badrabbit | 83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0

Resubmissions

24-11-2024 00:19

241124-amn9zazrdk 10

03-05-2024 16:55

240503-vffz8sec77 10

15-04-2024 14:29

240415-rtx9wsgf63 10

10-04-2024 15:57

240410-td2cqadc92 10

Analysis

max time kernel
48s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 16:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Computer Raper.exe
Size

85.4MB
MD5

bdb24ed9f869fcd462b316148514fc5b
SHA1

83935122b626378a3149e9036cd751514add4b52
SHA256

83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0
SHA512

12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611
SSDEEP

1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97

Score

10^/10

badrabbit chimera cryptolocker gandcrab mimikatz backdoor bootkit defense_evasion evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\e9470325\PZIUMRKN-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .PZIUMRKN The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/630bc4a4cec04c85 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAACKD08ELJ6uhyehuKwGSAvQ7xoMj/6JBcgK4CKkkiw36x/SpNDUBmdiVAYZulWqRRRfRMP3Cj598leBWOiwgltn6e0Q5QecVmRHI8/F8WoZJ0y92VI291312NzpjzZr1R48PsNLa2FN2cDoppvMGPSuHEVwlliXptgs1YttC7DLlQ1gYPIwgd5kL1jbnWNwpp47xY3SHMjx5kKLQyb7QostWhspLdhqIWBrYyN7BiUbvrCyhd5IkidbKBIXxQTDv6svMlhjrVDD0u/G+NGiAuX/nr2r8x/FDdD6qsv9VQGExQqFd0Ph5vXHU/L8oLbOg9axHEV8Ja3YWaGP/3CFOzChD2HrYl5H42BLxET/59jnxiEv5g+oGB7iwBlUjC0SWc7dxZ93PrS+8/d1wYYJ4XsI4qsJhBWnGsAJs3wanoVDHxWj9a7S2cjQn6cH9wMx8BQjnULJUTgLBZ0UwnpXzPCt2pLlYCkysGKmlUSJT3irr+uW/1bQWpLDRg6MGVcPocZkw6Cc9L5TkFhK623HIrVYM9oN/AvXJQa+CDX5Sr/tggwNxx7qvkhJoXc/4/PouLQEpY0InfxBpBM4MEJHQxl0GjAM3SHu774ImW+vWDfKCyMZE7LmXb/pTMhE1Fozpn+No3Sq/0YHVUBQrTAM213LhjBQwocrdli4nLSfhYvnLHVBnpECju2foRGYzvqpDU6jrK0rDBMMgpd7m4KmwPA2gX8yaZIG2eTBZWTKowKjdO8d7M/rMsJ12oJPGfor7ZxShPf/9TwsEvp4lR6+LqumdL5hAvnH/66mZzB99o/XBQ9wOpKVqZycgMztAgAxCdFAuEptaYx5KtwzgHhtPlp98hEeiY+dMSA2+7rUmxjTniJQuiPfs255vySHPN5mX72UPZMLB5mRM3M83UAPvyQ+Rfd/NICuuiEDqMkEqhH5I5yC7kHsdhI3/UJO/uo2BIZqxWgNo1cRRlruHKgpkJNje4EjQUU+wZA+mFtCPX2P7b9grfC06BHHxvFSUeOOvH0xP62AI3ZIzvdKjNfJT9xjvK4fxmgdxcesBLiLtK+75ROa5gIvFgJ3ptU2ZgcrgucqSYrKCXr4YxVy2U/MXHt369ABhhi7AiwTtkRrmp5xKs+CfX2NfAVOB8TDN1jAjiuclGmiqDSdv8lO+4etz+WTEpIefM3XHaCWzOzIVcUC22BCL04s4z74TmcwZ+xtWnHYuLqFGKdX4VMWa2fvF6XO+4iL9NBN4nxTo6zsa8o+AytEbiXb/5ZRp/4YcWn95G9HmMLnXRyBa9HQex5f0uLeKNNviq2KqaU164ueOD3NzqkWLw5rr3WqFGI5jbuQfuzHTQJBJjUq2Jm3neWK8VjLzIQbsVBZPnUobr3/7Wwu5e2/XdLYfE356vAO12v9JEP4r801Pgzo/OAT082FwSFt6/0Hwtt4gbrGUMs/+HBQlaYVjGLiZiaPVqYFpQhD4p2j3UuxEShquQCcxgki8BX1aaGlP2uCiLxsZvBF6nw8MOMSu6S8btck6CXgP0ktrd4iUpRjFW31UPKFvAqk+j7CsIjuCgLmJYxap1Y5rMUYgkjmsyTASxkpZwsPbMjJuewZYkslQqkrN5UBjI3otM/mC2O1D5fDEf7J9mvUTRd/bGmpBpG/Lbk7HgDOmHfDMDQF2AEScOQJDgd9S4jOjcTQIBTA6k7CpqpJJCJJK1v7lJyMCO5KHwRZDk0DaDUr08H5KIjvENcrLCjB5t5aVPm2W2qtn/l6v5aBxlevpJsmQlcW8l8Bxzqf/ublNrVf/C2c3Wrf3Mc8Edsu47/PA82VWrBHMFzRDR6qAxDlSiSWSxlwnsQb8SwKzUAXwPCCq/jzMPJTJzTTdYsZD0Acm1yMGrhtYfAaj/obn02wt5XwYU8NxzO86uYFGyKDz9IjaZ7N8A29TJhUVNdJSyqK62wFRAcpbH7GMnHZFEl9Cp44YaCVyHjQeH9ZkAeAfSzfJ5EQe37UF/tn2KD9vwhuUaaPjqSIwXcigQ2nMPjm3PjF/JAc4rVxWJcC910PSHH1c28x6o+4xnV271m6ZL+sDpXiy4piOz2PQWpuXaB7VHFTJw8zMeuxns080biWaea39BkF1j2f9wQygbq947UXujMlW1xipEX4TFYn0vEvX+iGXCMK3mDazZq9QdAxf80oEXsTogpev3g5v2+kM81CVsj+fx3j0uK8TeIbNsCAXs5RhqqxPnmP9Mh9sc/LZCeDmLFbxXoI= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDv9NTJKJDAAvWVpODTRXHIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJe9AOBiRq/MZtR+S3YLHImYeR2UfTP9ny+PM2LLzjXKP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoypS8C1f6lVjmT7qt4BOwwgTGwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/++QRe2kEznTbCqfrOdcnPBOVfcolLq8b/gmccCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/630bc4a4cec04c85

