Task, platform: score
Overview (overview): 10
Static (static): 10
3da65a0e61...0e.exe, windows7-x64: 10
3da65a0e61...0e.exe, windows10-2004-x64: 10
Ransomware...et.exe, windows7-x64: 8
Ransomware...et.exe, windows10-2004-x64: 8
Ransomware...er.exe, windows7-x64: 1
Ransomware...er.exe, windows10-2004-x64: 1
Ransomware/Cerber.exe, windows7-x64: 10
Ransomware/Cerber.exe, windows10-2004-x64: 10
Ransomware...ks.exe, windows7-x64: 1
Ransomware...ks.exe, windows10-2004-x64: 1
Ransomware...ER.exe, windows7-x64: 10
Ransomware...ER.exe, windows10-2004-x64: 10
Ransomware...er.exe, windows7-x64: 9
Ransomware...er.exe, windows10-2004-x64: 8
Ransomware...ey.exe, windows7-x64: 10
Ransomware...ey.exe, windows10-2004-x64: 10
Ransomware/Locky.exe, windows7-x64: 10
Ransomware/Locky.exe, windows10-2004-x64: 10
Ransomware/Matsnu.exe, windows7-x64: 7
Ransomware/Matsnu.exe, windows10-2004-x64: 3
Ransomware/Rex, ubuntu-18.04-amd64: 9
Ransomware...er.exe, windows7-x64: 1
Ransomware...er.exe, windows10-2004-x64: 1
Ransomware...92.exe, windows7-x64: 9
Ransomware...92.exe, windows10-2004-x64: 9
Ransomware...ll.exe, windows7-x64: 9
Ransomware...ll.exe, windows10-2004-x64: 3
Ransomware/eda2.exe, windows7-x64: 1
Ransomware/eda2.exe, windows10-2004-x64: 1
Ransomware/jigsaw.exe, windows7-x64: 10
Ransomware/jigsaw.exe, windows10-2004-x64: 10
Ransomware/mamba.exe, windows7-x64: 1

Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02-03-2024 20:19

Behavioral task: Sample (Resource)
behavioral1: 3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.exe (win7-20240221-en)
behavioral2: 3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.exe (win10v2004-20240226-en)
behavioral3: Ransomware/Alphabet.exe (win7-20240221-en)
behavioral4: Ransomware/Alphabet.exe (win10v2004-20240226-en)
behavioral5: Ransomware/Atom Payload Builder.exe (win7-20240221-en)
behavioral6: Ransomware/Atom Payload Builder.exe (win10v2004-20240226-en)
behavioral7: Ransomware/Cerber.exe (win7-20240221-en)
behavioral8: Ransomware/Cerber.exe (win10v2004-20240226-en)
behavioral9: Ransomware/EternalRocks.exe (win7-20240221-en)
behavioral10: Ransomware/EternalRocks.exe (win10v2004-20240226-en)
behavioral11: Ransomware/GLOBEIMPOSTER.exe (win7-20240215-en)
behavioral12: Ransomware/GLOBEIMPOSTER.exe (win10v2004-20240226-en)
behavioral13: Ransomware/GhostCrypter.exe (win7-20240221-en)
behavioral14: Ransomware/GhostCrypter.exe (win10v2004-20240226-en)
behavioral15: Ransomware/Golden Eyes - via unikey.exe (win7-20240221-en)
behavioral16: Ransomware/Golden Eyes - via unikey.exe (win10v2004-20240226-en)
behavioral17: Ransomware/Locky.exe (win7-20240221-en)
behavioral18: Ransomware/Locky.exe (win10v2004-20240226-en)
behavioral19: Ransomware/Matsnu.exe (win7-20240221-en)
behavioral20: Ransomware/Matsnu.exe (win10v2004-20240226-en)
behavioral21: Ransomware/Rex (ubuntu1804-amd64-20240226-en)
behavioral22: Ransomware/ShellLocker.exe (win7-20240220-en)
behavioral23: Ransomware/ShellLocker.exe (win10v2004-20240226-en)
behavioral24: Ransomware/Unlock92.exe (win7-20240221-en)
behavioral25: Ransomware/Unlock92.exe (win10v2004-20240226-en)
behavioral26: Ransomware/cryptowall.exe (win7-20240221-en)
behavioral27: Ransomware/cryptowall.exe (win10v2004-20240226-en)
behavioral28: Ransomware/eda2.exe (win7-20240221-en)
behavioral29: Ransomware/eda2.exe (win10v2004-20240226-en)
behavioral30: Ransomware/jigsaw.exe (win7-20240220-en)
behavioral31: Ransomware/jigsaw.exe (win10v2004-20240226-en)
behavioral32: Ransomware/mamba.exe (win7-20240215-en)

General
Target: Ransomware/Unlock92.exe
Size: 24KB
MD5: afe4fa37dbbe91319f0684bc9524e557
SHA1: db412ecb113e8f40781105af0d3dbc67760a9461
SHA256: 639f0ebcb2349caf7ab5f34e0d7c156db660f54f621fa9c2151c9f5795528670
SHA512: 83d7730a0213c98c4c9d5e8d195eab9c73362824d541df6e68e0106b409be756db4db2317f9ed2796de2e5bb86bdbf9195c0b8c6d91b8986df9ebe58c3603da7
SSDEEP: 384:TPDGsgnqFmaPJB4hWMhX5fLhMYQJtz0F92nudaTfrnnnwKPjDKcsujYcV6SUwJF9:DDGbQ/8WMN5frVF9qnnfPfZYcV6lw9b

Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (661) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Drivers directory (58 IoCs)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\keyvalue.bin (Process: Unlock92.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!!!!!!!!Êàê âîññòàíîâèòü ôàéëû!!!!!!!.txt (Process: Unlock92.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Discovers systems in the same network 1 TTPs 2 IoCs
pid | Process
2636 | net.exe
1656 | net.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2052 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1912 | Unlock92.exe
1912 | Unlock92.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1912 | Unlock92.exe
Token: SeBackupPrivilege | 2652 | vssvc.exe
Token: SeRestorePrivilege | 2652 | vssvc.exe
Token: SeAuditPrivilege | 2652 | vssvc.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 1912 wrote to memory of 2052 | 1912 | Unlock92.exe | 28
PID 1912 wrote to memory of 2052 | 1912 | Unlock92.exe | 28
PID 1912 wrote to memory of 2052 | 1912 | Unlock92.exe | 28
PID 1912 wrote to memory of 2236 | 1912 | Unlock92.exe | 30
PID 1912 wrote to memory of 2236 | 1912 | Unlock92.exe | 30
PID 1912 wrote to memory of 2236 | 1912 | Unlock92.exe | 30
PID 2236 wrote to memory of 2636 | 2236 | cmd.exe | 32
PID 2236 wrote to memory of 2636 | 2236 | cmd.exe | 32
PID 2236 wrote to memory of 2636 | 2236 | cmd.exe | 32
PID 1912 wrote to memory of 2436 | 1912 | Unlock92.exe | 35
PID 1912 wrote to memory of 2436 | 1912 | Unlock92.exe | 35
PID 1912 wrote to memory of 2436 | 1912 | Unlock92.exe | 35
PID 2436 wrote to memory of 1656 | 2436 | cmd.exe | 37
PID 2436 wrote to memory of 1656 | 2436 | cmd.exe | 37
PID 2436 wrote to memory of 1656 | 2436 | cmd.exe | 37
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware\Unlock92.exe (PID 1912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware\Unlock92.exe"
  - Drops file in Drivers directory
  - Drops startup file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\vssadmin.exe (PID 2052)
    Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
    - Interacts with shadow copies

  C:\Windows\system32\cmd.exe (PID 2236)
    Command line: "cmd" /C net view
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe (PID 2636)
      Command line: net view
      - Discovers systems in the same network

  C:\Windows\system32\cmd.exe (PID 2436)
    Command line: "cmd" /C net view \\QGTQZTRE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe (PID 1656)
      Command line: net view \\QGTQZTRE
      - Discovers systems in the same network

C:\Windows\system32\vssvc.exe (PID 2652)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads