Analysis Overview
SHA256
75f2278a58d14d126c9bce4e31b527cd258bf00ff36ea128374a5f2bf0f86e5c
Threat Level: Known bad
The file RNSM00483.7z was found to be: Known bad.
Malicious Activity Summary
MafiaWare666 Ransomware
Detect MafiaWare666 ransomware
Modifies WinLogon for persistence
Avoslocker Ransomware
Gandcrab
GandCrab payload
Renames multiple (361) files with added filename extension
Deletes shadow copies
Renames multiple (161) files with added filename extension
Modifies Windows Firewall
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Drops startup file
Credentials from Password Stores: Windows Credential Manager
UPX packed file
ASPack v2.12-2.42
Uses Tor communications
Enumerates connected drives
Adds Run key to start application
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Gathers network information
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-14 13:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-14 13:49
Reported
2024-09-14 13:51
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
135s
Command Line
Signatures
Avoslocker Ransomware
Detect MafiaWare666 ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GandCrab payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gandcrab
MafiaWare666 Ransomware
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe | N/A |
Deletes shadow copies
Renames multiple (161) files with added filename extension
Renames multiple (361) files with added filename extension
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\System32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\System32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\System32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\System32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\System32\netsh.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\c13cc70bc13cc0e916.lock | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payload.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe" | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igmhk5hbmq = "C:\\Users\\Admin\\Desktop\\00483\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48.exe" | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\adr = "C:\\Users\\Admin\\Desktop\\00483\\HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates connected drives
Uses Tor communications
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\917284472.png" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2720 set thread context of 5992 | N/A | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Dados Trabalho.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00483.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00483.7z"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98.exe
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7.exe
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe
HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Gen.gen-a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90.exe
HEUR-Trojan-Ransom.MSIL.Gen.gen-a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90.exe
C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d.exe
HEUR-Trojan-Ransom.Win32.Blocker.pef-94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d.exe
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2.exe
HEUR-Trojan-Ransom.Win32.Blocker.pef-dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2.exe
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-d629d70868620681a7bd1e3bc49dfce91ac0bb4cd64a6358bcdeef1acf0d3a93.exe
HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-d629d70868620681a7bd1e3bc49dfce91ac0bb4cd64a6358bcdeef1acf0d3a93.exe
