Skip Navigation
BlackBerry Blog

Petya Returns as Goldeneye Strikes Germany

A new variant of the notorious ransomware Petya is back - again - and with yet another James Bond reference for a name: Goldeneye. Presumably from the same author of Petya, which was first seen in December 2015, and the Petya-Mischa combo, which hit users back in July 2016, Janus Cybercrime Solution’s latest creation is another step in the evolution of their ransomware-as-a-service expansion.

Petya is a form of ransomware that overwrites the master boot record (MBR) in order to block access to both the user’s files and operating system. Safe Mode access is also disabled. Once Petya executes, the user’s machine will crash, restart, and show a skull-and-crossbones animation before displaying a ransom note asking for payment in bitcoin (BTC) in order to decrypt the system.

VIDEO: Watch CylancePROTECT® do battle with live Goldeneye ransomware and block it, pre-execution.

VIDEO: CylancePROTECT vs. Goldeneye Ransomware

In this past week, the new Goldeneye ransomware variant has been seen for the first time, almost exclusively attacking hosts in Germany. Numerous organizations and enterprises have already been hit. Starting with a highly common infection vector, Goldeneye infects hosts via malicious email attachments. 

Here is one case that masquerades as a job application:

excel.png

Figure 1: Image Text Above Translates to: “Please activate the editing function to display this profile correctly.” 

(Translation Via Online Translation Engines).

Text displayed reads: “Bitte aktivieren Sie die Bearbeitungsfunktion um das Kompetenzprofil anzuzeigen.”

As with most malicious Microsoft Office documents, before the embedded macro can execute, user intervention is required. All MS Office documents since MS Office 2007 containing macros present a security warning to the user as default, so the malware author provides the text in the above image in an attempt to fool the user into clicking the “Enable Content” button.

 

enable content.png

Figure 2: Microsoft Office Document Displaying a Macro Warning

Once enabled, the macro executes using the Workbook_Open function. The macro itself is also obfuscated, using a series of DIM declarations to store the malicious code and script. As you can see in the below image, the DIM statements are randomly ordered and assembled in the correct order only once run.

This macro contains several large portions of code obfuscated in the same way, each assembling a portion of code:

macro_full.png

Figure 3: DIM Statement Displayed in Random Order Prior to Execution

Once this first stage of code assembly is completed, the main function of the macro assembles each of these large chunks into the malicious binary. Summing up to ~8,000 lines of code, this contains the Goldeneye PE payload. 

macro_end.png

Main Function Assembling and Executing Binary

This main function also contains the obfuscated code for creation of the Jscript object that will execute the payload. In the middle of this function is the code handling of the variable “AH2”. The first of which is the variable assignment obfuscated by using the concatenated results of the “Chr()” function. This function takes in raw ascii codes and translates them back to ascii text. The second use of the “AH2” variable also uses the obfuscation technique, and they both translate to:

Set AH2 = CreateObject(MSScriptControl.ScriptControl)
AH2.Language = Jscript

Once the malicious binary is assembled from the macro, it is executed using the “eval()” statement. This starts the next stage of Goldeneye: local file encryption.

How Goldeneye Encrypts Files

Similar to the Petya-Mischa combo, Goldeneye has the ability to encrypt files locally as well as overwrite the MBR. In Petya-Mischa however, Mischa’s encryption of local files only takes place in case of failure of the Petya MBR ransomware. In Goldeneye, the local files are encrypted before the MBR is overwritten, typically resulting in the system being hit by two doses of ransomware.

goldeneye ransom note.png

Figure 5: Goldeneye Ransom Note

Once the local files are encrypted, the Goldeneye ransom note appears for only moments before the MBR ransomware stage of Goldeneye overwrites the MBR, and restarts the machine to the usual fake “Check Disk” screen that is typical of Petya: 

chkdisk.png

Figure 6: Petya’s Fake Checkdisk Screen

Once restarted or allowed to complete, the infected machine then goes to the iconic skull and crossbones ascii art of classic Petya, this time in ‘gold’ (yellow) text, and then displays the MBR ransom note.

skullandbones.png

Figure 7: Updated Petya ‘Golden’ Skull and Crossbones Ascii Art

ransom address.png 

Figure 8: Goldeneye Ransom Note

Both the local file ransomware as well as the MBR ransomware come with a ransom of ~$1,000 USD. This is payable through the typical TOR address starting with “golden” and using bitcoin for anonymity.

paysite.png bitconin.png

Figures 8 and 9: Goldeneye Ransom Payment Options Screens

CylancePROTECT vs. Goldeneye Ransomware

Cylance’s Research team tested over 300 samples of the Goldeneye ransomware against our flagship endpoint protection product, CylancePROTECT. Our artificial intelligence based mathematical model was able to prevent the execution of Goldeneye right out of the gate, stopping it dead pre-execution. The Goldeneye ransomware was no match for our math based technology.

Watch CylancePROTECT go head-to-head with Goldeneye in this video created by our Research team.

To make things more challenging, we are not actually using the latest version of CylancePROTECT in our demo. Here, we demonstrate the predictive nature of Cylance by using a version of CylancePROTECT created a full year before Goldeneye was even released. You will see in the demo that the version of CylancePROTECT we are using was built in October 2015  - version 1.2.1320.56.

Ask yourself this: would you trust your existing security solution to keep you fully protected after not updating it for a year? What about a week?

Watch the video, and decide for yourself. 

Video Transcript

Demo System: Windows 7

CylancePROTECT Version: 1.2.1320.56 (1 year old build)

Demo 1: Goldeneye Executing on an Unprotected System

In this first demo, we used a ‘vanilla’ Windows 7 system without any sort of protection on it. As Goldeneye has typically been delivered via an extensive email campaign, we used an email delivery system to show the typical sequence of infection.

As you’ll see in the video, the attack begins with a seemingly innocent email being sent to the intended victim. Attached are several files, one of which is a spreadsheet. Before the user opens the spreadsheet to view the contents, they must first enable macros. When macros are enabled, a VBScript runs in the background to run the malicious Goldeneye executable.

Within a few seconds of the user enabling macros, the system will automatically reboot and Goldeneye will begin encrypting the MBR and the rest of the file system. The user is then given information on how to purchase the decryptor key. Goldeneye claims another victim.

Demo 2: Goldeneye Attempting to Execute on a System Protected by CylancePROTECT

Now that we’ve demonstrated what happen when Goldeneye executes on an unprotected system, let’s run through the same steps on a system protected by CylancePROTECT.

CylancePROTECT is configured with Script Control disabled. This is because we actually want to show you how CylancePROTECT fares against the Goldeneye dropper – not just the VBScript. Cylance’s Script Control would have prevented the VBScript from running in the first place.

In the video, we run through exactly the same steps as before on the unprotected system. However, this time, after enabling macros in EXCEL and allowing the VBScript to run, we see that instead of the user’s hard drive winding up encrypted, CylancePROTECT automatically quarantines the downloaded Goldeneye dropper file before it can execute.

With most legacy AV solutions, it may take days to weeks to provide signature protection against this specific attack. In the meantime, many users will become victims of the Goldeneye ransomware.

Even though the version of CylancePROTECT we’re using is one year old, it has completely prevented the VBScript from executing the Goldeneye dropper and has protected the system from this ransomware.

But don’t just take our word for it. If you’d like to try out CylancePROTECT in your environment, test it for yourself and let us know what you think. Contact a Cylance expert to get started.



Indicators of Compromise (IOCs):

Goldeneye SHA256 Hashes:

