
Name: Casinomtgot
Type: Crypto Ransomware
Short Description: This Trojan usually arrives via Russian-language e-mails; once the link is clicked it encrypts files on the system.
Symptoms: Files become inaccessible, and attempting to open them produces a ransom demand.
Distribution Method: Spam e-mail, fake downloads.
More Details

The Trojan enters the system and starts executing from the following location:

%ProgramFiles%\Startup\[THREAT FILE NAME].exe

  1. After the link is clicked, the Trojan downloads and drops a file at:

%UserProfile%\Application Data\pic.bmp

  2. The Trojan then creates the following registry sub keys:

HKEY_CURRENT_USER\Software\Licenses\CLSID

HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks\Armadillo\CLSID

These keys are created so that the ransomware runs again after the device is restarted. The ransomware then scans the victim's entire PC; it does not encrypt every file but targets specific file types and encrypts them.

The Trojan encrypts files with the following extensions:

.1cd, .7z, .accdb, .arj, .cer, .csv, .db3, .dbf, .doc, .docx, .dt, .dwg, .gsf, .jpeg, .jpg, .key, .kwm, .mdb, .mov, .mpeg, .odt, .pdf, .ppsx, .ppt, .pptx, .psd, .rar, .rtf, .xls, .xlsm, .xlsx, .zip

Once encryption completes, the file's extension is changed. When the victim tries to open an encrypted file, a ransom is demanded. A readme.txt file is placed in the same location as the encrypted files; it contains the attacker's instructions for recovering them.
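As an added defender-side triage example (not code from the original page), the following Python checks an inventory of file paths and registry keys against the indicators listed above (the startup executable, the dropped pic.bmp, the two registry sub keys) and flags folders where readme.txt sits beside files carrying a targeted extension. The environment map, the sample inventory and the assumption that an encrypted file keeps its original name plus an added suffix are constructed here, not taken from the page.

```python
import fnmatch
import ntpath
import re

# Indicators copied from the Casinomtgot description above.
STARTUP_EXE_GLOB = r"%ProgramFiles%\Startup\*.exe"
DROPPED_BMP = r"%UserProfile%\Application Data\pic.bmp"
PERSISTENCE_KEYS = {
    r"HKEY_CURRENT_USER\Software\Licenses\CLSID",
    r"HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks\Armadillo\CLSID",
}
TARGETED_EXTENSIONS = {
    ".1cd", ".7z", ".accdb", ".arj", ".cer", ".csv", ".db3", ".dbf", ".doc", ".docx",
    ".dt", ".dwg", ".gsf", ".jpeg", ".jpg", ".key", ".kwm", ".mdb", ".mov", ".mpeg",
    ".odt", ".pdf", ".ppsx", ".ppt", ".pptx", ".psd", ".rar", ".rtf", ".xls", ".xlsm",
    ".xlsx", ".zip",
}

def expand(path, env):
    """Expand %VAR% tokens from a caller-supplied environment map, case-insensitively."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def match_artifacts(file_paths, registry_keys, env):
    """Return the paths and registry keys matching the startup, drop and persistence indicators."""
    exe_glob, bmp = expand(STARTUP_EXE_GLOB, env).lower(), expand(DROPPED_BMP, env).lower()
    hits = [p for p in file_paths
            if fnmatch.fnmatchcase(p.lower(), exe_glob) or p.lower() == bmp]
    wanted = {k.lower() for k in PERSISTENCE_KEYS}
    hits += [k for k in registry_keys if k.lower() in wanted]
    return hits

def folders_with_ransom_note(file_paths):
    """Folders (lower-cased) holding readme.txt beside files that carry a targeted extension.
    Assumption (the page does not name the new extension): encrypted files keep their name
    and gain an extra suffix, so the original extension is still visible inside the name."""
    by_dir = {}
    for p in file_paths:
        folder, name = ntpath.split(p)
        by_dir.setdefault(folder.lower(), []).append(name.lower())
    return sorted(folder for folder, names in by_dir.items()
                  if "readme.txt" in names and any(n.endswith(e) or e + "." in n
                                                   for n in names for e in TARGETED_EXTENSIONS))

# Constructed sample inventory (not from the page); "<suffix>" is a placeholder extension.
SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files", "UserProfile": r"C:\Users\alice"}
SAMPLE_FILES = [r"C:\Program Files\Startup\update.exe", r"C:\Users\alice\Application Data\pic.bmp",
                r"C:\Users\alice\Documents\readme.txt", r"C:\Users\alice\Documents\budget.xlsx.<suffix>",
                r"C:\Users\alice\Pictures\holiday.jpg"]
SAMPLE_KEYS = [r"HKEY_CURRENT_USER\Software\Licenses\CLSID",
               r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"]
```

The Armadillo sub key is also written by legitimate software protected with the Armadillo packer, so treat a registry hit on its own as weak evidence and weight the startup executable and ransom-note hits higher.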