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();shell=new%20ActiveXObject("wscript.shell");shell.regwrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\adr","C:\\Users\\Admin\\Desktop\\00483\\HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe");
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48.exe
HEUR-Trojan-Ransom.Win32.Cryptoff.vho-0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48.exe
C:\Users\Admin\Documents\Hacı Ahmet.exe
"C:\Users\Admin\Documents\Hacı Ahmet.exe"
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptor.gen-be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
HEUR-Trojan-Ransom.Win32.Cryptor.gen-be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe
HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe
HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe
HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe
"C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe"
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07.exe
HEUR-Trojan-Ransom.Win32.Generic-c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5992 -ip 5992
C:\Users\Admin\AppData\Roaming\Dados Trabalho.exe
"C:\Users\Admin\AppData\Roaming\Dados Trabalho.exe" C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 472
C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe
HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe
C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\917284472.png /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set opmode disable
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\System32\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set opmode disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\explorerkiller.bat" "
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\System32\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set opmode disable
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\System32\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set opmode disable
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\System32\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set opmode disable
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\System32\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /release
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set opmode disable
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 88.221.135.33:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 33.135.221.88.in-addr.arpa | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 244.244.23.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.billerimpex.com | udp |
| US | 8.8.8.8:53 | www.macartegrise.eu | udp |
| US | 104.21.63.109:80 | www.macartegrise.eu | tcp |
| US | 104.21.63.109:443 | www.macartegrise.eu | tcp |
| US | 8.8.8.8:53 | 109.63.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.poketeg.com | udp |
| US | 107.178.223.183:80 | www.poketeg.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 107.178.223.183:80 | www.poketeg.com | tcp |
| GB | 88.221.135.33:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | perovaphoto.ru | udp |
| US | 8.8.8.8:53 | asl-company.ru | udp |
| RU | 87.236.16.243:80 | asl-company.ru | tcp |
| RU | 87.236.16.243:80 | asl-company.ru | tcp |
| US | 8.8.8.8:53 | www.fabbfoundation.gm | udp |
| US | 66.235.200.146:80 | www.fabbfoundation.gm | tcp |
| US | 8.8.8.8:53 | 243.16.236.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.200.235.66.in-addr.arpa | udp |
| US | 66.235.200.146:443 | www.fabbfoundation.gm | tcp |
| US | 8.8.8.8:53 | www.perfectfunnelblueprint.com | udp |
| US | 8.8.8.8:53 | www.wash-wear.com | udp |