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Chimera 58 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	flow	ioc	pid	Process
File created		C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Crashpad\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Common Files\microsoft shared\ClickToRun\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jre-1.8\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Microsoft Office\root\Office16\1033\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
	27	ip-addr.es		Process not Found
	31	ip-addr.es		Process not Found
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
			2572	taskkill.exe
File created		C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jre-1.8\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jdk-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
	20	bot.whatismyipaddress.com		Process not Found
File created		C:\Program Files\Microsoft Office\root\Office16\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Java\jre-1.8\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML		AgentTesla.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/4712-59-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Birele.exe"	Birele.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023bdb-507.dat	mimikatz

Disables RegEdit via registry modification 4 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4152	netsh.exe
1136	NetSh.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP"	Annabelle.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	Computer Raper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	Dharma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	Annabelle.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e9470325.exe.07247F129D4BA3884371B6B94F4E1B0D12EFF1945C102E93E61AF0C456DD88B1	InfinityCrypt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e9470325.exe	explorer.exe

Executes dropped EXE 44 IoCs

pid	Process
3020	AgentTesla.exe
4712	HawkEye.exe
664	butterflyondesktop.exe
376	$uckyLocker.exe
1852	butterflyondesktop.tmp
4380	7ev3n.exe
2228	Annabelle.exe
2856	BadRabbit.exe
636	Birele.exe
3404	Cerber5.exe
2192	CryptoLocker.exe
2960	CoronaVirus.exe
4616	CryptoWall.exe
3300	DeriaLock.exe
2640	CryptoLocker.exe
3512	Dharma.exe
3252	Fantom.exe
2600	GandCrab.exe
4780	InfinityCrypt.exe
4328	Krotten.exe
5288	NoMoreRansom.exe
5388	NotPetya.exe
5500	Petya.A.exe
5572	PolyRansom.exe
5688	system.exe
5748	PowerPoint.exe
5876	sys3.exe
5920	JeIEAMgw.exe
5940	oucgUQYg.exe
5984	RedBoot.exe
5200	70AC.tmp
5560	nc123.exe
5192	mssql.exe
5524	RedEye.exe
5576	mssql2.exe
5252	8BE4.tmp
5744	PolyRansom.exe
852	JeIEAMgw.exe
5112	oucgUQYg.exe
5628	PolyRansom.exe
2572	PolyRansom.exe
5684	PolyRansom.exe
5468	PolyRansom.exe
5844	PolyRansom.exe

