I have a system with this ransomware. Looking on the internet, it seems that it's very similar to this: https://blog.cylance.com/cracking-ransomware#. I've spotted a few differences in my client's case: the random values in \ProgramData\svcfnmainstvestvs\stppthmainfv.dll are all numbers, and they don't look random.
Let me know if you need more information.
Yes, I noticed the fake DLL while debugging. I'm not sure what the numbers mean yet.
Thanks for the link to that article. I remember reading it before... this is starting to look a lot like a resurgence of that same ransomware perhaps. I saw almost everything the same when I was looking at it - I just am not experienced enough to have put the pieces together the same as they did.
Edited by Demonslay335, 07 June 2016 - 03:47 PM.