| US | 104.21.40.198:80 | www.wash-wear.com | tcp |
| US | 8.8.8.8:53 | 198.40.21.104.in-addr.arpa | udp |
| US | 198.98.51.220:9001 | tcp | |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 220.51.98.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.219.218.216.in-addr.arpa | udp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 8.8.8.8:53 | 11.35.66.45.in-addr.arpa | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zEC5EABEE7\00483\Trojan-Ransom.Win32.Blocker.ndgg-c910c9901ea9ff059e3596cf1e49c16c3b757176397c961760f06d6dad553472.exe
| MD5 | d79d945d07bc09c8386943bd6d4bb307 |
| SHA1 | a461cfa215b5540db195354b1cad3e68d790668e |
| SHA256 | c910c9901ea9ff059e3596cf1e49c16c3b757176397c961760f06d6dad553472 |
| SHA512 | 4e8277bd8177e76bc36675d336457d03032866c6c78772059e2992e19d9b96642c30f66e71023f461445c14f28dc1890f1a07a15f00f26b973da5a6ed627e3cc |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vqcaxl2.ac3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4716-143-0x000001DD72F70000-0x000001DD72F92000-memory.dmp
memory/4716-144-0x000001DD73680000-0x000001DD736C4000-memory.dmp
memory/4716-145-0x000001DD73750000-0x000001DD737C6000-memory.dmp
memory/4716-147-0x000001DD73020000-0x000001DD7323C000-memory.dmp
memory/1400-150-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-151-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-152-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-162-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-161-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-160-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-159-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-158-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-157-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
memory/1400-156-0x000001EFBA530000-0x000001EFBA531000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 6bd369f7c74a28194c991ed1404da30f |
| SHA1 | 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643 |
| SHA256 | 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d |
| SHA512 | 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | d2fb266b97caff2086bf0fa74eddb6b2 |
| SHA1 | 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d |
| SHA256 | b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a |
| SHA512 | c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98.exe
| MD5 | 1b9a97649cccdfd5d9b7f708338d8e40 |
| SHA1 | 4cd9d158874ef995627ca0fbdd08157f20bff8a0 |
| SHA256 | 16538c2862415ff55840f6dbdc28ade7a59724f518fdb315b671237852a59e98 |
| SHA512 | 1de788c66e5449eba56967414b80810ee0fb5d6812e661c9f1b7b3aeae16eed64d77b24e5a584e66196dfe1a25b899c6c53b6cbaa03aa7124079eaaca284a8eb |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Blocker.gen-825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7.exe
| MD5 | 5dc74da8b3b3258c94ab980a9577a219 |
| SHA1 | ccf4dc5e49e317c941ca1274cf6f5b6d8b851b64 |
| SHA256 | 825dce976a7a66947289d1c6e0486248266c83a1ff9c74fd7e5d991769b3ecf7 |
| SHA512 | e7af1c84dbaf54f140c5a957c1b900fea961ed8219ce7b92257d18158b7f937c0299b91069c6963debe17ec62e4ea0af14a959915d353862ed7fe351dcef58f6 |
memory/1128-184-0x0000000000100000-0x0000000000108000-memory.dmp
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Encoder.gen-184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2.exe
| MD5 | 4c0c842fe006a14361e1ecff30a90754 |
| SHA1 | f57efbc22c381feec88b7d82e167b8e2eb1dca1d |
| SHA256 | 184d344b757eaf6c7397e2486d28b98983eab107683d5a7ee17a1f4dc1cf65d2 |
| SHA512 | 851d096c83c3284af635cdd029736e93bb2abd32cb0c7dab1985f46ff5c3eb3ea84120fb27802d4045608ee967a75d8f347466e68a7fe782d79dd36eef730604 |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.MSIL.Gen.gen-a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90.exe
| MD5 | 52c527df9e7554e940c3c45b4e9b3e30 |
| SHA1 | ae182f41baae6a5f3c05803933ba77578772233c |
| SHA256 | a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90 |
| SHA512 | eabb6293309e5ac13a9530efe8f3f75d6fa1102a6fed2a1825022fff584836796fc6eab97b42fe88cb618c987907b2c3224cfa79bec8b8f332f72a0f9412752c |
memory/4396-200-0x000000001C510000-0x000000001C9DE000-memory.dmp
memory/4396-201-0x000000001BF30000-0x000000001BFCC000-memory.dmp
memory/2772-209-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1732-206-0x00000000006B0000-0x00000000006F0000-memory.dmp
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d.exe
| MD5 | d28016f1314390c3472db9a375236fbe |
| SHA1 | 2d7cca420a24f1d20c5258e321f8fcb7381f9418 |
| SHA256 | 94fbafab9e4f3df2e89731cf8c05f9c549c3d803a01a97fd29c7d680049ba78d |
| SHA512 | 7860668d65294daef45f8749e58db932e8352bf452b0f04c9e5edc5ba24155a91561daa0a3ecec78a636fd5bae51a1ee769f7bacee349c583963dbc60f376db3 |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Blocker.pef-dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2.exe
| MD5 | 919bfbc3dd8239dd7ac114dbe97d2ffd |
| SHA1 | 944fb4424e95cdc947137e48dd11788b0a086f5f |
| SHA256 | dee74cdae069253f4b57314d02d9b89470e1f931a061074d3ec724dcca1910b2 |
| SHA512 | 935d4c02e167b604d1d4a238702639932e487b9be67529f033ba378906be029069913ed193d85db92946f4b0d2f1e8846f46f169d16d703bd9254d648c7c1b3c |
memory/4396-217-0x0000000001850000-0x0000000001858000-memory.dmp
memory/1732-216-0x00000000055D0000-0x0000000005B74000-memory.dmp
memory/1168-219-0x0000000000420000-0x00000000004B0000-memory.dmp
memory/1732-218-0x0000000005020000-0x00000000050B2000-memory.dmp
memory/4856-215-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3084-214-0x0000000000400000-0x00000000005BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
| MD5 | 9b289da45db35a863bbf2775b118fb38 |
| SHA1 | 346293a7405d87157c1b24b32b44882601417458 |
| SHA256 | 49e38c04215f4f1b570681c5df8135ba972194ad2abbe28576440a1e14468872 |
| SHA512 | c74e175f1ff4f664068af03345e30fe3d87f999ab8c87b5b3cf79d99112d9a0140c20dce26289f6c711ca31b8b9bc587d5fba274fb6dbe35dfc588c8698f42ed |
\??\c:\users\admin\desktop\00483\heur-trojan-ransom.win32.crypmodadv.vho-d629d70868620681a7bd1e3bc49dfce91ac0bb4cd64a6358bcdeef1acf0d3a93.exe
| MD5 | c380626d5678779650426785725236cb |
| SHA1 | fdd6b743d71b1f84f957e9132457a89d372c2998 |
| SHA256 | d629d70868620681a7bd1e3bc49dfce91ac0bb4cd64a6358bcdeef1acf0d3a93 |
| SHA512 | dc6f3fbfbc941e576d3bc186f01d496d4845e65ec7c44dec27af523748f033c8bdbab5ae6143f374440650ec0b6114a5fd167865bedba8e1d3565eada2c8b71c |
memory/1168-225-0x0000000004D60000-0x0000000004D6A000-memory.dmp
memory/2964-237-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4076-239-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4856-236-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2772-241-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48.exe
| MD5 | bf3a4bb4e42c26f585159f7aa103bc73 |
| SHA1 | d513c1fe0b0d89eef5a2c4bbfbca9d7e9043901c |
| SHA256 | 0a2e2efc45013ca8549874984968cd615117c08783018becfe03774fe68edb48 |
| SHA512 | bdb0a4088f3b3f556d86d12996502980f7db41811e2c42355ad7d1678ce1a32fd5ab1cdb61ec95e5c5903a4deee7401f05676f214c8b208f83bf76dbeae974b2 |
C:\Program Files\7-Zip\7-zip.chm.exe
| MD5 | 2d98246fc6843d1192a16aeee63f967b |
| SHA1 | d52077ca006ee8fcc4ab43e3761c0d19314bbba9 |
| SHA256 | 85fc44e0778027b9c2ed50c8cebefe108773b4f587b1c9be15e6f5d5cc64b904 |
| SHA512 | dab48fc9715cca602488d71968627ecfb1e2e3aedd4e16270ca1a118046f98e355fab7e226edd97dccba42c1da7e05831100fa0473266e0913032bdc68888652 |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Cryptor.gen-be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