Loads dropped DLL 2 IoCs

pid	Process
1044	rundll32.exe
5188	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/636-124-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/636-133-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/files/0x000a000000023b9e-114.dat	upx
behavioral1/files/0x000a000000023bd4-447.dat	upx
behavioral1/memory/5984-490-0x0000000000A00000-0x0000000000C8E000-memory.dmp	upx
behavioral1/memory/636-592-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/5984-587-0x0000000000A00000-0x0000000000C8E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JeIEAMgw.exe = "C:\\Users\\Admin\\CkgcksAs\\JeIEAMgw.exe"	JeIEAMgw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JeIEAMgw.exe = "C:\\Users\\Admin\\CkgcksAs\\JeIEAMgw.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Roaming\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Roaming\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e9470325 = "C:\\Users\\Admin\\AppData\\Roaming\\e9470325.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucgUQYg.exe = "C:\\ProgramData\\MSYoogwM\\oucgUQYg.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucgUQYg.exe = "C:\\ProgramData\\MSYoogwM\\oucgUQYg.exe"	oucgUQYg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucgUQYg.exe = "C:\\ProgramData\\MSYoogwM\\oucgUQYg.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Roaming\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*9470325 = "C:\\Users\\Admin\\AppData\\Roaming\\e9470325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Roaming\\Birele.exe"	Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JeIEAMgw.exe = "C:\\Users\\Admin\\CkgcksAs\\JeIEAMgw.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JeIEAMgw.exe = "C:\\Users\\Admin\\CkgcksAs\\JeIEAMgw.exe"	JeIEAMgw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\CryptoLocker.exe"	CryptoLocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e947032 = "C:\\e9470325\\e9470325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*947032 = "C:\\e9470325\\e9470325.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oucgUQYg.exe = "C:\\ProgramData\\MSYoogwM\\oucgUQYg.exe"	oucgUQYg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\t:	Cerber5.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\b:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\y:	Cerber5.exe
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\e:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	bot.whatismyipaddress.com
27	ip-addr.es
31	ip-addr.es

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/5984-587-0x0000000000A00000-0x0000000000C8E000-memory.dmp	autoit_exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-3.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	AgentTesla.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-100.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-RTL.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\GetRename.ppt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.07247F129D4BA3884371B6B94F4E1B0D12EFF1945C102E93E61AF0C456DD88B1	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\5.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\30.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\15.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	AgentTesla.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\19.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\video_offline_demo_page2.jpg	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\avatar.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	AgentTesla.exe
File created	C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat	AgentTesla.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	AgentTesla.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt	AgentTesla.exe
File opened for modification	C:\Program Files\OptimizeImport.odt	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\hero.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	AgentTesla.exe
File created	C:\Program Files\Microsoft Office\root\Office16\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Hedge.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	AgentTesla.exe
File created	C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	AgentTesla.exe
File created	C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FR_Back_Landscape_Med_1920x1080.jpg	AgentTesla.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar	AgentTesla.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File created	C:\Windows\rescache\_merged\2229298842\3708605641.pri	LogonUI.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe
File opened for modification	C:\Windows\70AC.tmp	rundll32.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc	rundll32.exe
File created	C:\Windows\dllhost.dat	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5816	SCHTASKS.exe
5752	schtasks.exe
5784	schtasks.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
5908	vssadmin.exe
5004	vssadmin.exe
5556	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2572	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten.exe

