chaos | 083f1d249b006db1d48ae65b2be283b457cc3d91ff99727847425398eee698ea

Analysis

max time kernel
212s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00473.7z
Size

67.0MB
MD5

d5d5de530fbb720527c68dccdc430d74
SHA1

4dc21d744b484a6e27c3b9951826a1c21696266f
SHA256

083f1d249b006db1d48ae65b2be283b457cc3d91ff99727847425398eee698ea
SHA512

565d07e7060a435fdf6003ce94b32ef96fe5dd377a396c7c3a21a5f0af2a0c8bd36c618ac9342f76cece56c61ad23d1b8ed55a1390b5c8bf44b121b087cbebcc
SSDEEP

1572864:uLesVc87NdbYvuKYoh9a8KmH4XZDlvPE82nxVtR+q:uLK8NBYvuKho8KhXZZPE8kxnD

Score

10^/10

chaos mafiaware666 vanillarat discovery persistence ransomware rat upx

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Generic-0d683d2e4fa69e5a5780ffcec285131df7d3467d0f5483ad7d1e918160817886.exe	family_chaos

Detect MafiaWare666 ransomware 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe	family_mafiaware666
behavioral1/memory/2032-203-0x00000000005F0000-0x0000000000644000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666
VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat
Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Vanilla Rat payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe	vanillarat
behavioral1/memory/2364-195-0x0000000000910000-0x0000000000930000-memory.dmp	vanillarat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exewmisecure64.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	wmisecure64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe

Executes dropped EXE 20 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exeHEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exeHEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exeDesktop.exewmiintegrator.exewmihostwin.exewmimic.exeHEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exewmisecure.exewmisecure64.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exeTrojan-Ransom.Win32.Instructions.wu-7327337dd14ea53a4d403c0e7119ea5ffa3c07f03ce8d85d04ec83138136a0d9.exe

pid	process
1800	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
2364	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
2712	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exe
1016	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
3236	HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe
2032	HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe
3212	HEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exe
4872	Desktop.exe
4464	wmiintegrator.exe
452	wmihostwin.exe
4568	wmimic.exe
184	HEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exe
3448	wmisecure.exe
2560	wmisecure64.exe
5000	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
1836	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
392	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
3676	Trojan-Ransom.Win32.Instructions.wu-7327337dd14ea53a4d403c0e7119ea5ffa3c07f03ce8d85d04ec83138136a0d9.exe

Loads dropped DLL 42 IoCs

Processes:

Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe

pid	process
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exereg.exereg.exereg.exereg.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exereg.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766 = "C:\\Users\\Admin\\AppData\\Roaming\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Povlsomware = "\"C:\\Users\\Admin\\Desktop\\00473\\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe\""	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe"	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

54 pastebin.com
55 pastebin.com

flow	ioc
54	pastebin.com
55	pastebin.com

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-347610517728fa8820a913fcd7f2762d9d4018182a4c7ad98871d3ca83463343.exe	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exereg.exereg.execmd.exereg.exereg.exereg.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exeDesktop.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exereg.exereg.exereg.exereg.exeHEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exereg.exereg.exereg.exereg.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exeHEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exereg.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exereg.exereg.exereg.exeHEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exewmiintegrator.exewmihostwin.exewmimic.exewmisecure.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exereg.exewmisecure64.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exetimeout.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Desktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiintegrator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmihostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisecure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisecure64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1952 timeout.exe

pid	process
1952	timeout.exe

Modifies registry class 4 IoCs

Processes:

cmd.exeOpenWith.exeDesktop.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	Desktop.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetaskmgr.exetaskmgr.exe

pid	process
3216	powershell.exe
3216	powershell.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exetaskmgr.exe

pid process

3248 7zFM.exe
2992 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7zFM.exepowershell.exetaskmgr.exetaskmgr.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exevssvc.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exeTrojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe

description	pid	process
Token: SeRestorePrivilege	3248	7zFM.exe
Token: 35	3248	7zFM.exe
Token: SeSecurityPrivilege	3248	7zFM.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	1124	taskmgr.exe
Token: SeSystemProfilePrivilege	1124	taskmgr.exe
Token: SeCreateGlobalPrivilege	1124	taskmgr.exe
Token: SeDebugPrivilege	2992	taskmgr.exe
Token: SeSystemProfilePrivilege	2992	taskmgr.exe
Token: SeCreateGlobalPrivilege	2992	taskmgr.exe
Token: 33	1124	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1124	taskmgr.exe
Token: SeDebugPrivilege	2712	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exe
Token: SeDebugPrivilege	2364	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
Token: SeBackupPrivilege	1768	vssvc.exe
Token: SeRestorePrivilege	1768	vssvc.exe
Token: SeAuditPrivilege	1768	vssvc.exe
Token: SeDebugPrivilege	5000	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
Token: SeDebugPrivilege	1016	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
Token: 35	116	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
Token: 35	4396	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	process
3248	7zFM.exe
3248	7zFM.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
1124	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OpenWith.exeHEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exeTrojan-Ransom.Win32.Instructions.wu-7327337dd14ea53a4d403c0e7119ea5ffa3c07f03ce8d85d04ec83138136a0d9.exe