| MD5 | 075cb88f83fbe4ad2ae0f553697e7bdf |
| SHA1 | 773dce7c01a42e8371cf49ceda07f26cba0907b9 |
| SHA256 | be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70 |
| SHA512 | 3f0a503acbfffc79eed37597d59e313c31f6b5451fdad79eacd611119ec17a4a245928079993689811a5695ad310951a282b1c493d08bdb31aa2b5fdbf63bf67 |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87.exe
| MD5 | 97f1152d4d5d5a0167dc4b948221cbc2 |
| SHA1 | f053ef59d29b7a7db43269bc2d4e66720a0deea0 |
| SHA256 | 4d2cac113e243d728e7d4ffb37ccca9bf1fbc96a7381ff7ab98cdad0955f5c87 |
| SHA512 | ef8133995dbea229d3a8134b00bce0cca716863742cb8beae7361cea69cd7fdfa7d9d2161fb85763cb4b2306111f03e54d81b628360d80268a90f76e5962a25b |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9.exe
| MD5 | a6d71c7aad5ca942f7bec9203077982e |
| SHA1 | e6373b1fa7244272dca1ab1ffa6d9f4db12e2d63 |
| SHA256 | 000a2a66d5f9b234b871eed3906e1d2da12bce6e6b8e6fbd4a1cca3042c01ce9 |
| SHA512 | 529cdab3691ebe5270a42abba95a61eadf0d58bc38089aab084dd125fad2d1ccd260ae7440a93bfa0b51762521818168aca02dfe7d16153f11da87ebcd520430 |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c.exe
| MD5 | f71627946236be60b9d37d1b0864df0d |
| SHA1 | 820d02f1620abb69fe549f28d6b709594f706934 |
| SHA256 | 021e563e197adb919596fd3f6ab0b6c58615506287574504ef26fc0536df9a2c |
| SHA512 | 598732b27d1cf7117462756cdad11968f302bb07bbb209585b4aa0ece2adef444d09de0e729c4777fa163cf07291bfb88afc3c15b505929a7e057b454de22316 |
C:\Users\Admin\Desktop\Encrypted----------.som
| MD5 | 2bad1ceab30b97c27cd18228a117e239 |
| SHA1 | 4128c35ca3566bb2e01d9a2f322c3be1c3220d37 |
| SHA256 | ed2cae6c0c173001f3bffadfbf3c10cf1dafff4ad0e270f3bfa13b4d6abca244 |
| SHA512 | ad11c1209e1fcbc27b20f42f549f350fc003497564beb71e1982d3c123a1c979df394fad73fa6a18e5c6e3b462ddd63a02e4def64940efe0d4daf5be92ab9a58 |
C:\Users\Admin\Desktop\Encrypted-------.som
| MD5 | 14dad6353afcd59a64bdaf7f069fb8df |
| SHA1 | 53ba34886c5a89d06e07725792697fd3ed40febe |
| SHA256 | 76a8fb873fe8c6963e82593dab555bea1c87a840fddd0edef34ed393b7e56fc0 |
| SHA512 | 0818fd024ef89440858bea7eef0bcccc08b368a4804769d41ac096369208d58f43b9415d83bf73a1a6c8c9a8284412b447087151e3ffe3de912f2de359373301 |
C:\Users\Admin\Desktop\Encrypted--------.som
| MD5 | 3a0b0f2afd73d6816343e71488adf3ed |
| SHA1 | 6af38b3945f7a08c970facdd4a19a50f8be10597 |
| SHA256 | f3d4137b9215203d5f2d4d4f5f7dbeeb65caaffebe2cab9028df29bb16799aec |
| SHA512 | 1b26e763a76994fbe4c29e92430815975fb380f57408ec006c27fcea14bb998afa331a529fa9f051ea7c28af4db86f4dcd635f1f5915b1208b12e226eaa58675 |
C:\Users\Admin\Desktop\Encrypted---------.som
| MD5 | c069dc352ae25426adcedac87644fd8f |
| SHA1 | c5d0813c919c99bcb09d0af8dfa1a2c007a081da |
| SHA256 | c9637c2d353bfe6f6e55a6ae01782caa8fe83ef248228007ee12bc7a297379c9 |
| SHA512 | af7d04ab7d98f3f3cdad86f12ecca4d6abb36e1dcd048fd884265a56125fb324d512bd10ef269886630935ee7df20888855a142e4a1a1f5a8696ab42713e55ac |
C:\Users\Admin\Desktop\Encrypted-----------.som
| MD5 | 0e1491df58568d33a5b3e0b851569869 |
| SHA1 | dd6574747ae096f1237f0b9e97b2ffeeacc4d2c5 |
| SHA256 | 53524ef716f4eef3948036896a52b96a536214287c76555461bb2203bdcdab47 |
| SHA512 | 7f251998091093914d5deb42a283361c83f56a7b3366ad1acb7fca44966b1b5671415b9ab71ce3d51201c6e06efd701ad17edc059978b221e5180170cb9d2e80 |
C:\GET_YOUR_FILES_BACK.txt
| MD5 | d90d05a5fea9c28b3bf2b55f808c3a45 |
| SHA1 | 7774c79c85b4401acfc56002f9e8a3e10e8a7b60 |
| SHA256 | 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec |
| SHA512 | 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a |
C:\Windows\win.ini
| MD5 | 7bd45b4353c2eb076cb800af6794c74c |
| SHA1 | 8b43110b86ab342a3a50fba1101af23e58afb81f |
| SHA256 | 46768646ca5a5742bd66e10f807c7d85c06d67f34d01e1da68c0ed585e81c74d |
| SHA512 | a41d292080b01fa6884140f0aab6a9a45310ff8eccf850715d5b373c8aeaf0a57ed060e12475621372876ccf05d64278f89ec9b458d3c1af4cc60b5999f735f3 |
memory/5992-1001-0x0000000000790000-0x00000000007B7000-memory.dmp
memory/7068-1005-0x0000000004DE0000-0x0000000004E16000-memory.dmp
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Generic-c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07.exe
| MD5 | bc5e7222161a863eeb51a73a4612bd0c |
| SHA1 | c97e0ae4ff536bf2c4f110d0a4e211d9e160501d |
| SHA256 | c21cf0ef3e5c699150f2804de3360459b1da2c3613fc0c4390d0148e6146be07 |
| SHA512 | 2ecb08e49cc223ccf6afa502a1fba1d8e28e5f67481be62ca8b5925f0402216389d8ab19e7a7b9aaf8a6d67503612c963f291fea7a9c6f704f9cf7d61c879646 |
memory/7068-1010-0x0000000005500000-0x0000000005B28000-memory.dmp
memory/5992-1003-0x0000000000790000-0x00000000007B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Dados Trabalho.exe
| MD5 | e9a4ab847a556bcf559a3a357c5f2795 |
| SHA1 | 43645de5c291c690309901cd0a6858490b5bcabd |
| SHA256 | b48f1bf5e248bcfa3c95315ebec854f08f91e129e31ea62fb2173ca074d569b9 |
| SHA512 | 3842b9b28e1d26b0a50755b0cea35193aecbbdbba85579c7b306475c363de7846fd5df4875341bcee36ae972dc75befe420f9c27a322f3bd9a1b0bd087c122b1 |
memory/4076-1023-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2964-1022-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2096-1016-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/2096-1017-0x0000000000C10000-0x0000000000C27000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
| MD5 | 4622764c28edb773090f9674c9005731 |
| SHA1 | ca923fbf2055e1bd8776d01969ff72c1fe620168 |
| SHA256 | 7629c82901a855836022d416fc3dcc316ca6b98940f0bcb2db1a453d76c5d827 |
| SHA512 | d6f0045971d68a7cde12950a936a3f3ac1aee3300068281ada086445e0cc68fb91f1d2ce97c9b51f24ce97a47a7c28ec2a446efa794c039e0e96aa7a33aa6798 |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d.exe
| MD5 | 95963c1315d495929e29e5e748cdc719 |
| SHA1 | 3e9bd72a036d2cfa545117d111adfb7bb4246fad |
| SHA256 | a5c8f955e10e33d50296f1ab1d5a78324973a5fcf1182035bf05667bd894af0d |
| SHA512 | 56073dbf3094cf53b7d70a09747ce730bcaf9aed38b30fac25c0984690224be11c83237e9c8e629efd40672c8b20676399dbf10e8b19fd37a53b697d65bd6037 |
memory/7068-1048-0x0000000005EA0000-0x0000000005F06000-memory.dmp
memory/7068-1046-0x0000000005D60000-0x0000000005D82000-memory.dmp
memory/7068-1055-0x0000000005F10000-0x0000000006264000-memory.dmp
C:\Users\Admin\Pictures\AddGrant.pcx.avos2
| MD5 | 78f9b1a6db2f1b90c0a8b6e7f561350a |
| SHA1 | 60a346fc846cdca7f524a4ae9f677c0958ec7ee4 |
| SHA256 | 435065c42ed334eb7ad98e69140edc700a8aaf6c27e2584e94104433339259c2 |
| SHA512 | 86af5463f2f9c82df817d872a8b7775ee6efd269ac00700639c815e61e8edb2999a14506a26dfec2084cece29fe78ed7aa261215673c1a5236ca0182f7715591 |
C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
| MD5 | c194f05400fd0bca323af3abfba469c0 |
| SHA1 | 9990be9c83cb654c41f59b6b9b7e72439911a3f5 |
| SHA256 | 89a7c081bf3c094fd0a466c62d9858603173146923d4ca0d7a945c0a23c92b4b |
| SHA512 | f4fc35b85296306547521226536a9d16556038dbca806e9b4773963a60e7e3c9b203911a66dc0e67590d26b6a0fffdb4c3f4ad966779cf0c4bff1b547c38d685 |
memory/2096-1068-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/7068-1047-0x0000000005E10000-0x0000000005E76000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
| MD5 | 93e1b8fc79aab4782cc9236439331e09 |
| SHA1 | b9771b3da4357c5a5134aec1e9b9294677fa7d0f |
| SHA256 | 4f6ac271f9bbd731a35dbe68d0e60ca2622340796beaab9f05270c879c6aca86 |