520c507b7f0343c612ed30844d470542a04560625651019db22dc7e516096255
71080f7b6ebb130affaebda2bc5c32d99779f019970405301385ffae896ad2e6
ea677e756966f221b622ca3a5a7e6c810e2491d1ead05b6712d6f90417f104e4
196c05948482a55d9b9f44c96b2390f1378acdfc214f46f3f8e0a7c1726362a7
7968f249fe3472931cc0795bcd951e88de6d0611395c7f2a436a30a563007ed8
7c8201efb2861bedffcc19eb91caef89c426bb4cb10dace6f13863a7a55f3396
48cad7d3696ea2c37d9f5b2744cc518d49209d5eb38744020c047c3179fae942
a07463f4165e41efc224d16498843533d293ff73f54eee1eddb26fca2b2433de
b5cf3676e56370d859f2d1f4a38978e7d55605efdcb6b992c9e95fc8e3e0ae87
929d8ebd6c1bd49e2103e9866b98a49c92f8fff7a456704977cf12196c7d7778
8b78d4122c571b391f7cce03d6e7de8c5cab4b2a1aec6adc2b72350a9051b2c1
b3b03935bc755e6444f907effa69d30b05ba994d67b7fe43bd12d5f2c1f8ed9b
5be3851cf4b63fcfbace4c967558f56350005c5b9413640bbacc9821acafc335
f0bb60343c08151e1cc2589a63ce2cb573dcf93181ae8228ffbcd4aaf06dd277
6b45d829035d916cc3c05f8150e1380832de243e5c2336fc6b50668dedc05b31
42a7b7e9e3943e5dc3c9139698bf0b455d37521094c5968b2eadb127c46afaf2
2a00ddfb883b40c9acff6dc35e52063b38663a17cd1f971c12ca675b2e11c774
bd49984c005a1d37bae0c4f600f29eff12841bec297b34458e228c5357ee6abf
0e0f72408d58405f9b09cc4f9dd828bd57e285bd3d099de7e36178a95114f070
1db193aeb389ad578cc0c3e6934b8f0d5e8683d1352437f78bfaaae53156ae5a
68eae10474f79966f74accb7487da30d673d6c5c1040a0ed5f58ae7860814981
e44adbd70a7f82a37e63d4cb1b18f1e0df3da2720062d914d1be695c555e5b7f
fc69b5f0a2bc6a83b226c5a1520eee973a46ece3479f14c61c1733e84d8bc369
e40ed47ace9afea91702ba6f70ba1bae0f3d0a6c3942c8dd218a59c2a09726f0
db847340786c8a949c80a78de4fb757dcdaace78717c3b1e59416948d5b508a0
cafa6fa8eb56c5a3cc34c2215618d30696493f191885021f35ae683265632751
10bf8972bc8de948aa7918461dd6bd1ab44349e563aa821cac4d1f32d633bb2e
2320d4232ee80cc90bacd768ba52374a21d0773c39895b88cdcaa7782e16c441
51db7151ea3e53376234d696ab3c17eaf532a839bb586eac5e58eaa4c89ec4f0
2bb64ef0c20168207d2133fd538d96e70b235dca640cccab512251c21eaf0889
c7ea3ed20a6934d13765b461ffa0bd493fa81c4b5f6ed26f8a4ec4152982731f
11fb0a42a14042fefce9b2879d93609faef5294507e93671f4056e939b91874f
d2dce1614d5d8e2b6d3aa5aba102ee5d360ff855848686385e8e7d133220937d
2f8579354b4ed65d292b15e64f91c9722d939587abf8d0cf4f695a4e370d5182
b1bf065e03d5faf74322d9ddda083a2f4c5d12f4d6080a791ec69ed0b709b3c8
cb4ba70ff52f16586033e5dc923754d493c8c897bd14848e9cb2417298790667
115be7d5d31c5494128cf7dd2ddb4eb1196f83cc95b1a118c97fbce89fd4b4a0
10ab73d8ecdc7d7d3ec01059347ce5e7aab5e3a8b64f0eea268fde044e806155
9c20d24705b3186ee6dd68d4291964b259b55c1b990a0e02099927580b4f3141
60d5b0c8a0815414badbb38a90abecd412105321cac0a6b71e5fc949d0e5d926
dc816988967417b79182c7691d6c882c38c9bc97ceee647ddf7075a811da52e6
0aa1bdad5b13decd65bed0514f0778d6ff9ba2337a5b5d4cdef1e84dd0b20b0c
0db3c3a5720792720d548c3b47f9eaac5d2d483a361a6ea40b26aac40e64ae66
051fa691b68b468e5a8862f05ebddcc83bcff6ddffeab143113ecd6625c96dd4
61c73c1610ff2c82e2d800ff2b0bbafa0d7d2460fb8fbf7358711eb5f559c26f
caa7ccdabc5738a149e14dc280008f736a2f8e67c80f501be2b49cb70e61b66c
45349981e919db14460cac23b290204903d4d6a7e13630f5069463d37fc0f2b7
75f5243ef823d8fcb924b16832e279bc89985bfb60ed439837548f68994619d2
5af79ce1172b27241374e0205453e56c5ddff1524337a8274f6ad3c756961ae3
9083aca9cc63f096e9580742a326424476f6757f668e1dc2beda8c7bc81e5dd3
5f3a07471409327d4dbc348d34601a8fbd5a0193a01750241af1021503d8bda9
e40a1a0ccb3bc30954416fddf4c5421cbd0d4ccc2f34a58fa4e648311a4068e8
6e59301b48103d96a9df61b033077fabb3fecb03a82a26995d1609681174afb7
936a1b72132d16b12e659c6c2a3371019486bfc579696c5612cc7555e40c1589
7f082e5c680716e934201461cbac987f169a64da1dd6108f506cdf4d4a87f833
871a331b9f92c7aeb97862d01f2c8cc92449ea06b1a62b0bed6e7add04046d53
c5dfdb1a2d55ad1f9218c3636448de9c899750a073e2e12206d33863b17d864c
fb58221d8d3c9b3ce61f47dea76c7ef70c9a68eaf685736f038638f5367c21ec
46461f829a51036bf143d5de6ce033a8be7000d6174e8a8f413ff38a08ba6628
5e90ec9900d87e36554eacb0ab45a797f5656edb0a010787ac7eac5b056e4e77
d31b1ada7c2a573624f10c542a69ed4b69d8ba63b933533213f1f1a9281b6b2f
82c74b02177b0f53ea5d16208d1f7ce5c90a945bc57396ac51c4a4baaded5a00
187bf89130622b170a51342405af0b911073da58434cbac0c0d86570f1002f67
9eb90ea2f55af7bc7cbb67290ec6d98272b63a597124637b3abedd24c5fd7e32
957dfa81b455c1a5e3584f88977e9a063d13fa4e85d7dedc1294529367677a3f
bcd8e3da91724796369a813fac4074674ac6cd37bf9306f536d745529a631803
7703805115f3614131961b1c709c6ba1ab6a2e2010c677fa822e16b134b02df6
aa777449e1deb36df600d8e16001d96bb82e756f125db2677c3f8469b4b61164
296f1738fbf1b1d27c56cacd2534cc61d056cd6fc61f2f3df609f6e001ebc2fa
cbc32680b9dc22714fd3cab27bf1069ee80e9f58deecd5cf04ae4c273b54fea8
4ad17b072dd6fbcbe6a3b10abf52a5ea26080dd3d96fbe4397488c46c8cee357
3e5e6f5b04757e7ca70b5103ec04b4c7914773357d5d728919f624d988c0321a
48caf5a32c2c8422c1abbc3c7f80d432b59db5c494cc21837189e1df361c7a10
2f211001f89cc71cbf29203999267c56aa68abb4208e604dabf7770c0070a7b5
9c081281e605d32fd2343efbecd08481d38e51aed8451baef3d866919d502a07
956fda741b03de19fb23afb24aee683b9ff441282f3f7b79d3e2d466d054aa8c
2dd153bc47f32a2c5b5e116fd146f986a4311d1da785c5fce7b5400fcba014a3
55ca2ce46d2a246cbc9dc504eb61e0a7a6767cbad958e0959762c3038d923ee5
138ef01b5df30d36770abde53a86f43593647ffabda13a2f95865380397b61f1
cd14894cb57a600606823fa9b6b8ed44cafabad805b4752f78790b888cdf0954
f079663117066b46d3f53d077d594e063d98bc4852d73f2279c4d9cfb25eff22
4e717ff0db9425b144d6be5e7152854652207b6b3dfcd914f1e8288830dde65c
c66e9d536e2b0a56bad088b92f44cdabb16ae6017e4eeae4eb0d194cbbb4eec0
6afa248e8392c28814eb26790fe5b338c6c980096e7619a3b2fa8d2799fb1097
30e8e179d8cdf77312322b3d9521c1ed664ae3ecd830a91538f3e09c92d8e108
deeecaa3a7866c3618ce4f21d0b98b6d7a174f741a8fb955b8161bde62f39da0
3daf8a25136eab32c126a73d2790afb0fe8d67d19cff30b0c1a6fc52afc0b0ad
421329327183608b7a2bf1bce83a839a1673e083ac9c86cb34d310cd9b1d4160
93935a4e927449ff728e963ad7d121956914b323658392207251e77b55b5e624
a0238dd66435c44cdb3e5ac361fa3ab59242b53fa26ebb917a9a9a7fd4a5987c
3ff2047460dd5261ce48c183151be33ee739fcf5bb2044a385560c2660c58304
239d93c3b7325666a0fc072791ad7b3d10d5862c57bee9d485d4e7b9a6feaea8
947768b85774ae11bd6487be74347b57069371c4c8e5a282410f201105b08ef4
6a876d1c0c9c67baeb6fbe4358bcfb58d95bffbdb5324496f14d39e2f9aa03a9
6d40cbac0065c7958d776bf27f6058c13dad43be7b381c035622acc8f15d7245
3feb336e6e4cab92765b8a4c79c039fd6b21c14642010210080fe9a0fdc3f1d0
21ebbe73b6ea5abaa6ef670dae7dc49618458522e856071a3455e5e80dbbe682
1bbef0d8934b6bd2190ada7e8d12cbfd1e3369edef129ffe619813915a93504b
e496359fb2d493daac6b9d7e6f0db670b7828e4a064a449f9c619c0440380ce5
a29819cc703e34cf89cc4f10b47296ff3d4164caec2ec6e053f4eff0ea14c16f
 