Modifies registry key 1 TTPs 21 IoCs

Modify Registry

T1112

pid	Process
4316	reg.exe
3096	reg.exe
5792	reg.exe
5736	reg.exe
4008	reg.exe
1652	reg.exe
4144	reg.exe
1572	reg.exe
2120	reg.exe
5264	reg.exe
856	reg.exe
5628	reg.exe
2856	reg.exe
3420	reg.exe
4464	reg.exe
2780	reg.exe
5280	reg.exe
4960	reg.exe
2092	reg.exe
5140	reg.exe
3300	reg.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1044	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe
2600	GandCrab.exe
2600	GandCrab.exe
2600	GandCrab.exe
2600	GandCrab.exe
5572	PolyRansom.exe
5572	PolyRansom.exe
5572	PolyRansom.exe
5572	PolyRansom.exe
5188	rundll32.exe
5188	rundll32.exe
5744	PolyRansom.exe
5744	PolyRansom.exe
5744	PolyRansom.exe
5744	PolyRansom.exe
5628	PolyRansom.exe
5628	PolyRansom.exe
5628	PolyRansom.exe
5628	PolyRansom.exe
2572	PolyRansom.exe
2572	PolyRansom.exe
2572	PolyRansom.exe
2572	PolyRansom.exe
5684	PolyRansom.exe
5684	PolyRansom.exe
5684	PolyRansom.exe
5684	PolyRansom.exe
5468	PolyRansom.exe
5468	PolyRansom.exe
5468	PolyRansom.exe
5468	PolyRansom.exe
5844	PolyRansom.exe
5844	PolyRansom.exe
5844	PolyRansom.exe
5844	PolyRansom.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4616	CryptoWall.exe
1272	explorer.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	HawkEye.exe
Token: SeShutdownPrivilege	1044	rundll32.exe
Token: SeDebugPrivilege	1044	rundll32.exe
Token: SeTcbPrivilege	1044	rundll32.exe
Token: SeSystemtimePrivilege	4328	Krotten.exe
Token: SeDebugPrivilege	3252	Fantom.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	3300	DeriaLock.exe
Token: SeShutdownPrivilege	5876	sys3.exe
Token: SeSystemtimePrivilege	4328	Krotten.exe
Token: SeSystemtimePrivilege	4328	Krotten.exe
Token: SeShutdownPrivilege	5188	rundll32.exe
Token: SeDebugPrivilege	5188	rundll32.exe
Token: SeTcbPrivilege	5188	rundll32.exe
Token: SeBackupPrivilege	5100	vssvc.exe
Token: SeRestorePrivilege	5100	vssvc.exe
Token: SeAuditPrivilege	5100	vssvc.exe
Token: SeShutdownPrivilege	5712	shutdown.exe
Token: SeRemoteShutdownPrivilege	5712	shutdown.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5192	mssql.exe
2180	LogonUI.exe
2180	LogonUI.exe
5164	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 3020	2768	Computer Raper.exe	89
PID 2768 wrote to memory of 3020	2768	Computer Raper.exe	89
PID 2768 wrote to memory of 3020	2768	Computer Raper.exe	89
PID 2768 wrote to memory of 4712	2768	Computer Raper.exe	90
PID 2768 wrote to memory of 4712	2768	Computer Raper.exe	90
PID 2768 wrote to memory of 4712	2768	Computer Raper.exe	90
PID 2768 wrote to memory of 664	2768	Computer Raper.exe	91
PID 2768 wrote to memory of 664	2768	Computer Raper.exe	91
PID 2768 wrote to memory of 664	2768	Computer Raper.exe	91
PID 2768 wrote to memory of 376	2768	Computer Raper.exe	92
PID 2768 wrote to memory of 376	2768	Computer Raper.exe	92
PID 2768 wrote to memory of 376	2768	Computer Raper.exe	92
PID 664 wrote to memory of 1852	664	butterflyondesktop.exe	93
PID 664 wrote to memory of 1852	664	butterflyondesktop.exe	93
PID 664 wrote to memory of 1852	664	butterflyondesktop.exe	93
PID 2768 wrote to memory of 4380	2768	Computer Raper.exe	94
PID 2768 wrote to memory of 4380	2768	Computer Raper.exe	94
PID 2768 wrote to memory of 4380	2768	Computer Raper.exe	94
PID 4712 wrote to memory of 3020	4712	HawkEye.exe	89
PID 4712 wrote to memory of 3020	4712	HawkEye.exe	89
PID 2768 wrote to memory of 2228	2768	Computer Raper.exe	95
PID 2768 wrote to memory of 2228	2768	Computer Raper.exe	95
PID 2768 wrote to memory of 2856	2768	Computer Raper.exe	148
PID 2768 wrote to memory of 2856	2768	Computer Raper.exe	148
PID 2768 wrote to memory of 2856	2768	Computer Raper.exe	148
PID 2768 wrote to memory of 636	2768	Computer Raper.exe	97
PID 2768 wrote to memory of 636	2768	Computer Raper.exe	97
PID 2768 wrote to memory of 636	2768	Computer Raper.exe	97
PID 2768 wrote to memory of 3404	2768	Computer Raper.exe	99
PID 2768 wrote to memory of 3404	2768	Computer Raper.exe	99
PID 2768 wrote to memory of 3404	2768	Computer Raper.exe	99
PID 2768 wrote to memory of 2960	2768	Computer Raper.exe	100
PID 2768 wrote to memory of 2960	2768	Computer Raper.exe	100
PID 2768 wrote to memory of 2960	2768	Computer Raper.exe	100
PID 2768 wrote to memory of 2192	2768	Computer Raper.exe	101
PID 2768 wrote to memory of 2192	2768	Computer Raper.exe	101
PID 2768 wrote to memory of 2192	2768	Computer Raper.exe	101
PID 2768 wrote to memory of 4616	2768	Computer Raper.exe	102
PID 2768 wrote to memory of 4616	2768	Computer Raper.exe	102
PID 2768 wrote to memory of 4616	2768	Computer Raper.exe	102
PID 2768 wrote to memory of 3300	2768	Computer Raper.exe	235
PID 2768 wrote to memory of 3300	2768	Computer Raper.exe	235
PID 2768 wrote to memory of 3300	2768	Computer Raper.exe	235
PID 4616 wrote to memory of 1272	4616	CryptoWall.exe	104
PID 4616 wrote to memory of 1272	4616	CryptoWall.exe	104
PID 4616 wrote to memory of 1272	4616	CryptoWall.exe	104
PID 2192 wrote to memory of 2640	2192	CryptoLocker.exe	105
PID 2192 wrote to memory of 2640	2192	CryptoLocker.exe	105
PID 2192 wrote to memory of 2640	2192	CryptoLocker.exe	105
PID 2856 wrote to memory of 1044	2856	BadRabbit.exe	107
PID 2856 wrote to memory of 1044	2856	BadRabbit.exe	107
PID 2856 wrote to memory of 1044	2856	BadRabbit.exe	107
PID 2768 wrote to memory of 3512	2768	Computer Raper.exe	108
PID 2768 wrote to memory of 3512	2768	Computer Raper.exe	108
PID 2768 wrote to memory of 3512	2768	Computer Raper.exe	108
PID 636 wrote to memory of 2572	636	Birele.exe	205
PID 636 wrote to memory of 2572	636	Birele.exe	205
PID 636 wrote to memory of 2572	636	Birele.exe	205
PID 1272 wrote to memory of 3560	1272	explorer.exe	111
PID 1272 wrote to memory of 3560	1272	explorer.exe	111
PID 1272 wrote to memory of 3560	1272	explorer.exe	111
PID 2768 wrote to memory of 3252	2768	Computer Raper.exe	112
PID 2768 wrote to memory of 3252	2768	Computer Raper.exe	112
PID 2768 wrote to memory of 3252	2768	Computer Raper.exe	112