| SHA512 | 220546dbd5dff5c6d38727a5dcb0f71c29329ab576209c6eea79a2a7aa3eb330392d69deaaf6a1510aa157f11da10e6bbe6933961849761f6c3f6e584824a9e8 |
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
| MD5 | bc0d26d4c9eb77869e9a811866a31daf |
| SHA1 | 84353ee49d751564aea0e9c87528c5630ca7736a |
| SHA256 | 1802701cf076ddb0593810e3e736d75cc4501ac5e143311df9131666608550cd |
| SHA512 | 6e579af9b9fee927ebee1b8d137b04b9aa09f7eda0a68150d3d6a66953ddf81b955a708c22df4e84219b55b77809b5b67f2d28eea24cc084340801c4a9086e48 |
memory/7068-1087-0x0000000006380000-0x000000000639E000-memory.dmp
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Stop.gen-30f5851e3da28ff1b585a286a5a989406b37060ea32bd68acf7769da51edd767.exe
| MD5 | 98648bbc68a9bd40908e86c6ef0071c1 |
| SHA1 | 0293e6a0093bbaf0f39b47190353b988caf4947b |
| SHA256 | 30f5851e3da28ff1b585a286a5a989406b37060ea32bd68acf7769da51edd767 |
| SHA512 | 023a742ed066819d7dfa1f37baee4384146a94df8211430c6bcdb28ae208f0027e986633fbce632bd6ab47ca692cd52e1aaf450195d44813dc5cb85a5faf6662 |
memory/7068-1092-0x00000000063D0000-0x000000000641C000-memory.dmp
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Stop.gen-12089752956de5e082e810a5d4eb4ffe97a92112cd83244f2269fff76abae196.exe
| MD5 | 67cb0de159aec506bde6957e45292b01 |
| SHA1 | 069622c77628b72ec60a8fc8f783f43076cb83f8 |
| SHA256 | 12089752956de5e082e810a5d4eb4ffe97a92112cd83244f2269fff76abae196 |
| SHA512 | 8f1fc077aa2b6fdad1faa9189253389caca2a3f8dd87e8618a22bf3cbcede757cfb387af3994b9ab919c407721e398241576e7ed3d3e241325cf23e5ebe65f4c |
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Stop.gen-d0926befd5cd69120ff95338e14e74da1ce19291a8c0ee35a852304731bc6560.exe
| MD5 | 64ef237c8ec59df2732b191b54e8e4d9 |
| SHA1 | 4d3a1cde375d47b3fe7d74a9934a7ea5d3d3e9eb |
| SHA256 | d0926befd5cd69120ff95338e14e74da1ce19291a8c0ee35a852304731bc6560 |
| SHA512 | 9ea1352da3229a3b0ef68c3d30da1eb4fc35ea7c659d25f32532edef482143ce5904aa9bf08919d29779c92021407ba8b21d9816e187284f9a6d26196ba86024 |
C:\Users\Admin\Pictures\ApproveOpen.tif.avos2
| MD5 | 3d59d10a293711646ca3466971d0f306 |
| SHA1 | d605f56ba3e828cd3c8f665c3bb4764b24ce239a |
| SHA256 | 37968f2b38205679ab1a3193cfed9df996e73d02991c2d3e1b63c0a1b5174a3f |
| SHA512 | a9328e54a001377cf12ed98bc1e169443ff14ec4ffbedc4e5f0b07c4a79efac745e2f7bf9455d92669d6e468463c3f7b6a0beb7be6d6ce8b040530a701038c22 |
memory/3084-1102-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/2448-1105-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\Users\Admin\Desktop\00483\HEUR-Trojan-Ransom.Win32.Stop.gen-e9d4af41d7c3f1f49d3b78f949c23320af1f89199dab79da3eecbac6c5fe02b5.exe
| MD5 | 37c6edc652f5cab6f37f9985b450cb55 |
| SHA1 | 5225d4915cf979c7d6bb51ac9172af1f5f65f3bf |
| SHA256 | e9d4af41d7c3f1f49d3b78f949c23320af1f89199dab79da3eecbac6c5fe02b5 |
| SHA512 | c23af4b0ebf494620f9e6bf3861f633a1f499fbdbc3ae9ffd82e0b1116bcb8f169ca3b1b897469a9eb3f80eba2ccd7394519d4f023ec5fa49b29bbbb6226d61a |
C:\$Recycle.Bin\KRAB-DECRYPT.txt
| MD5 | b5e093f1bcfbca24f1ca57b5c23293ff |
| SHA1 | 56786af5d48f27474db6da8ea32d4acfe42061c4 |
| SHA256 | 1b82c142e4cea3a87bf3daa958249f0416f226921a72bd6ea95a873b6140f531 |
| SHA512 | f2412944b595ffbbb89d9ddd64eff137c4dbf222053c7b902acbfcdd195f74af55150524bfa5e0ddcf930b862605b2438e41e03c6b7b942b36d2e2aabbc756da |
memory/7068-1205-0x00000000068C0000-0x00000000068DA000-memory.dmp
memory/7068-1204-0x00000000079A0000-0x000000000801A000-memory.dmp
F:\AUTORUN.INF
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
memory/3084-2356-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/2448-2358-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2448-2383-0x0000000000400000-0x00000000004B3000-memory.dmp