Goldeneye MD5 Hashes:

991a9fe9a76616699e29f909c7c5c3dc
d1efba25f4737556ccbff817c4684e81
22bd74b23c681a16e2390bcf69bba89c
7425d582473246b78d431b2709ce6734
e34600ef7ba677be5f805706a8d07bd8
ad79cb5828fba093134c35531f7c9215
e7dce8ecd38d550c231083c748ed9732
b32bf69955a36ac292e704b06ab044d9
234e5a2e704460060c0b7151b9530e76
b58d40537c54da4570c84571445c50bd
4da8dc9ca76bbbb81354b57aa165aac0
7236e770aeac15f237c9febc17ae64e4
6b160857daa1c515a12eff83513b7b9d
2c2f29cb501acf30db4d923904b6ac62
cbbb650fdf8bc1ceaa9407244f00f28b
dba35a3b30082d3f675b4082a168ecc8
cdb5f27da4cee39fc516beece0ca20ec
1554ada6364b9611e608575af9c46ba3
5c0382ec155f6a4dcf7777897e9e48c2
c65fab983e5f47e0d2eb74047b560b83
a20371dc3e0dd5fcdf9076ff591ceff5
bc5c7f3b583e2df16302825af4c235cc
4e80bbba8f88d751849c2ad231e7e3dc
af813168402e60cfdf7c78a0d70d86e9
7385a72641ca3e5c6bcb1e371f3c8b1f
da50fbc0552834869f467d5d3263b35c
8855dee52ba475c5287af576853a08f3
698c92594fc689c2b161daa5cbb5f445
e2ad29c71f3ce97601425cb538ebd041
97960518fac0ccfa080c668b1e1d6f7e
14dfbfca0a1f92263d0783739aa7532a
feb442aec8dc21abcdb49cd4d660cfa6
ae32d15a0f725a063831fa16bb4bab25
5364ebc5610fa7f87e218648cd832ccc
c2c9cd43ce5a6ef920778e5f66099edf
0aefc4d0b999557adb154af5f385d40b
83c7102a5067ecc9106b0ab6435feeec
17f4816ed0aa80b9cc559f26bdd5c09c
fde0ec504b4171218fdc25074d913887
8be9e8618a61c9052a916c1ec8095475
b231884cf0e4f33d84912e7a452d3a10
db18f4d58ea1406078a0ce3097455311
a4a98d88b8788020cc59e49753a04c7a
f1a858d35d42d5a57ef402121aced606
7b53ce64d575f0967130ca6f6dcd6b87
9207db63add726bf47f39f542187ed2d
51691037c4a521181494710ade1c7ff8
630a5e90257b3762f304e02368ab68ef
e6be88fd1942fca6de0c3adf7266e41f
0486775b5852fa55de45d080088dc189
5c123b6936b4bf0b29375fbf7411f5fd
a130d1b7ea18cf5be76e8fc76babfa08
911a54e80d925f88065a4c1aa205753f
baabdf9f58f8cbc482a47f10d95ae4be
3587e8f6c25c1f623951427dbbe57335
0c0ded5a76094db5fb47a5bf6b5168a7
4759d42b58a31d8563d5c3dcc0790467
66f54129ab00e04fe4ec1de65119df86
9e364db35a1cde6140d287143cef2c4f
9f35f48fb190be4257eb67ee5b12dadc
75649ec76079a925fffbeed3f31b40eb
10b438456d1085e776620a484379f5b9
a66a68cca92bcc8d8341fa42376d79ac
619d869e9503bb35ecc8515e69f01cb5
bc46dc609e94785c526b396236d6ca48
e1641c297d8c5d60f0f699f10f7a3b49
acc279b46d2e2dcb53bf7506a121b271
76c6659f71aedfdf8db573810160709d
a33399fd1a6586946658679e9b56888f
83322160d48b16602ae93c3cf161521a
0db960b5be45e5bd7ce143cef9e3ef06
fb81e7444838052a45c28d5af88a9dd2
26230a627d11766656e522007032e1b8
571502e5e49229bedc7159d7aaa9a29d
0119f6b5573f502c6259c2d9a90cae3f
42b581bc4e0c20202d44f7476e0899d0
b68d8bb4d7d119a717aea69320c1a597
07e8c721b6169741bf37b26f009e87e4
d8126f7fdfefb144b194230290670efe
f4e7d52e7ec7b3702fbaa00c2426f58f
8badc9fdc551e84c1a610cb8e8ce02a6
d7b7c0263b9827660536d56f0031dc06
19b06f1cb3da5182e6223a7c701ef879
2c219e996afb64954ccd792d38ae809e
2cf8960b838c4971b9f8cd939c2d90a1
7f05e7b9ef465ffacef3be8a070be489
56bca96efa93f11bc31e650b08ef3f30
0a79350220c915e79d161718a208343d
3b3697d6e087c26d02534158c55bd2b2
ea24f966619555245c821ab60e420595
abf084a4016e6cff2e56a1bc4f1873bb
8ae6f29cc144d8d17c330995c5441ebb
97fda4418069cc1a51b1d9ffc20b11ae
25625a587afb3a6518f384ffb8a4d058
7985c87a6dd3e791ca13fb7cf764249a
55da8ad4fa4cecc5e40ed19a2d3deb30
6cf778f34a104669ec4f640576588388
d3f7b820183dadb9731405216970b745
6a002eea2075ffa0bdca872ffa544a21
dd3fd44dae57b93d2f15b3a23c4b6604

Goldeneye SHA1 Hashes:

54197008baf7e50d9e3e3776bc53e59ca75c43a1
d7b43c71e8e126c46d57c2f5de5c5ffb0ef1481b
6098b3a242fe0ef6e9d99449245b75371ce936b7
958764cb5a5748711a6dbecf227a2cd307a7255d
7554438af2f6a323b41755e6ff487510592e6603
494cb85fea9f0f42d53cc9e5517acae81455cb9f
ed23c13bc41faf717bee8827d0d7000effaad42d
68571ea4dff73336f6c0329ee3f98df16274e0f1
b47630f887c06e059a8f2f34dcf142fb254f34b4
79130e360270449dd3da69f02424e1b34a941f11
e9b1ca9c548a790c2146c88fcb4b478ba4f89644
d05aafe3d18056d04740880d4100ce736117a19c
1531d7038ab9f4941730732d15ab617d574c30e2
9abcb88cf3b77923678b5e5d2b9661d7337e8e12
8b3747ac57b556117dccda4856d524985d7f3de9
098044e650cdb17f9a569edcc7d923cbeb092f79
ad949ffb61abb2162644a6921ef25f947a15d4b8
f6f3be1d9c20cf049f36f8ce01dd7c995bc6dfab
e85a2c96c38cc46b5f9220d18a3e874e7c7039d4
ea1d80bbd81904a22b2385c96ac16f85fee65c0a
f2cedff7f366254e8ee022f5bef19b33138f4916
ea142b9682e81fe520f9938e21656ea9e195b5ab
724266993c04e31a9e1cb0e760eff547b968e1ab
0b2c0dc4aacaced8a98b7771602755855e639f7b
b66876c67bc2169699a55030a17923f840f2f4cc
2928053abc53f3e6d5beb9ecd695e65b489cec96
83da0314e2cb89fd21d084c1462dee9e4659a079
2e2382c4fd60eae176abdedd7507d793b53263ff
c240043b4c2c6967df3666ddb53d0c759e3dc57c
09889894087323b4f9ac9512ec0e184095fc7cb8
1a0f22cc230c0231dd9167997792cffcfbeda7e4
45d7feed50c239e6f44c79984dfd19784a2d10f4
b2ec3b42a84ac09442f4c78c437282489e24c706
b3eaca92aac693904e295010526d4481151ec830
1f2cccee6e70b4fc279bf9a159bbdd2953898c22
2d667b894afada90310e932670418f34ca155037
4051420e93cda31e107d897b457bb82efe8ef256
5d1417841961c0414cd3624bc840d960c4fa6b54
cf81f00acded351e2f3531f915ec8c5890cd7c9e
5cfc87b40c79848a3e3ad07d30e5880270acf2f1
46790d76765ce1a5e01de1d619068670bd145a3b
daedcf065156b912c11aca5a668849ade94bc5ef
9d54614b9bca23b5e8a7f7e15e3e9450338e324f
357327e076d7261847ea55acc40754d18fe523fc
de06b07dc4215c440825e02fd69dd852b585f8fc
c9288e51c292e93f3b2d4705d99a5128bafc1ec3
75bc75ae58ec4984d86476eee9f520542d7c256b
2d7120ef4423b5b39df8a45ae6e0ed461c440b8f
355e3686e4dbe3238d5b221934ff5caea7af6987
2e2f0559d77e4daad69268ba58ae2cf12c47cb99
de257bcdd4ac079f44abae2e6e776ca6a08716d3
87441837d278f5586110abbbb21fc045ec92181a
03467c5e831d317bfc38d92208629f926861ea7a
ad290a75d9c9a38f4ac416ca2abcbee182ceed6e