pid	process
4100	OpenWith.exe
1016	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
3676	Trojan-Ransom.Win32.Instructions.wu-7327337dd14ea53a4d403c0e7119ea5ffa3c07f03ce8d85d04ec83138136a0d9.exe
3676	Trojan-Ransom.Win32.Instructions.wu-7327337dd14ea53a4d403c0e7119ea5ffa3c07f03ce8d85d04ec83138136a0d9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

taskmgr.exepowershell.execmd.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exeDesktop.exewmiintegrator.exewmihostwin.exewmimic.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exewmisecure64.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.execmd.exe

description	pid	process	target process
PID 1124 wrote to memory of 2992	1124	taskmgr.exe	taskmgr.exe
PID 1124 wrote to memory of 2992	1124	taskmgr.exe	taskmgr.exe
PID 3216 wrote to memory of 4428	3216	powershell.exe	cmd.exe
PID 3216 wrote to memory of 4428	3216	powershell.exe	cmd.exe
PID 4428 wrote to memory of 1800	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
PID 4428 wrote to memory of 1800	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
PID 4428 wrote to memory of 1800	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
PID 4428 wrote to memory of 2364	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
PID 4428 wrote to memory of 2364	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
PID 4428 wrote to memory of 2364	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
PID 4428 wrote to memory of 2712	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exe
PID 4428 wrote to memory of 2712	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exe
PID 4428 wrote to memory of 1016	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
PID 4428 wrote to memory of 1016	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
PID 4428 wrote to memory of 1016	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
PID 4428 wrote to memory of 3236	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe
PID 4428 wrote to memory of 3236	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe
PID 4428 wrote to memory of 2032	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe
PID 4428 wrote to memory of 2032	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe
PID 4428 wrote to memory of 2032	4428	cmd.exe	HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe
PID 1800 wrote to memory of 4872	1800	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe	Desktop.exe
PID 1800 wrote to memory of 4872	1800	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe	Desktop.exe
PID 1800 wrote to memory of 4872	1800	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe	Desktop.exe
PID 4428 wrote to memory of 3212	4428	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exe
PID 4428 wrote to memory of 3212	4428	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exe
PID 4428 wrote to memory of 3212	4428	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exe
PID 4872 wrote to memory of 4464	4872	Desktop.exe	wmiintegrator.exe
PID 4872 wrote to memory of 4464	4872	Desktop.exe	wmiintegrator.exe
PID 4872 wrote to memory of 4464	4872	Desktop.exe	wmiintegrator.exe
PID 4464 wrote to memory of 452	4464	wmiintegrator.exe	wmihostwin.exe
PID 4464 wrote to memory of 452	4464	wmiintegrator.exe	wmihostwin.exe
PID 4464 wrote to memory of 452	4464	wmiintegrator.exe	wmihostwin.exe
PID 452 wrote to memory of 4568	452	wmihostwin.exe	wmimic.exe
PID 452 wrote to memory of 4568	452	wmihostwin.exe	wmimic.exe
PID 452 wrote to memory of 4568	452	wmihostwin.exe	wmimic.exe
PID 4428 wrote to memory of 184	4428	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exe
PID 4428 wrote to memory of 184	4428	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exe
PID 4428 wrote to memory of 184	4428	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exe
PID 4568 wrote to memory of 3448	4568	wmimic.exe	wmisecure.exe
PID 4568 wrote to memory of 3448	4568	wmimic.exe	wmisecure.exe
PID 4568 wrote to memory of 3448	4568	wmimic.exe	wmisecure.exe
PID 4568 wrote to memory of 2560	4568	wmimic.exe	wmisecure64.exe
PID 4568 wrote to memory of 2560	4568	wmimic.exe	wmisecure64.exe
PID 4568 wrote to memory of 2560	4568	wmimic.exe	wmisecure64.exe
PID 2364 wrote to memory of 5000	2364	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
PID 2364 wrote to memory of 5000	2364	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
PID 2364 wrote to memory of 5000	2364	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
PID 2560 wrote to memory of 764	2560	wmisecure64.exe	reg.exe
PID 2560 wrote to memory of 764	2560	wmisecure64.exe	reg.exe
PID 2560 wrote to memory of 764	2560	wmisecure64.exe	reg.exe
PID 3236 wrote to memory of 232	3236	HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe	cmd.exe
PID 3236 wrote to memory of 232	3236	HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe	cmd.exe
PID 232 wrote to memory of 2976	232	cmd.exe	choice.exe
PID 232 wrote to memory of 2976	232	cmd.exe	choice.exe
PID 2560 wrote to memory of 2380	2560	wmisecure64.exe	reg.exe
PID 2560 wrote to memory of 2380	2560	wmisecure64.exe	reg.exe
PID 2560 wrote to memory of 2380	2560	wmisecure64.exe	reg.exe
PID 2560 wrote to memory of 4984	2560	wmisecure64.exe	reg.exe
PID 2560 wrote to memory of 4984	2560	wmisecure64.exe	reg.exe
PID 2560 wrote to memory of 4984	2560	wmisecure64.exe	reg.exe
PID 4428 wrote to memory of 1836	4428	cmd.exe	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
PID 4428 wrote to memory of 1836	4428	cmd.exe	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
PID 4428 wrote to memory of 1836	4428	cmd.exe	Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
PID 2560 wrote to memory of 2708	2560	wmisecure64.exe	reg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00473.7z
1⤵
- Modifies registry class
PID:892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4444

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00473.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Roaming\Desktop.exe
"C:\Users\Admin\AppData\Roaming\Desktop.exe" C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3448

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
8⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3584

C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Roaming\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
"C:\Users\Admin\AppData\Roaming\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe
HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2976

C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe
HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032

C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exe
HEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3212

C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exe
HEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:184

C:\Users\Admin\Desktop\00473\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1836

C:\Users\Admin\Desktop\00473\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "timeout 2 & move /y C:\Users\Admin\Desktop\00473\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe C:\Users\Admin\AppData\Local\Temp\winupdate\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe & cd /d C:\Users\Admin\AppData\Local\Temp\winupdate\ & C:\Users\Admin\AppData\Local\Temp\winupdate\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe"
5⤵
- System Location Discovery: System Language Discovery
PID:2548

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1952

C:\Users\Admin\AppData\Local\Temp\winupdate\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
C:\Users\Admin\AppData\Local\Temp\winupdate\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:392

C:\Users\Admin\AppData\Local\Temp\winupdate\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
C:\Users\Admin\AppData\Local\Temp\winupdate\Trojan-Ransom.Win32.Blocker.nbxr-b13ecd91daa96757e779948f53767c99e36f08239ce15024d6ffad03dd8d3987.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Users\Admin\Desktop\00473\Trojan-Ransom.Win32.Instructions.wu-7327337dd14ea53a4d403c0e7119ea5ffa3c07f03ce8d85d04ec83138136a0d9.exe
Trojan-Ransom.Win32.Instructions.wu-7327337dd14ea53a4d403c0e7119ea5ffa3c07f03ce8d85d04ec83138136a0d9.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
2⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8895bcb9378e4740b0d5672aed7613ac /t 316 /p 3676
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3922\altgraph-0.17.2.dist-info\INSTALLER
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2uulpgjf.h2b.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Desktop.exe
Filesize
259KB

MD5
0da8e3c78bef1462bb8d5c837b8ca2bc

SHA1
ef1bcc01ecbb764a20e5484c1ec6e1c1d2efe305

SHA256
57b04fd7491dd627a68b1fa4570f02cdd4e89f3254cf950dcbdd5785c4925476

SHA512
5d5f16402b8a2a5ca25508e0d3ede63c61f8edd6ffb64f8c9265a2953557737522d9ea73d73f905e44e5f241cf615491791b2f03271bbfe88f9cdde9abce7e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
Filesize
259KB

MD5
bedc4d2f12a1996f92e1a58bcd39354c

SHA1
2c6a7a956d46ce025e9193c18bcb45aaeb48c3d5

SHA256
2e78e8c5d7c13b9b4cd3397091eb81435ed1d0acf7989d7a6e1b512aea7de8bd

SHA512
d77557f605d045fc509e2d5bc6bd17ccce1014f1da7eb02ce8492b44df6d2980718377657fcef9c17599415373f656b0526f5e5d574f75ff6b317f4f9876772e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
Filesize
259KB

MD5
59d42d826fd921055f27da5c2afc7fe6

SHA1
2f22cab502e07b683c4ad7cd00f92ea616618129

SHA256
f81fd0c0ac158c52e378fdf96fca7bcda6cb1083de3144b8f73f3f4ac6da281d

SHA512
214ca7b322b47e1a3e4ef8a97a500e9d7e96825302a79eb9b15496949bef0bfd70732a06ef1b44020d99f83055911430f491b9bf66c861b1d1e87ecb88d16bcb

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
Filesize
259KB

MD5
f4f4ed7e81e6df0f83753df3f94e15d9

SHA1
309d94b7fa702c9f35a817dd4f702a91ee10ba94

SHA256
96323e824bf3891da38cbddd2143927d9bf7a6f0ad1e28bf1a9a7807eaa74a02

SHA512
0c82306f6b4c223e358fc7f4eb85b87b9693bc8ea9933fbc709cace80fa6f264f87ae37d8419c89603046c5e562f6f3490bb84ffdf66a7c004eff978d60405d4

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1.exe
Filesize
259KB

MD5
bcc817c41d613477d6a768f548285334

SHA1
584681437e693fd9bbeaeafd8b2c11b5f202943f

SHA256
3e152c8ec40fa2824dfa8c1489b8c2b1ea9bad41ba6fb46d36a0b9804c0adff1

SHA512
f465640cc39283dec1f641e9abf7303930e861bd095c86000f77ccd3a4176cae2a18270f08f126faa792648297436f47e9fb3ee6f3a2dea351b7a86b97af56f3

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766.exe
Filesize
106KB

MD5
bb5f95223d6fb24f991459bbd0a3e7ed

SHA1
c529913c8be222e0a3e4cae8c9c1d6cf4ba94c96

SHA256
9588bf13dbad12ceaba6c90e593eea194fcd4751746657285a36db0058598766

SHA512
3cd626b86ee3080f85dcf9c5769a2796d6bdc9c083f4e9d2acbbe95f00be94ddbd8490da4539e441490b4e1851944a456343ebcf2189a3bfc55d9ea1cf0d7865

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a.exe
Filesize
383KB

MD5
00108ad07a427eff9c68fcadcdf2b53f

SHA1
cdbdc4cfe7e29d8cbe91a15c17d04eb52a01fc8a

SHA256
c76e6d28e7784fddeb0ef90cdb2874e18df6b0ae13c4ad34cc3cc3999610008a

SHA512
fece90d9e15c6a12b77645c8e38695cdc14c3cc4d1a16582fa28068e2a88d5f0de8db52fa9a6f6f202b90d9fa2d773989081dac839fc20cc76cb73e3bfd4fa45

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438.exe
Filesize
104KB

MD5
c68ce464274cab6d38b3c05ddfddd25b

SHA1
c8d2b9420e1c437effe30695aef47e97b14a5f77

SHA256
8a893c4619b0d4f322fc70058457191b5f8aad9ac6a1f368fe8ae5153def9438

SHA512
466df1092b13b65d3f3df80c25bfe3c3d19a36e2cad4d0af8b103b0e6870f2d5b6c71e48bbe061dbb06dcd43e039b14a5c63c7f8608470da064808acf2d7b335

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Encoder.gen-55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511.exe
Filesize
229KB

MD5
b3a80cbb3efaa6ea526572502ed7a4db

SHA1
4b900d1cb1308fe232ddd957d2caf1c69a8f01b0

SHA256
55baeccd74e3d5091bb6e9bd828ae0395142d3a631a182aeca12bc6dce716511

SHA512
bf8f4c8ece17f87413f14a899cf1c892b6b75a0bb3117d24370ded6b868c7342341933cb64b9d39ff49ecb27cb50744db729ba672867b56f740435883131c972

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.MSIL.Gen.gen-04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea.exe
Filesize
313KB

MD5
db464f279deac4f005b38f1950b12b60

SHA1
ce607f75046ff6a9f2552cd7df502e912f93d4d5

SHA256
04b0cd32c1cba271626510e1112c37eacf385568c8804a47ce42181b7cc015ea

SHA512
0c45f63a2112074974061dd3167ab8e93210ab636ee752579ec57495cc84a64c6593b3e469264a8a67c1e9d6ed0c0ee6f60174f2876f4f528b361e25dee0ad8e

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Agent.gen-7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403.exe
Filesize
2.0MB

MD5
62c504ee6b9db445ab376db25dd667d3

SHA1
f1a935ada9cd21798f91dc43015b961c426e9c5f

SHA256
7a673b18b6f2c79a4d93248ea04fbdb700e97f730cce484dc52d0323a6160403

SHA512
bbdebcf49ba7a119a61e3448d6599608c11404870bd0f633a2657ba0a3fcade2a7d4e68d20f767b534c7cff7ffbb5532d363f33fed8700062a8dd390bc3e0b43

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Agent.pef-012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618.exe
Filesize
97KB

MD5
ac9b5526ec3764c4bc9bcb29f1ddf9da

SHA1
432b696b3724d6944b3e6573ac2b1efa1da1e97c

SHA256
012716f9ffa04fc20ff24972ec6b84cc5323885268962d449aff9a41f7ee5618

SHA512
1ffbb640477f3f7f6dbf98cc88e9f83988dec860073a65fd57a347e9f99db681e6b919a7937f8f05dc4df26535ca3f7befd1bad092e80ae09a0db865ed99c4d4

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Blocker.pef-3d685eedb2a5d85216381f654b6a80413f6a4d0e428cbb376d51354abd05d3a0.exe
Filesize
51KB

MD5
4161e24e3611ced725fbb79199d32bbf

SHA1
c6ef84419bdcda6bb92a2982a53ef8e5257e6d65

SHA256
3d685eedb2a5d85216381f654b6a80413f6a4d0e428cbb376d51354abd05d3a0

SHA512
75294baad54827266a7bf2094b7624da3e0eff43dd6e05b83b3dd54d44acb5c34f68e2228f82022c366be6a1c2f42231a5da5ab349940329025562b70a001c1e

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Convagent.gen-fb9b5c996b556a11a7bf315febae7dd518eca601d454d33f6f745a1e2a14cf5c.exe
Filesize
385KB

MD5
5e198902334fd392b071a80af037f267

SHA1
295850ed74c4951b2fcf55946266a7ffea644759

SHA256
fb9b5c996b556a11a7bf315febae7dd518eca601d454d33f6f745a1e2a14cf5c

SHA512
66fe51cf6af4c479b75bfdc9a8efbc7c6603eb78f37eb2e1e2533f20d4ccdbbd7460204198503024b480dad02e9f26619c46b683b0cc4066db797cad23b7d936

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-347610517728fa8820a913fcd7f2762d9d4018182a4c7ad98871d3ca83463343.exe
Filesize
1.8MB

MD5
08b020b33c6a400d89329e21c07ddfb4

SHA1
f20e9e71b39885c7973573bffa00e472200c06a9

SHA256
347610517728fa8820a913fcd7f2762d9d4018182a4c7ad98871d3ca83463343

SHA512
7533b8502fdaed0d1c6940f61dc96150dcb4d1e868497d915c63245715382badacaa597930a31516ca4cdf4041571f74dccdb22130d13f910ebc8ac144b3caf7

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-2ad7113bb113899dfb9e28d8a78b52be44a3700318e87f23b6a68243aea2463c.exe
Filesize
130KB

MD5
80b179c30916faa911aa510cb983f642

SHA1
cff238bb0ead9010d532794976161bbc2687b6bb

SHA256
2ad7113bb113899dfb9e28d8a78b52be44a3700318e87f23b6a68243aea2463c

SHA512
956f23ca2fab9a947c26f17db65943a290373fbc6c0ac9816c6bf00a236e949bd2f3d9ebd93cfd2e959c5382987887651c1dbf203287c33e4fed965f2d5f1930

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Encoder.vho-c5494652f4600fec59d81df3e937fbdba19844efe4b0fd51082c175cab7c647b.exe
Filesize
266KB

MD5
910807a587787a5828981aae73d3b0dc

SHA1
6680cdef9e11955867673612898954a5727f576b

SHA256
c5494652f4600fec59d81df3e937fbdba19844efe4b0fd51082c175cab7c647b

SHA512
1dd2bb0eeaf635f9676b706b2fdccf98eb64169b226aaca6185e4bb04327f2cac0e307571a3d80ea982dbcb2081fba2f3bc971a1a2e77db9f11c46a42336ff34

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.ExPetr.gen-36754f10a0f51cea3906c78181d862274e84bedfe4d4f60c3e85a8de2ab81ac5.exe
Filesize
293KB

MD5
d8227f4d4339930e727f1e24066f8cd6

SHA1
29361a04854c403c96976ea3dd1658ff305c0b81

SHA256
36754f10a0f51cea3906c78181d862274e84bedfe4d4f60c3e85a8de2ab81ac5

SHA512
0557aa44c35b5b5b440c8da030a89b5ff1da798e673be5f0573585dc12341a2f0177a13704aebd94f00780f26034b1c190014fc3b3c06199beba5028307d7b57

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-f1780d2813dc4012ee708bec41ff3488db8d12707430fda1486fc6c04c41cbfa.exe
Filesize
250KB

MD5
c79c1a25213fa8bd9d32625aefa20d48

SHA1
f7d93ba3aa72d323754ac98532cb5a4c5f8f7927

SHA256
f1780d2813dc4012ee708bec41ff3488db8d12707430fda1486fc6c04c41cbfa

SHA512
3b6e9d8c95277fd0a646ecf99df9d2b25dc29621b95933d3b6961df18e5cf4eefe792cd14ef6f262eb697c54d08f44bc6da8ff827bffcd89de0a31e992992515

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-7371b99567c585788bbf00b02993eb1d897fc275e092fffb378be5d2ccdeb26a.exe
Filesize
321KB

MD5
f6c6397bf4fb437b89e79cf8ef3ec00b

SHA1
754e9ff2637e83d2b6cc343804b06401effe43c4

SHA256
7371b99567c585788bbf00b02993eb1d897fc275e092fffb378be5d2ccdeb26a

SHA512
1a1274e1de056077296dbffc7b902ee797ef5856fbc85195402b8792d3c6d6393286400ba4e73225ed656cf217b0e0d5d6e2956e2d5fe02883878aec6940cac1

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-e1cfbb49371fca715b4efb8161b2f214012d73eb8a57cafd7e6beb81de3a6f5f.exe
Filesize
89KB

MD5
4646ab64f1e1aac84a2172efbffec0c2

SHA1
eb1d0e4894fa53a7e7e9b9724216330ff807d91a

SHA256
e1cfbb49371fca715b4efb8161b2f214012d73eb8a57cafd7e6beb81de3a6f5f

SHA512
bae35b90ce457c902e2fa167e596c323b9e29bc830d6b00dc178895104a4ef4e5a4b190bfc56ac0b2bf489b604a34b4d371bf86bbe72c0d13db3766023aa212d

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Generic-0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290.exe
Filesize
545KB

MD5
0a7c4d3e00285907574ed93105e7cbd0

SHA1
f5acb2a4339b7c0adc7b952a28a6e25a550ace90

SHA256
0c5c72f6b371e157babb410027a947c70555a1f9bf4e1900664249f4d51e3290

SHA512
622c50dc8641170f9b32068e40759971095c324f85c35dd8cee6df60196f4d6390f3728820cf373a60d7b98e9402d3f00ef3cd15cfcfe9267e0bcf3d3bee231f

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Generic-0d683d2e4fa69e5a5780ffcec285131df7d3467d0f5483ad7d1e918160817886.exe
Filesize
2.2MB

MD5
5b61e933fb4b526837a23637ff6bef7e

SHA1
34056a337b596b2bf2682df0ec1247b0ad14a972

SHA256
0d683d2e4fa69e5a5780ffcec285131df7d3467d0f5483ad7d1e918160817886

SHA512
2f7ec6cfac3a671334e900d59dd8cd7e66d8ce8ff61e71ac47d805f17e7ccc0ad2066e8c477a0597d318a6802b1a9e7fdcf1890ac08ba45b0cb8cfc938498ea0

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Generic-43271dbcd6d7cf2ae3b7a1bcb953aca730548807d36b7396961d7f46f9b31e31.exe
Filesize
798KB

MD5
0df3dcb3c91940b57e3b7b0266a19ed7

SHA1
114d49827cbddb871f5eb0de2bd6ffaa6f372d31

SHA256
43271dbcd6d7cf2ae3b7a1bcb953aca730548807d36b7396961d7f46f9b31e31

SHA512
7a1ede5ace9bf634733023082e5b396b38361bf67be5b7040bde3e831645b3747505f88ace8bf48ce21c44b87f4dde1ab12ac222b2b6026b158207aaa275ae51

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Generic-6dd9e90e57b2e2498abd6147399c56e774149a8835d1a9209e9cb66308147b8f.exe
Filesize
993KB

MD5
ea0745414a4646183f4ad097f7df05cb

SHA1
a2c26d3bd8fd853859fec5806b3977502f5301aa

SHA256
6dd9e90e57b2e2498abd6147399c56e774149a8835d1a9209e9cb66308147b8f

SHA512
7dbfc96a582cd0e60097abfadb1d6b85a80186bcde5484b99725dcac9379918fe15399e3f7068981c10adac26e24b504c4e8695e90123c21803fbd21904bfbc1

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Generic-d65f4e89103a733d61fc20689412e56a94b9f5fdb3ad06da6b7a30a83df3a4bc.exe
Filesize
122KB

MD5
c1e4ef42dd2f043182f9633ae810eb95

SHA1
59f2152cb54aa8beec146322bc1245dbe8ff9f7b

SHA256
d65f4e89103a733d61fc20689412e56a94b9f5fdb3ad06da6b7a30a83df3a4bc

SHA512
5f8acfbc5521bbf571528fee0d7856f434f58cf9cb31b5af92287c341822d49732f503e4d2d4314e40a4223cb57c5e5ca3e8a607a72d9a12149306b1c626fbdd

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-735b806b05c30cb8d8a007e836f2642574bb455bb95f481ae170ba3785ae6517.exe
Filesize
4.9MB

MD5
04a862514cc943efa31be6ae206b6370

SHA1
32b904a833a570886523e319a89cf3c8a2dcc5df

SHA256
735b806b05c30cb8d8a007e836f2642574bb455bb95f481ae170ba3785ae6517

SHA512
31c648ac125ad4b83d4e5aaf8a850541fc3121981d7e9eac9cfda674984e789103b139366defae2189cb030d4f517ab29fea9a3f8d771a0344099992c62a110b

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Stop.gen-c83075a8214e1b1631c4090ec9bb3b98e27bedc042c972bd780b054aedbe6c26.exe
Filesize
764KB

MD5
170b683757518766ed40481d89e6ab14

SHA1
a95fdba84733674ceb5e9424db0f0a69d50cdf9a

SHA256
c83075a8214e1b1631c4090ec9bb3b98e27bedc042c972bd780b054aedbe6c26

SHA512
37c0a17385726069254ec2115ce96c328cbd2584d48c2cd3afaa62492983952bd997dfa5f7728ec4f80139d4953132857f2fe1e01d26eb9b05420d2e8118cd69

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Stop.gen-d96ab3e264fbcea0556fb18e3c507cd551b9b79a01bd3894ef06e45f839023a0.exe
Filesize
381KB

MD5
eecb1c9f360ad32a6d12ca4d13f37c7d

SHA1
8b805e63b11336d8fc222ab00819fe3b445096dc

SHA256
d96ab3e264fbcea0556fb18e3c507cd551b9b79a01bd3894ef06e45f839023a0

SHA512
ab195d758976efa77b65fdc029432f598624629320c23fd92c0fa9b3d599769d7976ee3642e9f103fe51781cadc48e827a95470282b2609a855ca7073dc75a83

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan-Ransom.Win32.Stop.gen-e5e5e93bc86a2a51d68a00708a2caf531a77f6f40c8124c38ee29b9d3942cc65.exe
Filesize
730KB

MD5
5cbd1411264a5dda8726977bd9cc1fcf

SHA1
81e9fa799cf0269b205245d69dbfb2a363db4ba4

SHA256
e5e5e93bc86a2a51d68a00708a2caf531a77f6f40c8124c38ee29b9d3942cc65

SHA512
1217faf0630b0076583e0dbd310135c785366a220a3f18dd7b7abe7f323afdabada9c69f30875fb24301cebcd292d176ae7f2d8886587ce2c0db19c3b87c67b8

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-2dbfdbcac412f915fe1837b77fde449cac15d501ddf416c569ee50ded31cb806.exe
Filesize
168KB

MD5
456887551b403aceb4bdc4ecf679a776

SHA1
8fd5421235600d6a858ce5500555c73451a502b2

SHA256
2dbfdbcac412f915fe1837b77fde449cac15d501ddf416c569ee50ded31cb806

SHA512
b30876f02b0dc1d59a5f90fbd634b95e354f5a0769153d76b05767a8abd6c685aa87265fcbb3e80d870c5153dc4c58485b23dff05ba4dd9c4535e0ac1c79eeb1

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-408afc5c3b5fc434089109264de35d4239077cf689b58ea528fff7e215a1e1f9.exe
Filesize
1.2MB

MD5
4607486d1d4fc9425d8daacbb526cbf7

SHA1
b170d13fd18ac50f4caeca8dc9fe0b4260ee8f13

SHA256
408afc5c3b5fc434089109264de35d4239077cf689b58ea528fff7e215a1e1f9

SHA512
32818c57555893e6db88603e421cd75cd658991dca1eac0fe50ba0d173f95bd0ebbc7a5ab5ee2698357554a0d76caf5b5c7dd0f0d1e92a6b6f58a17cc2e60a80

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-58867455d98e39c30cd1ed1e8893f7f295aac11a09dbd8c9eaf81ac031139e3e.exe
Filesize
377KB

MD5
58d99f56eaf5b4199785f72936a8b8ac

SHA1
4cfc93da39bf7598705e5fe4173686d85aa184b5

SHA256
58867455d98e39c30cd1ed1e8893f7f295aac11a09dbd8c9eaf81ac031139e3e

SHA512
193b95410184e0a4596b040d96551bad8a6274ce7e5ca4358988f871f8a281c6af415ae33b142c05c12222da6b1ddbac76b4d27b9cdfd3e70726062b3580ec94

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-69436489634b0c0e6c3a9b85a7c34dd59eb1832e099af96208b6b9d4c1bb4c71.exe
Filesize
261KB

MD5
e5dc463d4f7105bbf641a955f679d3bc

SHA1
0851172a4bc43e18f940771d0bc0124eb201c664

SHA256
69436489634b0c0e6c3a9b85a7c34dd59eb1832e099af96208b6b9d4c1bb4c71

SHA512
85e0b71e42fb05aab55aa0e1e031e3321dd77ef550d3b225d6c1638c3864893072eb6285e38e41ffb1454d1ebcb012c30ffe2defc8e66ac5d4a4553a7d23692b

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a.exe
Filesize
92KB

MD5
d136709b5b24d88ea5e2f42821a5a996

SHA1
ce1371e3e78173266a95370856ad24412aaa9b23

SHA256
864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a

SHA512
5642bef456efcb67dc7788a7af5296e5c856d66a10e31a0ff140641226f176d6c573e848bc3ad1680b8279f9a92bef6c7683f1a62b92df6f4883299df2c0bc6a

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-87fd7121780e1eae3db580cccebe3deb19d7f616fde386df68b9d39139440db0.exe
Filesize
390KB

MD5
45d9a079aa9c5a1517499b3009647769

SHA1
84040cd9756313b388735b2927d393804455ab8d

SHA256
87fd7121780e1eae3db580cccebe3deb19d7f616fde386df68b9d39139440db0

SHA512
790c3085c9f9a3429254883ed1e4d051747074daec7b2f5d5518e7862c9f8bb67d03178be8f98329781714ab801b72a0c70511a8239c9713d1fe452ed7c86771

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-a5290e9e8ade5a265186dc7c03c1c757aa188f3e0ba5c7cb7639c522a4bcdc97.exe
Filesize
2.1MB

MD5
480f546b81bbc609c952380caae43f4d

SHA1
ce87315f6dbecac4f9a31de4ac7cc2567224f5b9

SHA256
a5290e9e8ade5a265186dc7c03c1c757aa188f3e0ba5c7cb7639c522a4bcdc97

SHA512
c2c5e075f8cfaa756d4de90b7c8ececc777cac1eb03506240319e43c11e77a0531cce625f4c542ffb68fcccea2648f1b3c7f32afb1a4060279a51140227d0558

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-b79442cddc2c748ebd3e0490c4904c0d16787a8ca2828b68cdc4e0caf1f2d461.exe
Filesize
859KB

MD5
115538418cf91447a7bdc273e8100745

SHA1
dfd795f9e7e7a1c8db503019addcadf6d7800881

SHA256
b79442cddc2c748ebd3e0490c4904c0d16787a8ca2828b68cdc4e0caf1f2d461

SHA512
86083bb6ef56c5c68df6017b4a0829f0070d205042ea4708200b8e2054104f877a43622fd0a5efda872594d264abbf1461c48a093ca412d902ee656dfbd2823b

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-b8d8f4fe00ff499c7e486a34aa290ee24975d523e09da4464c7a6e983b11d74d.exe
Filesize
104KB