System policy modification 1 TTPs 46 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Computer Raper.exe
"C:\Users\Admin\AppData\Local\Temp\Computer Raper.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Roaming\AgentTesla.exe
  "C:\Users\Admin\AppData\Roaming\AgentTesla.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3020
- C:\Users\Admin\AppData\Roaming\HawkEye.exe
  "C:\Users\Admin\AppData\Roaming\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4712
- C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe
  "C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Users\Admin\AppData\Local\Temp\is-OGS5O.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-OGS5O.tmp\butterflyondesktop.tmp" /SL5="$B0042,2719719,54272,C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"
    3⤵
    - Executes dropped EXE
    PID:1852
- C:\Users\Admin\AppData\Roaming\$uckyLocker.exe
  "C:\Users\Admin\AppData\Roaming\$uckyLocker.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:376
- C:\Users\Admin\AppData\Roaming\7ev3n.exe
  "C:\Users\Admin\AppData\Roaming\7ev3n.exe"
  2⤵
  - Executes dropped EXE
  PID:4380
- - C:\Users\Admin\AppData\Local\system.exe
    "C:\Users\Admin\AppData\Local\system.exe"
    3⤵
    - Executes dropped EXE
    PID:5688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
      4⤵
      PID:5804
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:5816
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      PID:2876
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      PID:5116
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:3628
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:728
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        5⤵
        
        PID:5720
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:3248
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      PID:1884
- C:\Users\Admin\AppData\Roaming\Annabelle.exe
  "C:\Users\Admin\AppData\Roaming\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:2228
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5556
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5004
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5908
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5752
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1136
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5712
- C:\Users\Admin\AppData\Roaming\BadRabbit.exe
  "C:\Users\Admin\AppData\Roaming\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1820
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:3120
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3630754365 && exit"
      4⤵
      PID:5680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3630754365 && exit"
        5⤵
        Creates scheduled task(s)
        
        PID:5752
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:14:00
      4⤵
      PID:6032
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:14:00
        5⤵
        Creates scheduled task(s)
        
        PID:5784
  - - C:\Windows\70AC.tmp
      "C:\Windows\70AC.tmp" \\.\pipe\{723E2831-F566-4CCB-9B6E-220408FCF5F6}
      4⤵
      Executes dropped EXE
      PID:5200
- C:\Users\Admin\AppData\Roaming\Birele.exe
  "C:\Users\Admin\AppData\Roaming\Birele.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Chimera
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Users\Admin\AppData\Roaming\Cerber5.exe
  "C:\Users\Admin\AppData\Roaming\Cerber5.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:3404
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:4152
- C:\Users\Admin\AppData\Roaming\CoronaVirus.exe
  "C:\Users\Admin\AppData\Roaming\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Users\Admin\AppData\Roaming\CryptoLocker.exe
  "C:\Users\Admin\AppData\Roaming\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Roaming\CryptoLocker.exe
    "C:\Users\Admin\AppData\Roaming\CryptoLocker.exe" /w0000021C
    3⤵
    - Executes dropped EXE
    PID:2640
- C:\Users\Admin\AppData\Roaming\CryptoWall.exe
  "C:\Users\Admin\AppData\Roaming\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      PID:3560
- C:\Users\Admin\AppData\Roaming\DeriaLock.exe
  "C:\Users\Admin\AppData\Roaming\DeriaLock.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- C:\Users\Admin\AppData\Roaming\Dharma.exe
  "C:\Users\Admin\AppData\Roaming\Dharma.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe
    "C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe"
    3⤵
    - Executes dropped EXE
    PID:5560
- - C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe
    "C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5192
- - C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe
    "C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe"
    3⤵
    - Executes dropped EXE
    PID:5576
- C:\Users\Admin\AppData\Roaming\Fantom.exe
  "C:\Users\Admin\AppData\Roaming\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Users\Admin\AppData\Roaming\GandCrab.exe
  "C:\Users\Admin\AppData\Roaming\GandCrab.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe
  "C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Checks processor information in registry
  PID:4780
- C:\Users\Admin\AppData\Roaming\Krotten.exe
  "C:\Users\Admin\AppData\Roaming\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4328
- C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe
  "C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  PID:5288
- C:\Users\Admin\AppData\Roaming\NotPetya.exe
  "C:\Users\Admin\AppData\Roaming\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5388
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5188
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:59
      4⤵
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\8BE4.tmp
      "C:\Users\Admin\AppData\Local\Temp\8BE4.tmp" \\.\pipe\{23D00530-0DD6-432B-B21A-226BCD97B592}
      4⤵
      Executes dropped EXE
      PID:5252
- C:\Users\Admin\AppData\Roaming\Petya.A.exe
  "C:\Users\Admin\AppData\Roaming\Petya.A.exe"
  2⤵
  - Executes dropped EXE
  PID:5500
- C:\Users\Admin\AppData\Roaming\PolyRansom.exe
  "C:\Users\Admin\AppData\Roaming\PolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:5572
- - C:\Users\Admin\CkgcksAs\JeIEAMgw.exe
    "C:\Users\Admin\CkgcksAs\JeIEAMgw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5920
- - C:\ProgramData\MSYoogwM\oucgUQYg.exe
    "C:\ProgramData\MSYoogwM\oucgUQYg.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
    3⤵
    PID:5964
  - - C:\Users\Admin\AppData\Roaming\PolyRansom.exe
      C:\Users\Admin\AppData\Roaming\PolyRansom
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:5744
    - - C:\Users\Admin\CkgcksAs\JeIEAMgw.exe
        