a91b2e1fdc418edc43f16f70d9d9282b9443f24c
225a8c43041b889350d8a8cba5bafee91431a036
7982e7a445f16213e19393e845ac75f5947c194c
61a8f476e586c2238492f9cb0c726d91edb05c90
3ecd71c38a447137574ff94979b0ebd43aab7de6
9c4dd6f4313b62fb163326824579a9ffad17fde0
fdab60ae7211e7100114f06afdaa5df5ad45decb
4971ccd0daf81932f62c29264d7fd7861671c035
5f2e1a8b827bae72221f9f9c7f1339480dab20db
e1013592825622747bec40ab4dae5709e40d8eac
914c3d1aef910531619d57d18acce416787fb535
04bd86128ebc48dcdc36fa101e3b71fa854efc4c
bd0b612301ee843631f9a350917a7b690dbfd061
f83d3710d9c78fc792e2d588df7f25c5a64ed9ad
119f54487c1b71ff0eab9feacd71b0ddc9da730b
360783a252c1f004b7b82f815fcdb75daf68f777
17c12489129f016aee605e8813a8436b0482279b
db9384e6c8b4be285cbd083ff8750d7f122666a6
01866ca38b896abb1ed476258f01627b0e842a44
e5ce733ac5f0c784829a04292b3103428615bdba
3923b560b9fc00b36bed4d4cbb308b53b9b40eaf
d09574a6ee9a75faba460e5c1080730b800e102a
b7809637b12f34dd5b500f97cd4950bf34544ba0
534c52337006cb1c341d9468210828277a794798
5977e9c188f921ef1b0ddf0dc5402fb7a45df63a
a27873c3fb5d292109ab44e9d534276bd784f75c
176b2a9b4159b1c38554532564abe2292b0a9c0a
93fc5f95e8e96d73daed4b57e5912224759f9629
5a55ff57b608b544beb7783b27d19f140d5a1926
acf1e71a37c45018c3729a4410f5c0e685196cc6
6546e9171b61d1bc51a5a1a161b8c69f28cb6fb7
a4927799876b3e8189c44405b9b4bfe9346c934d
e617755a2504a912f13c077c6567f83f4ebe1199
917df70b9d3bbcbadb5fbff13e9bdcd0a7dfbfb4
62dfc954dc78975dc057df6460254b04e135ffa4
7df34fea6ef65c7f8b3346e948c69c6131b709eb
39b1370f8bb4ad2cf0c221a80a1b88af519cf564
ecf9c24902421ed00e53dd7537da7bb56f4a6d0a
836b07f203dc0f1466fd382116f4548ac9c241bd
b002b797966f9247d46b6a7888e39ee5b073b8f5
a587270226db34be191ce733ab50667a4d80e97f
7354ff3d47e6c041ecd6c6687fdb8c346b6481d5
9d3045f8cd145dae5fe0857b19a22ed479824193
62463db3b9064039463a188998ee54c635f4b2d2
4bbc55d60eb3a7103a3f6e57e91e8eab91a5cf31
efa92b80ed431e876fad859be713bd65072bf053

The Cylance Research and Intelligence Team

About The Cylance Research and Intelligence Team

Exploring the boundaries of the information security field

The Cylance Research and Intelligence team explores the boundaries of the information security field identifying emerging threats and remaining at the forefront of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.