MD5
efe17cfe0fc7b45a8724b2cd6dbbd211

SHA1
19c90581594f322a8a3250c9f8de42ea105abb13

SHA256
b8d8f4fe00ff499c7e486a34aa290ee24975d523e09da4464c7a6e983b11d74d

SHA512
5b443c765a5c2a4d34a47ccde1fdd7d969396dfe116f045c5f8d0af9cfacb11a00a8b21a5b8cecb663c133d3e3d4cc6d69582efbf54908a62617fbca91b50f5b

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-b96d9319d131de965ffca4c9e3ede73783dabf45de05bbe0bf21656f2eb2a32f.exe
Filesize
293KB

MD5
a26b443ea78fd638b20845e33660c17d

SHA1
4aa93eec26752fc3e3907de83fcb1e66ca5a619b

SHA256
b96d9319d131de965ffca4c9e3ede73783dabf45de05bbe0bf21656f2eb2a32f

SHA512
b4931affcfa95845db31b35a65c87f4e1f54364687f8c5aa62bb2f0c3a3e233fc6cbe7f23201b6ea5d32c005bae14de17e2396b727ccffb7df20a94c483c5c13

Download Submit
C:\Users\Admin\Desktop\00473\HEUR-Trojan.MSIL.Crypt.gen-ba80040edc3e1018257d892568789d30e73f3e250f1b59e2424b2e8f903880be.exe
Filesize
259KB

MD5
a89966027ba84be6409d0a8a7b498364

SHA1
cececf1151ac83d7fe84f750f81b2dff15b47790

SHA256
ba80040edc3e1018257d892568789d30e73f3e250f1b59e2424b2e8f903880be

SHA512
c1e294088cd3dfc174456b2ce8b76d5338d6ea74a3ad1028fa405c7968eda7c61468adf6f97e3c69282ce2d60408b1852037c17f8d697a3d74d1794608ba6a40

Download Submit
C:\Users\Admin\Desktop\00473\Trojan-Ransom.Win32.Encoder.ciu-c9d65df896520ad0693ef0b2338b93ebfeccc529100f8b2a70f697db148a71c0.exe
Filesize
270KB

MD5
95db41d017c2fcb3b71296498fdaad20

SHA1
1bdc9e624b9a742898c50291e33f812cc84ae854

SHA256
c9d65df896520ad0693ef0b2338b93ebfeccc529100f8b2a70f697db148a71c0

SHA512
a10067828ffdd4025c951a70ec39edbf1b09576a682983327bf040e8a3c7032bac3e8f50b557a3f5c443adec80613d953703d4c0dfecbc451212c981e3d4c2b8

Download Submit
C:\Users\Admin\Desktop\CompleteConvert_vst.alla2021
Filesize
358KB

MD5
f288d005f60e1b0845384ec54f04fb8e

SHA1
02064bc82d5b3fbfe5eb92c186b9c1ba9202dee5

SHA256
146b03e0c21e915cd8fd530fb06fb1e4bbef73c232d2a053181a7c6c61968123

SHA512
f62650582da73e6d0d2efd18e5f88cda2a178deb1e85c749955960716f95137b13bd7314173bf64300770b7fda569a6421a4794a85d3bdb0b3ff12a04cf80a89

Download Submit
memory/184-461-0x0000000000400000-0x000000000041CF08-memory.dmp

Filesize
115KB

Download
memory/1016-194-0x0000000000740000-0x0000000000764000-memory.dmp

Filesize
144KB

Download
memory/1016-212-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/1016-202-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/1124-154-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-147-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-156-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-149-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-153-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-158-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-159-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-148-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-155-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/1124-157-0x0000025E8D970000-0x0000025E8D971000-memory.dmp

Filesize
4KB

Download
memory/2032-213-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/2032-203-0x00000000005F0000-0x0000000000644000-memory.dmp

Filesize
336KB

Download
memory/2364-198-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/2364-195-0x0000000000910000-0x0000000000930000-memory.dmp

Filesize
128KB

Download
memory/2364-200-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/2712-187-0x0000000000F50000-0x0000000000FBA000-memory.dmp

Filesize
424KB

Download
memory/2712-251-0x000000001BC80000-0x000000001BE10000-memory.dmp

Filesize
1.6MB

Download
memory/3212-449-0x0000000000D80000-0x0000000000F42000-memory.dmp

Filesize
1.8MB

Download
memory/3216-145-0x0000022E1CD90000-0x0000022E1CDD4000-memory.dmp

Filesize
272KB

Download
memory/3216-146-0x0000022E1CE60000-0x0000022E1CED6000-memory.dmp

Filesize
472KB

Download
memory/3216-140-0x0000022E1BE00000-0x0000022E1BE22000-memory.dmp

Filesize
136KB

Download
memory/3236-208-0x000000001B040000-0x000000001B0E6000-memory.dmp

Filesize
664KB

Download
memory/3236-448-0x000000001B690000-0x000000001BB5E000-memory.dmp

Filesize
4.8MB

Download