        "C:\Users\Admin\CkgcksAs\JeIEAMgw.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:852
    - - C:\ProgramData\MSYoogwM\oucgUQYg.exe
        
        "C:\ProgramData\MSYoogwM\oucgUQYg.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
        5⤵
        
        PID:3732
      - C:\Users\Admin\AppData\Roaming\PolyRansom.exe
        
        C:\Users\Admin\AppData\Roaming\PolyRansom
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
        7⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Roaming\PolyRansom.exe
        
        C:\Users\Admin\AppData\Roaming\PolyRansom
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
        9⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\PolyRansom.exe
        
        C:\Users\Admin\AppData\Roaming\PolyRansom
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
        11⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\PolyRansom.exe
        
        C:\Users\Admin\AppData\Roaming\PolyRansom
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
        13⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\PolyRansom.exe
        
        C:\Users\Admin\AppData\Roaming\PolyRansom
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies registry key
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        Modifies registry key
        
        PID:5628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:5280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        Modifies registry key
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCgIcIUQ.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
        13⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies registry key
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKEowUMQ.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
        11⤵
        
        PID:5868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies registry key
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGoQUMIY.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
        9⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies registry key
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmkMQgEw.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
        7⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:5264
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:5792
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:5264
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmckEswY.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
        5⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2600
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1572
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOAAwMII.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
    3⤵
    PID:3316
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1004
- C:\Users\Admin\AppData\Roaming\PowerPoint.exe
  "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
    PID:5876
- C:\Users\Admin\AppData\Roaming\RedBoot.exe
  "C:\Users\Admin\AppData\Roaming\RedBoot.exe"
  2⤵
  - Executes dropped EXE
  PID:5984
- C:\Users\Admin\AppData\Roaming\RedEye.exe
  "C:\Users\Admin\AppData\Roaming\RedEye.exe"
  2⤵
  - Executes dropped EXE
  PID:5524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394e855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3933855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\OKZDdMvPhQTgQT5\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
1256187f769bdab6a1ee4358e33ae1ca

SHA1
eb8d9ac356d2950309d347bcde159bc850e20edf

SHA256
561052a6a90fd24cc699776ad449c949cba0ac6013d537ed8aef7e65312e0478

SHA512
6770889a2d480c326c4161e0e1ad1c9f59b4577d58c1a0229b23a1681972f9aacdac8ce5cc87de300bf6cf936ff0205ed3c5dd8e816391008be9db9b244764ce

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.07247F129D4BA3884371B6B94F4E1B0D12EFF1945C102E93E61AF0C456DD88B1

Filesize
32KB

MD5
4e1551ffec55d9ce0a7827462ba01b2f

SHA1
e6e7388df59111684d12e37820ec4d670a80703d

SHA256
866f1c8ab775674c0b208fd7fe8d2b1ae035b8f0eec08e838bcb1491a462015f

SHA512
6b578b50502b2b38a4f0cce433c2f520670064b40f8825fe4280d420c944061ab6be45bde471ac7388dad91efd59099998a467d6b2ad38bb9eced77867c282d6

Download Submit
C:\ProgramData\MSYoogwM\oucgUQYg.exe

Filesize
177KB

MD5
6c361ec0f12d808e4d06444253ed57b3

SHA1
1c77afba772ec23ea1501f363801a115801c1610

SHA256
158ff56e594081d64406c11d436741afdd8b1ffb7b5b6b88197fa33e689a5ad1

SHA512
7f16c06bbd46cc17a6c67915c6ef04e609bf5f52f7625117ab78bcb43b198c3d4042238b97d71939b2000589ef8ed9cf1bcbc39760ba36231afea953a4d560c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VmkMQgEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGS5O.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
45B

MD5
8fcca01e206307217ed9887f2f2f6d0b

SHA1
d1799bc509d781dd030834a3da1bcbe941ca979c

SHA256
b48d5d1e1f5adf9cc38025a94df37f3a41549cd08fd14cf0ace5d67d2bd14ac7

SHA512
6c8854439b9ff024c13edee933cef9d800e9d8c577e4335c70b1effa042a0bd8edafab03ba4801e9697fc43b72a9f347fb78dcd0749364711a6f92ca5ff50e8a

