Detailed Technical Analysis Report of PoisonFang Ransomware
Ransomware,Malware Analysis | 07/12/2018


Poison Fang Ransomware Overview

Recently, a security researcher found a new ransomware named “Poison Fang Ransomware”. According to its file information, this ransomware was created for academic research (educational) purposes, but ransomware is still ransomware.

It differs from other ransomware because it comes with extra bundled features: spreading techniques, downloading additional files, harvesting browser passwords, creating an IPC server, crypto mining, a hide-and-seek game, deleting volume shadow copies or system restore points, and finally encrypting the victim system and demanding a ransom. We discuss each of these techniques in detail below.

This ransomware appends the .FANG extension to the name of each affected file.

Once encryption is complete, it shows the ransom note UI on screen with several modules, including Mining, Play Game (free decryption of 2 files), and Pay Ransom.

The ransom note demands 1 BTC in exchange for decryption.

Even though this ransomware was created for academic research (educational) purposes only, anyone could misuse it after making some improvements, and it could then be spread via email spam, unprotected RDP configurations, fake updaters, exploits, etc.

Flow Chart

Technical Analysis of Poison Fang Ransomware

File Name: Poison.exe

MD5: E5631D61CD04AF0E8BB0E4DC252EACB6

SHA1: 22FC3BD9E234B78D1244B30E2BF3EC3864992DE9

SHA256: 60EC60033665F4DA6FD0D9BD0FEFD44897C68A94BC3F6C97CFA08FA6DDF7EED3

File Type: .EXE


Detailed Description of Poison Fang Ransomware with Screenshots

On execution, this ransomware first disables Windows Defender and creates or modifies the following registry entries:

HKLM\Software\Policies\Microsoft\Windows Defender

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect


Thereafter, it looks for security services on the system and tries to stop them with the net command (which ships with every Windows operating system).

As shown below, the creator of this ransomware used base64 encoding to hide the names of the security services.

Figure 1 Security Services Name in Base64 String

The following table lists the base64-encoded and decoded strings of the security services:

| Base64 Encoded String | Base64 Decoded String | Description |
| --- | --- | --- |
| U2VwTWFzdGVyU2VydmljZQ== | SepMasterService | Symantec Endpoint Protection |
| U21jU2VydmljZQ== | SmcService | Symantec Management Client |
| U05BQw== | SNAC | Symantec Network Access Control |
| bWNzaGllbGQ= | mcshield | McAfee On-Access Antivirus Scanner |
| d2luZGVmZW5k | windefend | Microsoft Windows Defender |
| bXNtcHN2Yw== | msmpsvc | Microsoft Protection Service |
| bXNtcGVuZw== | msmpeng | Windows Defender Core Service |
| c2F2c2VydmljZQ== | savservice | Sophos Antivirus |
| YXZlc2VydmljZQ== | aveservice | Avira GmbH AntiVir AVE Service |
| XCJhdmFzdCEgYW50aXZpcnVzXCI= | \"avast! antivirus\" | Avast Antivirus |
| aW1tdW5ldHByb3RlY3Q= | immunetprotect | Immunet Antivirus |
| ZnNtYQ== | fsma | F-Secure |
| YW50aXZpcnNlcnZpY2U= | antivirservice | Antivir Service |
| YXZndWFyZA== | avguard | Avira Free Antivirus |
| ZnBhdnNlcnZlcg== | fpavserver | F-PROT Antivirus system service |
| cHNob3N0 | pshost | Panda Host Service |
| cGF2c3J2 | pavsrv | Panda Antivirus Service |
| YmRzcw== | bdss | Bitdefender Scan Server |
| YWJtYWluc3Y= | abmainsv | ArcaBit Main Service |
| aWthcnVzLWd1YXJkeA== | ikarus-guardx | Ikarus Antivirus |
| ZWtybg== | ekrn | ESET NOD32 |
| YXZrcHJveHk= | avkproxy | G Data AntiVirus Proxy |
| a2xibG1haW4= | klblmain | Kaspersky Anti-Virus Service |
| dmJzZXJ2cHJvZg== | vbservprof | VirusBuster |
| Y2xhbWF2 | clamav | ClamAV antivirus |
| U0JBTVN2Yw== | SBAMSvc | Sunbelt Software Anti Malware Service |
| bmF2YXBzdmM= | navapsvc | Norton AntiVirus Auto-Protect Service |
| QVZQ | AVP | Kaspersky Internet Security |
| YmRhZ2VudA== | bdagent | Bitdefender Agent |
| YmR3eHRhZw== | bdwxtag | Bitdefender Wallet Agent |

 

As shown below, this ransomware stops the security services.

Figure 2 Process Tree
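For defenders, the encoded service list translates directly into a detection: decode the strings and look for hosts where net stop targets several of those services. The Python sketch below is an added example, not code from the sample or from the original analysis; the function names, the threshold of 3 and the (host, command line) records are assumptions constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Base64 strings copied from the table in this report.
ENCODED = """
U2VwTWFzdGVyU2VydmljZQ== U21jU2VydmljZQ== U05BQw== bWNzaGllbGQ= d2luZGVmZW5k
bXNtcHN2Yw== bXNtcGVuZw== c2F2c2VydmljZQ== YXZlc2VydmljZQ==
XCJhdmFzdCEgYW50aXZpcnVzXCI= aW1tdW5ldHByb3RlY3Q= ZnNtYQ== YW50aXZpcnNlcnZpY2U=
YXZndWFyZA== ZnBhdnNlcnZlcg== cHNob3N0 cGF2c3J2 YmRzcw== YWJtYWluc3Y=
aWthcnVzLWd1YXJkeA== ZWtybg== YXZrcHJveHk= a2xibG1haW4= dmJzZXJ2cHJvZg==
Y2xhbWF2 U0JBTVN2Yw== bmF2YXBzdmM= QVZQ YmRhZ2VudA== YmR3eHRhZw==
""".split()


def decode_service(b64):
    """Decode one entry; drop the escaped quotes the sample embeds; lowercase
    because Windows service names are case-insensitive."""
    return base64.b64decode(b64).decode("ascii").strip('\\"').lower()


SECURITY_SERVICES = {decode_service(s) for s in ENCODED}

# net.exe / net1.exe followed by "stop <service>", service optionally quoted.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)


def stopped_service(command_line):
    """Return the security service a command line stops, or None."""
    m = NET_STOP.search(command_line)
    if not m:
        return None
    name = (m.group(1) or m.group(2)).lower()
    return name if name in SECURITY_SERVICES else None


def hosts_to_alert(events, threshold=3):
    """events: iterable of (host, command_line) process-creation records.
    Returns {host: sorted services} for hosts where at least `threshold`
    distinct security services were stopped."""
    seen = defaultdict(set)
    for host, cmd in events:
        svc = stopped_service(cmd)
        if svc:
            seen[host].add(svc)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= threshold}


# Constructed sample records (not taken from the report's screenshots).
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Windows\System32\net.exe stop windefend"),
    ("WS-01", r"C:\Windows\System32\net1 stop windefend"),
    ("WS-01", r'"C:\Windows\System32\net.exe" stop "avast! antivirus"'),
    ("WS-01", r"net stop SepMasterService /y"),
    ("WS-02", r"net stop spooler"),   # not a security service
    ("WS-02", r"net stop ekrn"),      # single stop, below threshold
]

if __name__ == "__main__":
    for host, services in hosts_to_alert(SAMPLE_EVENTS).items():
        print(host, "stopped security services:", ", ".join(services))
```

Counting distinct services per host, rather than alerting on any single net stop, keeps routine administrative restarts from firing the rule.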

Kills the backup process

Thereupon, it kills onedrive.exe, disables the OneDrive file sync process, and tries to uninstall OneDrive from the system.

As shown below, it also deletes the Volume Shadow Copies and disables the system restore point on the system.

Figure 3 Kill OneDrive & Delete VSS / Recovery Option

Disables Other Security Components & Event Logs

As shown below, this ransomware then disables other security components of the Windows operating system (Windows Security Center, Windows Update, Background Intelligent Transfer Service, and Event Logs) with the help of the net command.

Figure 4 Disables Windows Security Component & Event Logs

Download Additional Components of Poison Fang Ransomware

As shown below, it first attempts to connect to its C&C server, whose address is base64 encoded; if the server is alive, it downloads the Fang.ico file into C:\Windows.

Thereafter, it creates a folder at the specific location C:\Windows\P0150N.

It then connects to its C&C server again and downloads the additional components of the Poison Fang service in archive format (Poisondrop.zip) into C:\Windows\P0150N.

Once the archive has been downloaded into C:\Windows\P0150N, it extracts the archive at C:\Windows\P0150N.

Figure 5 Download Poison Fang Additional Components

Figure 6 Extracted the Components of Archive Format

 

Uninstall & Install Poison Fang Service

Once the zip content is extracted, it attempts to uninstall and install the Poison Fang service on the victim machine with the help of installutil.exe (a command-line utility and trusted Microsoft application that allows users to install and uninstall server resources).

Figure 7 Installing & Uninstalling Poison Fang Service

 

Extracts the Credentials from the Browser

Once the service is started, it launches another process, PoisonBrowserExtractor.exe, which extracts credentials from the browser.

Figure 8 Poison Fang Process Tree

As shown below, this ransomware attempts to gather passwords from the Login Data (SQLite) file of Google Chrome and creates the tempDb in %temp%.

Figure 9 Gather Password From the Browser

Once the data is gathered, it attempts to transfer the data through a pipe channel in JSON format.

Figure 10 Sending Extracted Password

 

Spread via Hacking Facebook Account

 

While the ransomware service is running in the background, it tries to spread itself via Facebook by hacking the Facebook credentials, getting the list of all connected users, and sending them messages at timed intervals.

First, it sends the Watcher Friend Name and waits for 5 seconds.

Then it sends the following message: “I found this new degree planner and I would like to share it with you :”

Then it waits for another 3 seconds and sends the malicious link (hxxps://tinyurl[.]com/y7uugdlu) to the victim's Facebook friend.

Then it waits for another 1.5 seconds and sends another message (“Enjoy”).

As shown below, it also maintains logs of its activities.

Figure 11 Hack Facebook & Spread Itself

Once the Facebook user clicks on the link in the malicious message, it downloads a macro-enabled spreadsheet to the victim machine.

Figure 12 Spreadsheet with Macro Enabled

As shown above, the filename is written in Hebrew and means “General_technology_technology_description”.

When the Excel spreadsheet is opened, Microsoft Office opens it in protected mode by default.

Figure 13 Macros Are Disabled

Once the user enables the macro content, it downloads the drop file (Poison Fang Ransomware) to the victim machine.

As shown below, the macro code contains the Workbook_Open function, which means that the code inside Workbook_Open is executed when the Excel spreadsheet is opened.

Figure 14 Macro Code

As shown below, it saves the drop file into %Appdata%\Roaming\Microsoft\Windows\Template and also modifies the Chrome.Lnk file so that it points to the malicious chrome.exe (Poison Fang ransomware).

Figure 15 Malicious Chrome Path

 

Spread Via USB

While the service is running in the background, if the victim plugs a USB drive into the infected machine, this ransomware also tries to infect the removable media by downloading the Poison Fang ransomware onto it and writing an autorun.inf to the USB drive.

As shown below, the ransomware creator encoded the autorun.inf content with base64 encoding.

Figure 16 Spread Via USB

Following is the base64-decoded content of the autorun.inf:

 

[autorun]

UseAutoPlay=1

open=drop.exe

shell\open\command=drop.exe

shell\explore\command=drop.exe
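A check for removable media based on the decoded autorun.inf above, as an added example that is not part of the original analysis or of the sample: it parses the [autorun] section and reports the keys that launch an executable. The function names, the extension list and the benign sample are assumptions for illustration.

```python
import os
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Assumed list of launchable file types; extend to match local policy.
EXECUTABLE = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js|lnk)\b", re.I)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, tolerant of case,
    stray whitespace and comment lines."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """List (key, target) pairs that launch an executable from the media."""
    return [(key, value) for key, value in parse_autorun(text).items()
            if LAUNCH_KEY.match(key) and EXECUTABLE.search(value)]


def scan_volume(root):
    """Check one mounted volume root; returns findings for its autorun.inf,
    or an empty list when the file is absent or harmless."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                return autorun_findings(fh.read())
    return []


# autorun.inf content as decoded in this report.
POISONFANG_AUTORUN = r"""[autorun]
UseAutoPlay=1
open=drop.exe
shell\open\command=drop.exe
shell\explore\command=drop.exe
"""

# Constructed benign file for comparison: label and icon only.
BENIGN_AUTORUN = """[autorun]
label=Backup Drive
icon=drive.ico
"""

if __name__ == "__main__":
    for key, target in autorun_findings(POISONFANG_AUTORUN):
        print("launch entry:", key, "->", target)
```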

 

Mining Capabilities

This ransomware has mining capabilities: while the ransomware service is running in the background, it mines on the victim system.

Figure 17 Run Mining in Background

Figure 18 Mining Credentials

 

.Fang Extension

As shown below, this ransomware renames each affected file by appending the .Fang extension to its filename.

Figure 19 Encrypted File Extensions

File Extensions

This ransomware attempts to encrypt only files that match its extension criteria. Its list contains more than 175 file extensions:

.123,.3dm,.3ds,.3g2,.3gp,.602,.7z,.ARC,.PAQ,.accdb,.aes,.ai,.asc,.asf,.asm,.asp,.avi,.backup,.bak,.bat,.bmp,.brd,.bz2,.cgm,.class,.cmd,.cpp,.crt,.csr,.csv,.db,.dbf,.dch,.der,.dif,.dip,.djvu,.doc,.docb,.docm,.docx,.dot,.dotm,.dotx,.dwg,.edb,.eml,.fla,.flv,.frm,.gif,.gpg,.gz,.hwp,.ibd,.iso,.jar,.java,.jpeg,.jpg,.js,.jsp,.key,.lay,.lay6,.ldf,.m3u,.m4u,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mp3,.mp4,.mpeg,.mpg,.msg,.myd,.myi,.nef,.odb,.odg,.odp,.ods,.odt,.onetoc2,.ost,.otg,.otp,.ots,.ott,.p12,.pas,.pdf,.pem,.pfx,.php,.pl,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.ppt,.pptm,.pptx,.ps1,.psd,.pst,.rar,.raw,.rb,.rtf,.sch,.sh,.sldm,.sldx,.slk,.sln,.snt,.sql,.sqlite3,.sqlitedb,.stc,.std,.sti,.stw,.suo,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tbk,.tgz,.tif,.tiff,.txt,.uop,.uot,.vb,.vbs,.vcd,.vdi,.vmdk,.vmx,.vob,.vsd,.vsdx,.wav,.wb2,.wk1,.wks,.wma,.wmv,.xlc,.xlm,.xls,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.zip,.c,.py,.st

 

 

Remove Special Folders

As shown below, this ransomware removes the following folders from the system so that the victim can no longer access them.

Figure 20 Remove Special Folders

As shown below, accessing Documents throws an error message box.

Figure 21 No Longer Accessible

 

Checks for Internet Connection

As shown below, this ransomware checks for an internet connection; if there is no active connection, it waits for 10 seconds and checks again, and it also logs this activity.

Figure 22 Check Internet Connection

Collects Geolocation & IP Address

As shown below, this ransomware also collects the geolocation and IP address of the victim.

Figure 23 Collects Geolocation

Ransom Note UI with Different Tabs

Once the encryption has been completed, it shows the ransom note UI screen with different tabs.

As shown below, the ransomware creator demands 1 Bitcoin in exchange for decrypting the data, payable to the following Bitcoin address: Jtjoy2VeFRtseq4mTyHgtisaEqAT4Sidw

The note below clearly says that it also has keylogging capabilities, which we already discussed above.

Figure 24 Ransom Note

Clicking on the Miner tab shows the following screen, which warns the user that this ransomware will keep mining on the victim system until the ransom is paid to the ransomware creator. It also shows a progress bar with the time left.

Figure 25 Ransom Note Miner Note with Progress Bar

Clicking on the next tab (“Payment”) shows the following screen, which explains the payment procedure to a victim who has decided to pay the ransom to the ransomware creator.

This time the ransomware creator has adopted a new method of obtaining the ransom from the victim.

As per the ransom note, the victim first has to buy 1 BTC and add it to their personal wallet.

Thereafter, the victim has to share their Bitcoin wallet's private key with the ransomware creator.

Figure 26 Ransom Payment

Clicking on the next tab (“Payment”) shows the following screen. As per the ransom note, the victim can decrypt 2 files free of cost, but to do so they have to play a mini game: finding the secret file, which the ransomware drops at a random location.

Figure 27 Decrypt Files

As shown below, pressing the “START” button shows the following message box.

Figure 28 Are You Ready

Clicking the “OK” button opens Windows Explorer with a blue border, as described in the ransom note above.

Figure 29 Blue Border Far Away From the File

Clicking on the last tab (“About US”) shows the following screen, which contains the contact information of the ransomware creator.

The screen below clearly states that this ransomware was developed by Omer Cohen & Tal Porat.

The ransom note says that this software is for academic research purposes only, but ransomware is still ransomware, and this kind of ransomware motivates other bad actors.

The ransom note also contains a site link and the project supervisor's name and e-mail ID.

Figure 30 Poison Fang About US

 

 


IOC’s

Associated File Names & Hashes:


Associated File Paths:

C:\Windows\P0150N

 

Associated Registry:

HKLM\Software\Policies\Microsoft\Windows Defender

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

HKLM\Software\Policies\Microsoft\Windows\OneDrive

HKLM\Software\Microsoft\Windows NT\SystemRestore

HKCR\.fang

HKCR\.fang\DefaultIcon

HKLM\Software\Microsoft\Tracing

HKLM\Software\Microsoft\Tracing\poison_RASAPI32

HKLM\Software\Microsoft\Tracing\poison_RASMANCS

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

HKCU\Software\Policies\Microsoft\SystemCertificates\CA\Certificates

HKCU\Software\Policies\Microsoft\SystemCertificates\CA\CRLs


Associated Network Info

hxxp://victimblob[.]blob[.]core[.]windows.net/poisondrop/drop

hxxps://tinyurl[.]com/y7uugdlu


Tips to Prevent Viruses and Malware from Infecting Your System:

  1. Enable your popup blocker: Pop-ups and ads on websites are among the tactics most often adopted by cybercriminals and developers whose core intention is to spread malicious programs. So avoid clicking on uncertain sites, software offers, pop-ups, etc., and install a powerful ad blocker for Chrome, Mozilla, and IE.
  2. Keep your Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. By doing this you can keep your device free from viruses. According to the survey, outdated/older versions of the Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites, as they usually bundle additional software with their installer or stub file.
  4. Regular backup: Regular, periodic backups help keep your data safe in case the system is infected by a virus or any other infection. So always back up important files regularly to a cloud drive or an external hard drive.
  5. Always have an antivirus: Precaution is better than cure. We recommend that you install an antivirus like McAfee or a good malware removal tool.
