 - cryptolocker.exe (PEHSTR_EXT)
 - Please_Read.txt (PEHSTR_EXT)
 - @mail.com (PEHSTR_EXT)
 - .cring (PEHSTR_EXT)
 - deReadMe!!!.txt (PEHSTR_EXT)
 - .locked (PEHSTR_EXT)
 - Annabelle.exe (PEHSTR_EXT)
 - encrypted_sound.wav (PEHSTR_EXT)
 - .crypt (PEHSTR_EXT)
 - .HANTA (PEHSTR_EXT)
 - RSAKey.txt (PEHSTR_EXT)
 - .Encrypted (PEHSTR_EXT)
 - .encrypted (PEHSTR_EXT)
 - locked.zip (PEHSTR_EXT)
 - Ionic.Zlib (PEHSTR_EXT)
 - randomkey.bin (PEHSTR_EXT)
 - .RENSENWARE (PEHSTR_EXT)
 - .Crypted (PEHSTR_EXT)
 - .ncovid (PEHSTR_EXT)
 - /C sc delete VSS (PEHSTR_EXT)
 - kWYZrzIYZR.html (PEHSTR_EXT)
 - rdpunlocker1@cock.li (PEHSTR_EXT)
 - /C vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
 - covid.Properties (PEHSTR_EXT)
 - Encryption Completed (PEHSTR_EXT)
 - EncryptionNotComplet (PEHSTR_EXT)
 - .wnry (PEHSTR_EXT)
 - RECYCLER\__empty (PEHSTR_EXT)
 - System Volume Information\__empty (PEHSTR_EXT)
 - vssadmin.exe delete shadows /all /Quiet (PEHSTR_EXT)
 - /c vssadmin.exe delete shadows /quiet /all (PEHSTR_EXT)
 - @tutanota.com (PEHSTR_EXT)
 - .CrYpTeD (PEHSTR_EXT)
 - /c vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
 - READ_IT.txt.locked (PEHSTR_EXT)
 - Ransomware.dll (PEHSTR_EXT)
 - .test (PEHSTR_EXT)
 - .DARXIS (PEHSTR_EXT)
 - .DcRat (PEHSTR_EXT)
 - FridayProject.Properties (PEHSTR_EXT)
 - encKey.aes (PEHSTR_EXT)
 - SAYGOODBYE.exe2 (PEHSTR_EXT)
 - ___RECOVER__FILES__.heart.txt (PEHSTR_EXT)
 - .kanmani (PEHSTR_EXT)
 - \Heartbeat\keys.json (PEHSTR_EXT)
 - DECRYPTION_LOG.txt (PEHSTR_EXT)
 - .crypted (PEHSTR_EXT)
 - DECRYPT_ReadMe1.TXT (PEHSTR_EXT)
 - .hjgkdf (PEHSTR_EXT)
 - .NotStonks (PEHSTR_EXT)
 - DeletedFilesAmmount.txt (PEHSTR_EXT)
 - friendly.cyber.criminal2 (PEHSTR_EXT)
 - This computer has been hacked (PEHSTR_EXT)
 - .givemenitro (PEHSTR_EXT)
 - .deria (PEHSTR_EXT)
 - vssadmin Delete shadows /all /quiet2 (PEHSTR_EXT)
 - aaa_TouchMeNot_.txt (PEHSTR_EXT)
 - .amogus (PEHSTR_EXT)
 - del /s /f /q C:\*.VHD (PEHSTR_EXT)
 - window.bat (PEHSTR_EXT)
 - UnlockYourFiles.Login (PEHSTR_EXT)
 - UnlockYourFiles.Properties.Resources (PEHSTR_EXT)
 - V2._0.Properties2 (PEHSTR_EXT)
 - insane_uriel_by_urielstock_4.jpg (PEHSTR_EXT)
 - .kuru (PEHSTR_EXT)
 - .henry217 (PEHSTR_EXT)
 - desktop.ini (PEHSTR_EXT)
 - Executioner Ransomware (PEHSTR_EXT)
 - .Kern (PEHSTR_EXT)
 - Runcount.cry2 (PEHSTR_EXT)
 - checkip.dyndns.org (PEHSTR_EXT)
 - .dolphin (PEHSTR_EXT)
 - hidden_tear.Properties (PEHSTR_EXT)
 - .matryoshka2 (PEHSTR_EXT)
 - .Baphomet2 (PEHSTR_EXT)
 - bapho.jpg (PEHSTR_EXT)
 - yourkey.key (PEHSTR_EXT)
 - ipinfo.io (PEHSTR_EXT)
 - READ_ME.crypted.txt (PEHSTR_EXT)
 - vssadmin delete shadows /all /quiet & wmic shadowcopy delete (PEHSTR_EXT)
 - read_it.txt (PEHSTR_EXT)
 - .palestine2 (PEHSTR_EXT)
 - Rasomware2.02 (PEHSTR_EXT)
 - UrFile.TXT (PEHSTR_EXT)
 - .army (PEHSTR_EXT)
 - .arsium (PEHSTR_EXT)
 - Rasomware2._0 (PEHSTR_EXT)
 - friendly.cyber.criminal (PEHSTR_EXT)
 - .AES64 (PEHSTR_EXT)
 - Your computer has been infected2 (PEHSTR_EXT)
 - .rsjon (PEHSTR_EXT)
 - .jasmin (PEHSTR_EXT)
 - vssadmin delete shadows /all /quiet (PEHSTR_EXT)
 - READ_ME_PLZ.txt (PEHSTR_EXT)
 - .malki (PEHSTR_EXT)
 - LockScreen (PEHSTR_EXT)
 - .sick (PEHSTR_EXT)
 - warning.BackgroundImage (PEHSTR_EXT)
 - .firecrypt (PEHSTR_EXT)
 - .chaos (PEHSTR_EXT)
 - .DarkCry (PEHSTR_EXT)
 - @sigaint.org (PEHSTR_EXT)
 - Ransomware.exe2 (PEHSTR_EXT)
 - Stub.Properties.Resources (PEHSTR_EXT)
 - .DEDSEC (PEHSTR_EXT)
 - .deadsecure (PEHSTR_EXT)
 - NoCry.pdb (PEHSTR_EXT)
 - NitroRansomware. (PEHSTR_EXT)
 - .resources (PEHSTR_EXT)
 - .FancyLeaks (PEHSTR_EXT)
 - LegionLocker4._0 (PEHSTR_EXT)
 - protonmail.com (PEHSTR_EXT)
 - IMPORTANT READ ME.html (PEHSTR_EXT)
 - mimikatz_trunk.zip (PEHSTR_EXT)
 - vssadmin Delete Shadows /all /quiet (PEHSTR_EXT)
 - .Legion (PEHSTR_EXT)
 - Your important files videos, music, images, documents ... etc are encrypted with encryption (PEHSTR_EXT)
 - .fucking (PEHSTR_EXT)
 - decryptor.exe2 (PEHSTR_EXT)
 - RSA_Keys.pub (PEHSTR_EXT)
 - All of your files have been encrypted. (PEHSTR_EXT)
 - No files to FUCK. (PEHSTR_EXT)
 - READ_THIS_TO_DECRYPT. (PEHSTR_EXT)
 - RansomeWare.Form1.resources (PEHSTR_EXT)
 - rk-2.exe2 (PEHSTR_EXT)
 - /C icacls %USERPROFILE%\Documents\* /grant Everyone:F /T /C /Q (PEHSTR_EXT)
 - Test\READ_IT.txt (PEHSTR_EXT)
 - Your important files videos, music, images, documents ... etc are encrypted with encryption2 (PEHSTR_EXT)
 - YJSNPIL0cker (PEHSTR_EXT)
 - Message.txt (PEHSTR_EXT)
 - Tor\explorer.exe (PEHSTR_EXT)
 - bcdedit /set {default} recoveryenabled no (PEHSTR_EXT)
 - ranso4.jpg (PEHSTR_EXT)
 - .deltapaymentbitcoin (PEHSTR_EXT)
 - killer@killercom (PEHSTR_EXT)
 - unlock your files.lnk (PEHSTR_EXT)
 - what_happened_to_my_music.txt (PEHSTR_EXT)
 - files/alertmsg.zip (PEHSTR_EXT)
 - ro@tb@la@u.@eu@:1@53 (PEHSTR_EXT)
 - Your computer has been infected by a Ransomware (PEHSTR_EXT)
 - @tutanota.com  (PEHSTR_EXT)
 - \Windows\Temp\Magix.exe (PEHSTR_EXT)
 - video_pro_x.exe (PEHSTR_EXT)
 - /_/_/_/_/_/ (PEHSTR_EXT)
 - RansomwarePOC.covidblo (PEHSTR_EXT)
 - .porn.txt (PEHSTR_EXT)
 - Pussie Locker.pdb (PEHSTR_EXT)
 - $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length) (PEHSTR_EXT)
 - powershell -ExecutionPolicy ByPass -File (PEHSTR_EXT)
 - -Suffix '.locked' -RemoveSource (PEHSTR_EXT)
 - Readme_now.txt (PEHSTR_EXT)
 - cry.ps1 (PEHSTR_EXT)
 - /C kill.bat (PEHSTR_EXT)
 - biorain@protonmail.com (PEHSTR_EXT)
 - \Antivirus.bat (PEHSTR_EXT)
 - taskkill /IM mspub.exe /F (PEHSTR_EXT)
 - net stop BMR Boot Service /y (PEHSTR_EXT)
 - bcdedit /set {default} recoveryenabled No (PEHSTR_EXT)
 - Nominatus_ToxicBattery.pdb (PEHSTR_EXT)
 - vssadmin delete shadows /all /quiet && wmic shadowcopy delete && net users  (PEHSTR_EXT)
 - SOFTWARE\Malwarebytes\Ekati\ (PEHSTR_EXT)
 - /c vssadmin.exe delete shadows (PEHSTR_EXT)
 - .sick2 (PEHSTR_EXT)
 - ghostbin.com (PEHSTR_EXT)
 - HELP.txt (PEHSTR_EXT)
 - Payload.LockForm.resources (PEHSTR_EXT)
 - Crypto Locker\Payload\obj\Release\Payload.pdb (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
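Two things about this list are easy to get wrong when turning it into your own static triage: the generic entries (desktop.ini, .resources, rundll32, Ionic.Zlib) will hit almost any .NET program, and .NET assemblies store their user strings as UTF-16LE, so an ASCII-only grep for "How To Decrypt Files.txt" finds nothing in exactly the binaries this signature targets. The following added example (not the page's own code and not Microsoft's matcher) scores a hand-picked subset of the strings above with hypothetical weights and a hypothetical threshold, searching both ASCII and UTF-16LE, over two constructed fake binaries; the real VDM weights and threshold are not on this page.

```python
from typing import Dict, List, Tuple

# A hand-picked subset of the signature's strings with hypothetical weights (the real
# PEHSTR weights are not on this page). Generic .NET/Windows strings get 1; ransom-note
# text, recovery-inhibition commands and known ransomware source artifacts get more.
INDICATORS: Dict[str, int] = {
    "vssadmin delete shadows /all /quiet": 5,
    "bcdedit /set {default} recoveryenabled no": 5,
    "How To Decrypt Files.txt": 4,
    "Your computer files have been encrypted": 4,
    "hidden_tear.Properties": 4,
    "@protonmail.com": 2,
    "Ionic.Zlib": 1,
    "desktop.ini": 1,
    ".resources": 1,
    ".locked": 1,
    "rundll32": 1,
}
THRESHOLD = 8  # hypothetical; a real signature carries its own threshold


def find_strings(blob: bytes, indicators: Dict[str, int],
                 encodings=("ascii", "utf-16-le")) -> Dict[str, List[str]]:
    """Return {indicator: [encodings it was found in]}, case-insensitively.
    bytes.lower() only folds ASCII letters, which is exactly what UTF-16LE needs
    ('A\\x00' becomes 'a\\x00'), so one lowered copy of the blob serves both encodings."""
    hits: Dict[str, List[str]] = {}
    lowered = blob.lower()
    for s in indicators:
        found = [enc for enc in encodings if s.lower().encode(enc) in lowered]
        if found:
            hits[s] = found
    return hits


def score(blob: bytes, indicators: Dict[str, int] = INDICATORS,
          threshold: int = THRESHOLD) -> Tuple[int, bool, Dict[str, List[str]]]:
    """Weighted sum of matched indicators; flagged only when the sum reaches the threshold."""
    hits = find_strings(blob, indicators)
    total = sum(indicators[s] for s in hits)
    return total, total >= threshold, hits


def build_sample(strings: List[str], encoding: str) -> bytes:
    """Construct a fake binary body: a stub header, the strings in one encoding, padding."""
    body = b"MZ" + b"\x00" * 64
    for s in strings:
        body += s.encode(encoding) + b"\x00\x00"
    return body + b"\x90" * 32


# Constructed inputs, not real samples: a Hidden Tear-style .NET build stores its
# strings in UTF-16LE; a benign native program happens to contain the generic ones.
DOTNET_RANSOM = build_sample(["hidden_tear.Properties", "How To Decrypt Files.txt",
                              "vssadmin Delete Shadows /All /Quiet", ".locked", ".resources"],
                             "utf-16-le")
BENIGN_APP = build_sample(["desktop.ini", ".resources", "rundll32", "Ionic.Zlib"], "ascii")

if __name__ == "__main__":
    for label, blob in (("dotnet_ransom", DOTNET_RANSOM), ("benign_app", BENIGN_APP)):
        total, flagged, hits = score(blob)
        print(f"{label}: score={total} flagged={flagged} hits={hits}")
    print("ascii-only scan of the .NET sample:", find_strings(DOTNET_RANSOM, INDICATORS, ("ascii",)))
```

The .NET sample scores 15 and is flagged, the benign program scores 4 on generic strings alone and is not, and the ASCII-only scan of the .NET sample returns nothing, which is the failure mode an ad hoc strings-and-grep triage walks into.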
Known samples associated with this threat (SHA-256, date added):
 - 6aa4462ebef6c7eddf40e88f082e1f5c0f9df9ee3b6a845694397d8eb678b370 (04/01/2026)
 - ca66d96b074b784b8a3cbd9492053e56e2cb630ed1a929cfc94f412d7a54cc40 (04/01/2026)
 - bae676adf235b1ec80ef24c7db5531ce7ac1a3c74124bbe405e9f4c98d358624 (04/01/2026)
 - fe17f27ea3a8a8c0e02e9728779227c247b11753674d0552301283fca8d5c7fa (04/01/2026)
 - 9443b99b4839e7df78a09682c686ff54464d3edd9635bd05cf3c5e6211215c85 (04/01/2026)
Remediation Steps:
Isolate the host from the network immediately (pull the cable or quarantine it through EDR), but do not power it off or wipe it yet: capture volatile evidence first (memory, the process tree, the malware binary and any dropped scripts such as cry.ps1, kill.bat or Antivirus.bat), because several of these builds leave key material on disk (RSAKey.txt, RSA_Keys.pub, yourkey.key, encKey.aes, randomkey.bin, \Heartbeat\keys.json) that can make decryption possible without paying. Check whether recovery data survived before assuming it is gone: vssadmin list shadows shows remaining shadow copies, and bcdedit /enum shows whether recoveryenabled was set to No. Rebuild the machine from a known-good image rather than trusting an in-place antivirus clean of a ransomware host, then restore files from recent, verified backups. Because the string set includes credential-theft tooling (mimikatz_trunk.zip), account enumeration (net users) and a contact address naming RDP (rdpunlocker1@cock.li), treat every credential used on the host as compromised, reset it and hunt for lateral movement from that machine. Do not pay the ransom. Longer term: keep offline or immutable backups that vssadmin, wmic and del commands running as the user cannot reach, restrict PowerShell (these scripts rely on -ExecutionPolicy ByPass) and block execution from user-writable paths such as Downloads and \Windows\Temp, and run user awareness training on the delivery vectors.
=== END REPORT ===
This analysis was last updated on 04/01/2026.