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
176277df5d93d5c4f052bb8167b1d061

SHA1
373b82d371b90d5f81efae36604a19431f50c4b4

SHA256
c334c19d66511f00f1de8783aed266279d97ef4d73638ac41fdd227411367677

SHA512
a92f2d070293fcc3b5a1fbf713ab6663f398bc76b34ecc9d212e3ee376ac9913e55119044bbcb571f40698300b69364855b6b9930162cf2763f93c79df25e04f

Download Submit
C:\Users\Admin\AppData\Roaming\$uckyLocker.exe

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\AppData\Roaming\7ev3n.exe

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\AppData\Roaming\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Roaming\Annabelle.exe

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
C:\Users\Admin\AppData\Roaming\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Roaming\Birele.exe

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Roaming\Cerber5.exe

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Roaming\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Roaming\CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\AppData\Roaming\CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\AppData\Roaming\DeriaLock.exe

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Roaming\Dharma.exe

Filesize
11.5MB

MD5
928e37519022745490d1af1ce6f336f7

SHA1
b7840242393013f2c4c136ac7407e332be075702

SHA256
6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850

SHA512
8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c

Download Submit
C:\Users\Admin\AppData\Roaming\Fantom.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\AppData\Roaming\GandCrab.exe

Filesize
291KB

MD5
e6b43b1028b6000009253344632e69c4

SHA1
e536b70e3ffe309f7ae59918da471d7bf4cadd1c

SHA256
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

SHA512
07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

Download Submit
C:\Users\Admin\AppData\Roaming\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Roaming\Krotten.exe

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Roaming\Locky.AZ.exe

Filesize
181KB

MD5
0826df3aaa157edff9c0325f298850c2

SHA1
ed35b02fa029f1e724ed65c2de5de6e5c04f7042

SHA256
2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b

SHA512
af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6

Download Submit
C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Roaming\NotPetya.exe

Filesize
390KB

MD5
5b7e6e352bacc93f7b80bc968b6ea493

SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be

SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

Download Submit
C:\Users\Admin\AppData\Roaming\Petya.A.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Roaming\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Roaming\PolyRansom.exe

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Roaming\PowerPoint.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Roaming\RedBoot.exe

Filesize
1.2MB

MD5
e0340f456f76993fc047bc715dfdae6a

SHA1
d47f6f7e553c4bc44a2fe88c2054de901390b2d7

SHA256
1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

SHA512
cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

Download Submit
C:\Users\Admin\AppData\Roaming\RedEye.exe

Filesize
10.6MB

MD5
e9e5596b42f209cc058b55edc2737a80

SHA1
f30232697b3f54e58af08421da697262c99ec48b

SHA256
9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305

SHA512
e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7

Download Submit
C:\Users\Admin\AppData\Roaming\Rensenware.exe

Filesize
96KB

MD5
60335edf459643a87168da8ed74c2b60

SHA1
61f3e01174a6557f9c0bfc89ae682d37a7e91e2e

SHA256
7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a

SHA512
b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb

Download Submit
C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\CkgcksAs\JeIEAMgw.exe

Filesize
181KB

MD5
2e21f2c61eaaf57db4876c0ab20d7b3b

SHA1
37287ad6849ca5632cb7501fe9e4653771f797f4

SHA256
8748041d6c5d43fb4508be48107a99b21250d744a114dfc6a763a16e920285da

SHA512
4c5a711795668b508bd09fb6d63f8165712caec232fa16d62b83e43b554dd64afca4e9b5985a6a29c9a6de545ab255dc6537fd0f49ab37c1c1d0f564dc8df9c2

Download Submit
C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML.ANNABELLE

Filesize
4KB

MD5
239acc0d226f000a91c61ff875586e7a

SHA1
3da4327ae9b1a5264b17aca0eb4b2af7c8018f85

SHA256
b04da9bf2654990a5bdcaa9f7b845d918aa394d3d2171160fb0f194e7f212166

SHA512
acbeb4dbe4a47f7c0c0ee6b4edbf48f38e5f5aca348ef5f22a537018ecdff6b142a84aa81b740f9fd3895a9e5dd69a3c95162a4923c40033d045b47d5f57e769

Download Submit
C:\Windows\70AC.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
2b2479fe80dde99dd497a1ca41d5aa23

SHA1
19116ce6ff6d859a91d5a9c7828b6b793c431479

SHA256
a96e54ac864ab635e4b05b29404555c56ec5bcd50183384de3a724c4c80334dd

SHA512
d6ad7e7216073181d36002c704a1ffbe9823ebf8fac85a21f8d98fe21d6d28f0de338fbf7d7e7f857056c04a14729b8406db77a47b3dbd26bc873dd2ff9f4b37

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c29d6253d89ee9c0c872dd377a7a8454

SHA1
46be3800684f6b208e0a8c7b120ef8614c22c4b0

SHA256
03f4198a279ea4c36a62cd271d3b2d796547013548666006fbef45e20bb920cb

SHA512
50141de5e0a827688251161353932b677c85e0d6e6831293c9a0044543e541fe8bd4e62fa403abc06df9d220fd843aa58ff9cc37abf46be3e06ae14905c24a5e

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
f43e735add22a91af1550a3483e1d97b

SHA1
74f468a5fd205fd591a7db2b8cdaf763d79ec8c9

SHA256
2bbfb1bd2c32ea35c7fdf821f83bc9d780562dcd4f503da09ab6548d6e36f4ab

SHA512
36c5bcffe844ea23dba9aa32d2b12555bc8ae539981b98b2c2499f19a8b2dc97a6f1b0f8a6543d7d3b55ce3430fbff371cb8f3ac6dc8cf944c124dbcab218161

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
C:\e9470325\PZIUMRKN-MANUAL.txt

Filesize
8KB

MD5
d06337001294150803b9fae746c230fe

SHA1
4b1dccb03fbaf06218084bf5e18aed0699a02efe

SHA256
7d8834db0516ddfe9caae49d26c3886d815329271ee04d376f6ac57def6d140b

SHA512
1ffea5ba8ec38e56fefacebb3f5d49d1d9be5955daf2e0d5f24ef973ef61b2da2516ab31ebd4ce4e51ac278e6817eb76763bf0617623bf6e9e94b71776cc6c48

Download Submit
memory/376-71-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/376-70-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/376-66-0x00000000009F0000-0x0000000000A5E000-memory.dmp

Filesize
440KB

Download
memory/376-69-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/636-124-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/636-592-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/636-133-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/664-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/852-1610-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/852-845-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1044-238-0x0000000002290000-0x00000000022F8000-memory.dmp

Filesize
416KB

Download
memory/1044-212-0x0000000002290000-0x00000000022F8000-memory.dmp

Filesize
416KB

Download
memory/1272-158-0x0000000000C00000-0x0000000000C25000-memory.dmp

Filesize
148KB

Download
memory/1272-210-0x0000000000C00000-0x0000000000C25000-memory.dmp

Filesize
148KB

Download
memory/2228-1286-0x00000230EE080000-0x00000230EF60E000-memory.dmp

Filesize
21.6MB

Download
memory/2228-140-0x00000230D2A80000-0x00000230D3A74000-memory.dmp

Filesize
16.0MB

Download
memory/2572-1274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2572-1263-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-1-0x00000000005D0000-0x0000000005B46000-memory.dmp

Filesize
85.5MB

Download
memory/2768-0-0x00007FFC09933000-0x00007FFC09935000-memory.dmp

Filesize
8KB

Download
memory/2960-156-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-618-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-67-0x0000000003270000-0x000000000328A000-memory.dmp

Filesize
104KB

Download
memory/3020-63-0x0000000003110000-0x0000000003126000-memory.dmp

Filesize
88KB

Download
memory/3252-315-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-263-0x00000000023C0000-0x00000000023F2000-memory.dmp

Filesize
200KB

Download
memory/3252-251-0x0000000002340000-0x0000000002372000-memory.dmp

Filesize
200KB

Download
memory/3252-274-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-275-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-277-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-279-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-281-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-283-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-285-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-287-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-289-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-291-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-293-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-295-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-313-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-297-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-299-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-301-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-303-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-305-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-307-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-309-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3252-311-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/3300-165-0x00000000008D0000-0x0000000000952000-memory.dmp

Filesize
520KB

Download
memory/3300-169-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/3300-188-0x0000000005500000-0x0000000005556000-memory.dmp

Filesize
344KB

Download
memory/3560-190-0x0000000000830000-0x0000000000855000-memory.dmp

Filesize
148KB

Download
memory/4712-27-0x00000000741A0000-0x0000000074751000-memory.dmp

Filesize
5.7MB

Download
memory/4712-59-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4712-18-0x00000000741A2000-0x00000000741A3000-memory.dmp

Filesize
4KB

Download
memory/4712-34-0x00000000741A0000-0x0000000074751000-memory.dmp

Filesize
5.7MB

Download
memory/4712-65-0x00000000741A0000-0x0000000074751000-memory.dmp

Filesize
5.7MB

Download
memory/4780-262-0x0000000000790000-0x00000000007CC000-memory.dmp

Filesize
240KB

Download
memory/5112-848-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5112-1609-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5468-1287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5468-1295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5572-437-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5572-521-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5576-599-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/5628-1169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5628-1234-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5684-1285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5684-1275-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5744-714-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5744-903-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5748-460-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/5844-1311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5844-1298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5876-472-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/5920-583-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5920-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5940-489-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5940-572-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5984-490-0x0000000000A00000-0x0000000000C8E000-memory.dmp

Filesize
2.6MB

Download
memory/5984-587-0x0000000000A00000-0x0000000000C8E000-memory.dmp

Filesize
2.6MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads