atomsilo | 7c4210c18bbe5b1af9000ae38953c5c52bfe5de023b640492d3f296d0f4caec4

Analysis

max time kernel
166s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00471.7z
Size

77.9MB
MD5

316fa4481b18d738d63477376675a281
SHA1

1c0c3b8661e6033740b6d27021afabfd71f1fb13
SHA256

7c4210c18bbe5b1af9000ae38953c5c52bfe5de023b640492d3f296d0f4caec4
SHA512

260427131dc32da771c403848f51d64470897a39de37bbbae2964099b4b2ef2d4a099af66c3e4c7ef1f7eaaadddc970e71f0100b348502659bdeee50e2dfb1f0
SSDEEP

1572864:yvUoQ9DhK3exOjITTZtcP2EeyBsFFYttMZfL1py:yvUoQphtcuMB6itOA

Score

10^/10

atomsilo urelas vanillarat discovery execution persistence pyinstaller ransomware rat trojan upx vmprotect

Malware Config

Signatures

AtomSilo
Ransomware family first seen in September 2021.
ransomware atomsilo

AtomSilo Ransomware 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win64.LockFile.h-62629512c435acc24b083de1e1d128e66118301cb7be92651d85a8af5fe5b834.exe	family_atomsilo

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe\","	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

Urelas
Urelas is a trojan targeting card games.
trojan urelas
VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe	vanillarat
behavioral1/memory/5068-154-0x00000000007F0000-0x0000000000812000-memory.dmp	vanillarat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exeWindowsPortableDevices.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WindowsPortableDevices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 14 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exeHEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exeWindowsPortableDevices.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exeHEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

pid	process
2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
5068	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
4060	HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
2968	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
1408	HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
4864	HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
2788	WindowsPortableDevices.exe
4972	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
512	HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
2300	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
452	HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
1868	HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
3864	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Encoder.nuv-ae989824f3a7dc8bfc00d840ced60e1685cc0b76d46b36d884c3c4e69841284f.exe	vmprotect
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Blocker.nbxl-ab0de3d2c520091f33f2d85d5122c8324b8ce55a148296a8985694e2ead3f5c6.exe	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

USOPrivate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pRd2Dt = "C:\\Users\\Admin\\AppData\\Local\\USOPrivate ver2.37\\USOPrivate.exe"	USOPrivate.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2064 powershell.exe

pid	process
2064	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

description	pid	process	target process
PID 2240 set thread context of 3864	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-54609563eaf0433f33c6c7bf41e3d937d524aba67171342f8c0ab848eb640226.exe	upx
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.GenericCryptor.cys-9a099577d01da03b07cdbe8ae1fd6e5943a335a38be8ad637d84e08ee14ff957.exe	upx
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Crypmodng.km-b64322209e72abda1b71e10d5e73933d45bbd7337d1b866a3d073605afdfee34.exe	upx
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Blocker.nbxf-d94311fc599649d6b3f7113a7c1e23764f3dded3c9a7f6c2e9e838e7a805245b.exe	upx

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Blocker.nbxf-d94311fc599649d6b3f7113a7c1e23764f3dded3c9a7f6c2e9e838e7a805245b.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1500	2968	WerFault.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
5248	2300	WerFault.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exeHEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 3 IoCs

Processes:

cmd.exeOpenWith.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1628 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

USOPrivate.exe

pid process

1340 USOPrivate.exe

pid	process
1628	schtasks.exe

pid	process
1340	USOPrivate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetaskmgr.exetaskmgr.exe

pid	process
1072	powershell.exe
1072	powershell.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3448 taskmgr.exe

pid	process
3448	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exepowershell.exetaskmgr.exetaskmgr.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exepowershell.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	3192	7zFM.exe
Token: 35	3192	7zFM.exe
Token: SeSecurityPrivilege	3192	7zFM.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1836	taskmgr.exe
Token: SeSystemProfilePrivilege	1836	taskmgr.exe
Token: SeCreateGlobalPrivilege	1836	taskmgr.exe
Token: SeDebugPrivilege	3448	taskmgr.exe
Token: SeSystemProfilePrivilege	3448	taskmgr.exe
Token: SeCreateGlobalPrivilege	3448	taskmgr.exe
Token: 33	1836	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1836	taskmgr.exe
Token: SeDebugPrivilege	4060	HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
Token: SeDebugPrivilege	1408	HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	2968	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
Token: SeIncreaseQuotaPrivilege	368	powershell.exe
Token: SeSecurityPrivilege	368	powershell.exe
Token: SeTakeOwnershipPrivilege	368	powershell.exe
Token: SeLoadDriverPrivilege	368	powershell.exe
Token: SeSystemProfilePrivilege	368	powershell.exe
Token: SeSystemtimePrivilege	368	powershell.exe
Token: SeProfSingleProcessPrivilege	368	powershell.exe
Token: SeIncBasePriorityPrivilege	368	powershell.exe
Token: SeCreatePagefilePrivilege	368	powershell.exe
Token: SeBackupPrivilege	368	powershell.exe
Token: SeRestorePrivilege	368	powershell.exe
Token: SeShutdownPrivilege	368	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeSystemEnvironmentPrivilege	368	powershell.exe
Token: SeRemoteShutdownPrivilege	368	powershell.exe
Token: SeUndockPrivilege	368	powershell.exe
Token: SeManageVolumePrivilege	368	powershell.exe
Token: 33	368	powershell.exe
Token: 34	368	powershell.exe
Token: 35	368	powershell.exe
Token: 36	368	powershell.exe
Token: SeIncreaseQuotaPrivilege	368	powershell.exe
Token: SeSecurityPrivilege	368	powershell.exe
Token: SeTakeOwnershipPrivilege	368	powershell.exe
Token: SeLoadDriverPrivilege	368	powershell.exe
Token: SeSystemProfilePrivilege	368	powershell.exe
Token: SeSystemtimePrivilege	368	powershell.exe
Token: SeProfSingleProcessPrivilege	368	powershell.exe
Token: SeIncBasePriorityPrivilege	368	powershell.exe
Token: SeCreatePagefilePrivilege	368	powershell.exe
Token: SeBackupPrivilege	368	powershell.exe
Token: SeRestorePrivilege	368	powershell.exe
Token: SeShutdownPrivilege	368	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeSystemEnvironmentPrivilege	368	powershell.exe
Token: SeRemoteShutdownPrivilege	368	powershell.exe
Token: SeUndockPrivilege	368	powershell.exe
Token: SeManageVolumePrivilege	368	powershell.exe
Token: 33	368	powershell.exe
Token: 34	368	powershell.exe
Token: 35	368	powershell.exe
Token: 36	368	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeIncreaseQuotaPrivilege	4936	powershell.exe
Token: SeSecurityPrivilege	4936	powershell.exe
Token: SeTakeOwnershipPrivilege	4936	powershell.exe
Token: SeLoadDriverPrivilege	4936	powershell.exe
Token: SeSystemProfilePrivilege	4936	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	process
3192	7zFM.exe
3192	7zFM.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
1836	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4324 OpenWith.exe

pid	process
4324	OpenWith.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

taskmgr.exepowershell.execmd.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exeUSOPrivate.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exeWScript.exe

description	pid	process	target process
PID 1836 wrote to memory of 3448	1836	taskmgr.exe	taskmgr.exe
PID 1836 wrote to memory of 3448	1836	taskmgr.exe	taskmgr.exe
PID 1072 wrote to memory of 4844	1072	powershell.exe	cmd.exe
PID 1072 wrote to memory of 4844	1072	powershell.exe	cmd.exe
PID 4844 wrote to memory of 2240	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
PID 4844 wrote to memory of 2240	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
PID 4844 wrote to memory of 5068	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
PID 4844 wrote to memory of 5068	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
PID 4844 wrote to memory of 5068	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
PID 4844 wrote to memory of 4060	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
PID 4844 wrote to memory of 4060	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
PID 4844 wrote to memory of 2968	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
PID 4844 wrote to memory of 2968	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
PID 4844 wrote to memory of 2968	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
PID 4844 wrote to memory of 1408	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
PID 4844 wrote to memory of 1408	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
PID 4844 wrote to memory of 1408	4844	cmd.exe	HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
PID 2240 wrote to memory of 368	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 2240 wrote to memory of 368	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 4844 wrote to memory of 4864	4844	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
PID 4844 wrote to memory of 4864	4844	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
PID 4844 wrote to memory of 4864	4844	cmd.exe	HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
PID 2240 wrote to memory of 4936	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 2240 wrote to memory of 4936	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 2240 wrote to memory of 4964	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 2240 wrote to memory of 4964	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 2240 wrote to memory of 2064	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 2240 wrote to memory of 2064	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 4060 wrote to memory of 2788	4060	HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe	WindowsPortableDevices.exe
PID 4060 wrote to memory of 2788	4060	HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe	WindowsPortableDevices.exe
PID 2240 wrote to memory of 3092	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 2240 wrote to memory of 3092	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 1340 wrote to memory of 1628	1340	USOPrivate.exe	schtasks.exe
PID 1340 wrote to memory of 1628	1340	USOPrivate.exe	schtasks.exe
PID 3408 wrote to memory of 4920	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 3408 wrote to memory of 4920	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 3408 wrote to memory of 2148	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 3408 wrote to memory of 2148	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 2240 wrote to memory of 3452	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	WScript.exe
PID 2240 wrote to memory of 3452	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	WScript.exe
PID 2240 wrote to memory of 3864	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
PID 2240 wrote to memory of 3864	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
PID 2240 wrote to memory of 3864	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
PID 2240 wrote to memory of 3864	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
PID 2240 wrote to memory of 3864	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
PID 2240 wrote to memory of 3864	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
PID 3452 wrote to memory of 2064	3452	WScript.exe	powershell.exe
PID 3452 wrote to memory of 2064	3452	WScript.exe	powershell.exe
PID 3408 wrote to memory of 5240	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 3408 wrote to memory of 5240	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 3408 wrote to memory of 5524	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 3408 wrote to memory of 5524	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 3408 wrote to memory of 212	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe
PID 3408 wrote to memory of 212	3408	HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00471.7z
1⤵
- Modifies registry class
PID:4500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2348

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00471.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
      4⤵
      PID:3092
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Diubxzpru.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Chrome.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
      C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
      4⤵
      Executes dropped EXE
      PID:3864
- - C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5068
- - C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Windows Portable Devices ver4.54\WindowsPortableDevices.exe
      "C:\Users\Admin\AppData\Local\Windows Portable Devices ver4.54\WindowsPortableDevices.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2788
    - - C:\Users\Admin\AppData\Local\USOPrivate ver2.37\USOPrivate.exe
        
        "C:\Users\Admin\AppData\Local\USOPrivate ver2.37\USOPrivate.exe"
        5⤵
        Adds Run key to start application
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn " ver5.63" /tr "'C:\Users\Admin\AppData\Local\Windows Portable Devices ver4.54\WindowsPortableDevices.exe"'/f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
- - C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1516
      4⤵
      Program crash
      PID:1500
- - C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
    HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2968 -ip 2968
1⤵
PID:3060

C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe
"C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4972

C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe
"C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe"
1⤵
- Executes dropped EXE
PID:512

C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe
"C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1472
  2⤵
  - Program crash
  PID:5248

C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe
"C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:452

C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe
"C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868

C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe
"C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
  2⤵
  PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
  2⤵
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
  2⤵
  PID:5240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
  2⤵
  PID:5524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
  2⤵
  PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2300 -ip 2300
1⤵
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aab8c1f446fedf0613d471d05948045b

SHA1
e84673790479ee2547f2dba284a8f83aed575f17

SHA256
4ed11ced3eba7c77dd407276df54535feb8795451c4216678584c4d06236e4fe

SHA512
794e1fff799926a470232e9b4dc6fd7a155943d5ab261138d4fb198e4d2e5b61f19faff8011c94058ffa3e0e87d59ac380c1957b25ea87e24f6a9ee351411e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbfdf5f0ce4f2a9ebda0b0705896e8db

SHA1
ee6404931507d33341834b52dcc531188ab93313

SHA256
a342bcb2750f72312e9494ffebe532b6b3d3c08bcf761e628ac5a7ccfe3a5b89

SHA512
3aeb4cf9d1e89fccfee55a1bc65e167d2374f6ecd9d15c5fb8ce6550562c0d2285c7881e56ec3fe1f75dbc486d27ec2cc282568beb4aa1a792a24c1ade549b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02c9423d2e5d798239b750bbebfc665f

SHA1
d8043af146d0336aae3c9ea16094328b41db15f9

SHA256
1e608c39960bb593ef538411f6b4ce8eb51047c2074cfd99e54a05d93eabe39a

SHA512
743e2bb6e2823f1238882e0547b1735abc04090629e62ab932843664138e1d9f15ba993e5c76ba8cb19615142fd1b37b77228f1fe462a98a6cbbdf66d1d2b952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ac37aba16752b28312be6873e0c4410

SHA1
a0e2be08317c5ea49b92ff3f186f995665b6b486

SHA256
46c0ab2033f21658ea6f63d2ac216d9275504ab9e962b2b3bcf5f4278896f4e6

SHA512
b3ec274019565bbefe587a4aef3bb45d5bb28171c8d328c1c55d5184b4830abe46b776eece4aa94062c567531f3677cf220587c3a8734675d746ed75b8350f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9844FF13E443011D1129

Filesize
312B

MD5
505bdea808c0b85e58996976cdd6889b

SHA1
b4d9239ccec31ddde3a65b17af730893825fc83b

SHA256
d98a8cba1c81729b4c0bea86f3fd8cb7eb4213dfdd1cc5011b2e024d3974e891

SHA512
993f3b208c447c27fa819274148c63777a3108456a3541d2b34d21e79b814d934fa7492e9a2ecb4ce63f861fe1d3d0bd06ebd7b762f63a8d271735fbda136a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1hanzly.kwr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e.exe

Filesize
1.2MB

MD5
a79bdeb93f9c7b91557f528cf61696ca

SHA1
b488dd0a7d5bd4f6cf5109e444b2e231d71bb3d8

SHA256
1a005abf393bda6175ca0d1133639d8798c5bef2ec53f30e09cde189ce1bb66e

SHA512
62d6c5c26642355088b3dce5a360659866fd539512beed30e54cd92371815ba1da404dabdf0ff6dad1353d93816f07529d6cf6bad7e1719000ac6fa52e025f40

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9.exe

Filesize
114KB

MD5
85b34a470b4eae64fe474db99b10746a

SHA1
1a6690c48c1896ec1ebad7841adba7174ee21aa8

SHA256
9d7c7505abead73fe9cbe8d8ef140643008aa987faab4cdf0b002f06d6c010a9

SHA512
653689ef7342f4a2aa431dc6d2e0b279c62c44152ac76281fccfd19fb4293caff681ef0834ff06ba52719a57704925f54abd95e2ba034cb470fd0cd1c7ad93bb

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc.exe

Filesize
647KB

MD5
44608b222922f1bc63eb01c446bd3860

SHA1
238055b50d6897f37b29885e4b6f9facd6384751

SHA256
aa0a69f17445502fef0ca18bd53dbc8bbab9a4ad50323f11674ec5933d0966cc

SHA512
e82752f6fdba5f3b8e1923ee1a6d5db6d974cabe9b4270d072d2607bc0dc052b394ffbc57f42df18318a22893fe3209e47128e91aa30ff0d7a94be31d52b83e8

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee.exe

Filesize
1.2MB

MD5
a9573efcd2c193a1342ecb164a216e95

SHA1
9295b569cd611f8bb2f9bc63359a8baccf1cc917

SHA256
e451e27620f4454e81d0084a5752841ad020b357b7e1d54a8601edd7885045ee

SHA512
4bb6be97aa64a374dd2737879fb5fae04130e3543ce53e5a3cde23bd89363c2aef7e4f78484274a7418b31c2113af921745a71030b73fcedd3607a8884b6a879

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.MSIL.Encoder.gen-821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875.exe

Filesize
58KB

MD5
803be9689f80b599b296d016b96d7d16

SHA1
096a2ead8417dc451d410718ee25e2cc64304cc6

SHA256
821db357b31d176ad7e844d5b0434da3acb829beb6a7f9bd8c3069337c89b875

SHA512
bbbd2e8f05c685d38eb088c85c7f2297657441b7f509eeb3597d0ecec1e29b60c836c9cebe618cbfc72168b043458951eea8cba89fa62f22487058d4312c8e23

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Agent.pef-e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0.exe

Filesize
104KB

MD5
ae4f816300e6254a061d9fd955fe79fc

SHA1
7c1b64bb7531d819252d2e3ef42f3fb33dc50719

SHA256
e168baeaf22c05e25e8419fc692c8090407653f28feb72d793fabd98715f1ec0

SHA512
4cffd6b13fc3ee8b1b7c1dbdb649a0558c56b7e8add97ef9c90cf5d3e6621f1863aea6ae4e3051290195f9d8b65edab0634434b56b959654f7fe38bd820c6b9f

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-54609563eaf0433f33c6c7bf41e3d937d524aba67171342f8c0ab848eb640226.exe

Filesize
1.8MB

MD5
08aa826cf443de0b714a80610009b961

SHA1
820fd07ce3f957083e603db761505582423f78b9

SHA256
54609563eaf0433f33c6c7bf41e3d937d524aba67171342f8c0ab848eb640226

SHA512
f5145661bca3f73bf1df11c85f59201e0e373052d4e185908802850f3e2f15d4d8ef656b519c3e4bce6672b8351209bc511e0603646dc99b8ed375126b18a001

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-6e3fe9b1e97e89787a10f37c77d71579c879d341dc9fd0ba7ba2a402ffeac807.exe

Filesize
130KB

MD5
727b2145e88a33cae627558d326a9b46

SHA1
e3e1b472dd2d319160e9057514012ff3b753180f

SHA256
6e3fe9b1e97e89787a10f37c77d71579c879d341dc9fd0ba7ba2a402ffeac807

SHA512
5d603afd6825bf7ebd2aebc6ef15e082760c6f2140cf3d2829c580cc10080241b1268381462f88934053d228d45ff21192fecbd78cfe4e776ecb75b05a56a2f2

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Cryptor.gen-c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.exe

Filesize
919KB

MD5
825d6049ba8600ee5fefd817ac5444b4

SHA1
31c4dfbf7029c5ca8334042faaf906477be1ec17

SHA256
c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02

SHA512
43f30546ae519a902556412f5d0233a70c90181686e38dfe3c3751e462db91b0d189de1429f44805ba7bc188f5c5ff521eb26288f694f07f5868296f75d61bfa

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-dc0dcec68f89fb23c98a988cb196b8c439292306f033f084ff7de5e8db974cd3.exe

Filesize
11.4MB

MD5
35014f64a4f1744fbb456796b5327e84

SHA1
349855af5667f0a326c497c9b5ea85cba98a8e0c

SHA256
dc0dcec68f89fb23c98a988cb196b8c439292306f033f084ff7de5e8db974cd3

SHA512
c11002e39bc6a78cb9ebff7bc3723558a7dfc6889efae2998c18b9a28eadf8ba5104c611ac4724c68e80221ca04bb08cad6041a85ca067004725c013273e7660

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Stop.gen-15d3d0304b1ea8516af33d8b1ae3e48874550be1e81b8302dda3925a5c50c5cb.exe

Filesize
771KB

MD5
62c848fdc02d4d0977558fbeb475e5db

SHA1
01061963ef5aec77a36cf35bf71d51a6df7b0f64

SHA256
15d3d0304b1ea8516af33d8b1ae3e48874550be1e81b8302dda3925a5c50c5cb

SHA512
2667f37367e7fc805f3b2e62b8a48502348f832684a95636cdfb696da04772f13ad9ab59044640e39575fe072b37b217bbd04925d60820b1c602bce905b2ef40

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Stop.gen-4b6c78e1228ad2f2bb1e35f6b0a5c3f4bd574098b110627b553cf88e780addad.exe

Filesize
695KB

MD5
5ebbd85542bc70e9168169441653452c

SHA1
013697b4369e1a198fa6e0971bd635abd9ed66f8

SHA256
4b6c78e1228ad2f2bb1e35f6b0a5c3f4bd574098b110627b553cf88e780addad

SHA512
e16bf2b84a34252c76f54f7b4a0e04617e890b1c408f74dcf997ecf81b2cf931abae0f681f4f00ed3b9d56c93913cc25e2f28eb8d7d8e94d70cef491931064b7

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Stop.gen-5c0fb4c8665f2fd33d83edde4809cf0203ce3fc1f4d53d62db5db8d7b843b01b.exe

Filesize
721KB

MD5
ee29ad5d6779804dc00dbc21445f723e

SHA1
d73f05b3112785abcedad97ea52245da779a323a

SHA256
5c0fb4c8665f2fd33d83edde4809cf0203ce3fc1f4d53d62db5db8d7b843b01b

SHA512
cb698f1a525c6624c6aff7f11e611b03099cc7f5c1fc07f5d2d5f754280f42832ac733408595dbf755d1c65433865b93175de6cb30e09c42845f7e92346e4e39

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Stop.gen-602b02381887a5bc8683284e03c29226c55406689389c00bdab9a080028ef4f0.exe

Filesize
736KB

MD5
58e627359d493f755c46d9dbf86dda83

SHA1
0755e235472cb2da12a75d645d5a5c7cf2b173f8

SHA256
602b02381887a5bc8683284e03c29226c55406689389c00bdab9a080028ef4f0

SHA512
37d9723f6ae981abbbc06fa4ab303a667dcc9c09b9a3888f574e4873158473d17e7872ba818fc94d6f4a7d5685365bd97180cdea04eb5561383383c551c65d12

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Stop.gen-6d35913d505c88664a82cdebc152ff7946052d4e53a8a3e91822e6471c2dd1ae.exe

Filesize
764KB

MD5
9ac9a9bf85d6bafc6e586aaae33e2ff2

SHA1
5f5bf3bc906d7a1c73c8d1db8e8b724e80a5ebbf

SHA256
6d35913d505c88664a82cdebc152ff7946052d4e53a8a3e91822e6471c2dd1ae

SHA512
bdb4ad2f4c421b2d9cac9d7d5dd35dca13dc6f6f5e097f4418d82a9976314074ccababa6474cad9a49b90c8d1dce72022eafeea4840e975faf5c2e1e3f499c92

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Stop.gen-9096aea718a781fff10669ace380c3e1905030469b8eeab8597f8f8df9d93c18.exe

Filesize
768KB

MD5
77c36556afc794900e8e90ff4a61d97e

SHA1
f0bda9fe7021e6021873a1ed2acfe8d0aec0426d

SHA256
9096aea718a781fff10669ace380c3e1905030469b8eeab8597f8f8df9d93c18

SHA512
e1446857e1cfce71b830c78d8eb928d2a91b3965e68db67647cda4e74e7d3a4fd7454b53805cb8831e715099d5df30af4a18dccf54b93998b5fa2c3f61f5656c

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Stop.gen-bea8903297612d6ecb4e70926ddfa5dd6e377f80cccd7095c61c1c7613497af0.exe

Filesize
275KB

MD5
785a361ce021c516c93e61da619ed886

SHA1
ce8204dec32af4764cc6c48cbce2c9acaeadaa5d

SHA256
bea8903297612d6ecb4e70926ddfa5dd6e377f80cccd7095c61c1c7613497af0

SHA512
e31e04b15f849309431e822a4745327df3bf28579be6d490035be62578dd804cba3a8cf4dff893fa64b5241292879c7c2ea874616e7d0ba8f4fe9df4b6586116

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan-Ransom.Win32.Stop.gen-d5b3a05a83dac1fde11c26bb358f513ddf0cb57853a141fecccda0446c842f81.exe

Filesize
755KB

MD5
2fc229a6b103c773ad1f8805f1a484cf

SHA1
96c021d336fdeba695ef9d9de3a22915cbee66dc

SHA256
d5b3a05a83dac1fde11c26bb358f513ddf0cb57853a141fecccda0446c842f81

SHA512
66b291694056d8ce82e499c7d3ef9cc7f829aa3348ff0d37e0402dcce55730927b5cbffc4a5901d7a5ddb4f970f45da0e0926fc98b64a63f79a23680097b8833

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan.MSIL.Crypt.gen-3b59af838761ee4ff8385a7faae31ae8b85dab162166b4717aa596312f05edeb.exe

Filesize
200KB

MD5
595f0e59e6e12a35e4930f5ea55b9213

SHA1
cc2a9901a770e502109a3be00109910bb230371b

SHA256
3b59af838761ee4ff8385a7faae31ae8b85dab162166b4717aa596312f05edeb

SHA512
7e335a22c789144fd864f265e3554b771fe80efa638f72f8ddf24ced6f3decb79e7886b90f8d0459e907b1fbd90641aef6306ec23c31768393f87413541db33a

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan.MSIL.Crypt.gen-405cb57f5332832c00f609c257f9f3fd3b9a7a0d4de0b4b25a0f565ac0e41a38.exe

Filesize
149KB

MD5
0324770b47cd12c8607972a1d6f89504

SHA1
a72498708d676da58c0a4aa6a32b8ddd7ea725ba

SHA256
405cb57f5332832c00f609c257f9f3fd3b9a7a0d4de0b4b25a0f565ac0e41a38

SHA512
71776dc3a991a1e5e1f3fd1b4afd3b856b67116eb9ec03402fff00b79d4082a23459edc4428d5aff8c6dc2a52c3c6c76f461e7e6bdbd3670c27c74dd373a3d68

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan.MSIL.Crypt.gen-5b80865d5297d1cbd80c13c54618224be1f4158444d3b23ef87da8d4d54abca2.exe

Filesize
178KB

MD5
bb1df2d013121b54f827ecdc0a04ecaf

SHA1
9b502ff022f66723d7bc575f2875eceb6f5551d2

SHA256
5b80865d5297d1cbd80c13c54618224be1f4158444d3b23ef87da8d4d54abca2

SHA512
cd951a4035d0ffe6d9f6808c0563337f3c95694ac04a2167064fffc037005f3f53906eda68f285312132e3b245091b8db519d8e6c112533b79e3a25f431149a2

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan.MSIL.Crypt.gen-5f219570beb65e284807547f6be3ce0f77b8bd627258ad9fb89f9adc7fc83544.exe

Filesize
163KB

MD5
9aa904e001c65c77e14cb93d844c3806

SHA1
5c333f56b52f3223db29f630db4a81bc914cf981

SHA256
5f219570beb65e284807547f6be3ce0f77b8bd627258ad9fb89f9adc7fc83544

SHA512
6a6fde59347199cec87f554f482adeef0f9314ce3a5c719c2120cc909b9a9b0c5976c6472081eac951595db613f05e52fd3a554f2cb6cf6aa9c200ea49720c0c

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan.MSIL.Crypt.gen-6349caa2ec7b9a49cb896e8fb3c911d23662bc1c74c301e398fb96b3caf1937e.exe

Filesize
161KB

MD5
05a19bc19537142a286e0be9330a4d91

SHA1
6bef8a4c6aa1655fdd88804ed8433ac0b0bf213c

SHA256
6349caa2ec7b9a49cb896e8fb3c911d23662bc1c74c301e398fb96b3caf1937e

SHA512
552a4d2d5819a04c15a5ac2d00d9f0e782dc2f4da8e5b6d2ea8fe6952bca582f2fff3cd59ce7f4dcda6d4bf3636824afe020e88035e29fffabf7208cb14e1400

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan.MSIL.Crypt.gen-73452652c09133e42a4b28ab8c4ee35bada34adf7add595355b2d61e614b07d8.exe

Filesize
118KB

MD5
d6fcde6449824652aa9ce6f8c2ef4ef4

SHA1
3d4a2af13cfcb4c275c8746a8cfa6cdb69861e38

SHA256
73452652c09133e42a4b28ab8c4ee35bada34adf7add595355b2d61e614b07d8

SHA512
8e98946ad9d33441c514b7bd0ea37a4d860db206599b9a3e42ee8c45e8f594f4c86f2395d9c4f2e0eb0b16655bfa58cbb74608eeb631e6d98dcbba0ae0bb14f5

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan.MSIL.Crypt.gen-86c75c301e17a4566e0204e3df7824cf5d77f70276a37385ee20893bd64f1842.exe

Filesize
107KB

MD5
33eacca2569b9266078e7fc24d6a4624

SHA1
2b2eca8695e67d1a55368bb3de58bb83bdb2adc3

SHA256
86c75c301e17a4566e0204e3df7824cf5d77f70276a37385ee20893bd64f1842

SHA512
29d84a57064527a60cc7f80673b3f91703741f8b28c6e8aa21312817eda46d737ae290801e3d5261e3f36e0182dd5c5b6c8f1d3b5b7b7bdfae3722d6e94e4888

Download Submit
C:\Users\Admin\Desktop\00471\HEUR-Trojan.MSIL.Crypt.gen-ee97ae0a4ba3c816692ba9813137afd58b8e8012eb2d64757124801901046a5d.exe

Filesize
267KB

MD5
bcc28b45d57f65aeb88a241e5b1cacf9

SHA1
7c2f1a345c84618771cafcbca8bb7ee3f2bf9adb

SHA256
ee97ae0a4ba3c816692ba9813137afd58b8e8012eb2d64757124801901046a5d

SHA512
23cd8454aeaecfa311395feba71ae2648e2a17b48e69aae185ab2718a8f159f3fbcccf0c9fca547f41b61398ab91d048c3c852d53bb728482a8904b8590744ce

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Babuk.a-eec8782eacf1c447a8ddbfe795842958ff68511ddbb5025255151f2b98fe8f78.exe

Filesize
79KB

MD5
fac0e87946775469b89c32afab0cc8a1

SHA1
33986e520212415a7fc802affb9a1cf05a5a155e

SHA256
eec8782eacf1c447a8ddbfe795842958ff68511ddbb5025255151f2b98fe8f78

SHA512
a5ec0197223c9f10182cf6f381bbcc3ab5de8a3dab9da0b5d3245e383257c85d5082aa2c5c0ba985fdf3cd64641a38b93d67dabc446961be4fb6a7883bdddd37

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Blocker.bvxm-3fe213b51439d34b374ed5d7ab3cf0cfc60737fd11a9c3a54e7a0a9a1236b07f.exe

Filesize
2.1MB

MD5
99989a0ec2ff234bb237e9071c1ab74c

SHA1
aab943fbed79515e154b7ce8b17f9b1545a2ecfd

SHA256
3fe213b51439d34b374ed5d7ab3cf0cfc60737fd11a9c3a54e7a0a9a1236b07f

SHA512
1206ad47b88c9746e3e132ff38669c5d0fc511eb6197f2c8f8b52fe8fe14059437caef0a8d3f6580d94a0cca6008c11581702122262950f4098df26c2df8021f

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Blocker.mgn-047a6c98edceb9053d9fc7897324dc5f05bc3cb2db4d19c73075375f692cb385.exe

Filesize
388KB

MD5
e95216480a5070f7510589834e73d745

SHA1
39514ba40d84d1471921977a312a27543cc03112

SHA256
047a6c98edceb9053d9fc7897324dc5f05bc3cb2db4d19c73075375f692cb385

SHA512
f1f18c10356dd302f2054ee65625f50db8a624a9c15bcb957ac1a9fc7c60ef6dfd32aee832da9338a704cc7276f608b245f8113ff1b6b95f9eb9530c78a5a358

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Blocker.nbxf-d94311fc599649d6b3f7113a7c1e23764f3dded3c9a7f6c2e9e838e7a805245b.exe

Filesize
4.6MB

MD5
22e71ae7e2511d11668ed2a704b23408

SHA1
7d76d5a056568022964004026b1f880633faac9a

SHA256
d94311fc599649d6b3f7113a7c1e23764f3dded3c9a7f6c2e9e838e7a805245b

SHA512
0151442e7d129d7511cb5f46eb22ed7eb321c9ab82750d5a8e01fcef4429bbae2ef0e64302dec104297c5a4124e48e18110b3419e3879d92e035a110f6a92f67

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Blocker.nbxl-ab0de3d2c520091f33f2d85d5122c8324b8ce55a148296a8985694e2ead3f5c6.exe

Filesize
5.3MB

MD5
8eff931281e4b8430b9b0b868778936a

SHA1
b9f3854e38d974abfcd42e760cbb04162d5dce54

SHA256
ab0de3d2c520091f33f2d85d5122c8324b8ce55a148296a8985694e2ead3f5c6

SHA512
ff267962b7595d00bba1b19bbc11fc034c297bbac273c9cf90e493345771e0e133d25ad845c2c2a7f3aa97aac7f4d2f8e597c6d05392bef51423ef6c2541da5f

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Crypmodng.km-b64322209e72abda1b71e10d5e73933d45bbd7337d1b866a3d073605afdfee34.exe

Filesize
1.6MB

MD5
f2cd5ed8118492dada47e27bc4abab50

SHA1
09ee5899609c93a5a4f5f2200a3dadcce3eef86c

SHA256
b64322209e72abda1b71e10d5e73933d45bbd7337d1b866a3d073605afdfee34

SHA512
b719adc5cff06dfb1e47f6a3ee1121ff47985951984eb11ff00d6608f075acb3fb9dc93a3ad44d6fafa324128d2b0c4af29c77b4bc76e683937eea18f12adc58

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Encoder.nuu-275c5c1b3ab039f833b1ef1f59d5a814ace056e4281a73b19fc6744ae81abea0.exe

Filesize
1.4MB

MD5
1499b6571321ddb6c51206499e7e3b9a

SHA1
3a3f70393668e1128cd3ce00495926d6a8daf47e

SHA256
275c5c1b3ab039f833b1ef1f59d5a814ace056e4281a73b19fc6744ae81abea0

SHA512
53eaba88bfa5c22adb5ac5908919dc33e4afe61bd696dc3a1db7ead763ae0c244beb9904cbe75ab362097a828cd2ec8720a40bba596d93e4ea74f48b3fc62207

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Encoder.nuv-ae989824f3a7dc8bfc00d840ced60e1685cc0b76d46b36d884c3c4e69841284f.exe

Filesize
10.4MB

MD5
03e2b3bc796c13174c8789abd48b0be9

SHA1
b8b741e3d83252f212c918a51ba800d9b70260d8

SHA256
ae989824f3a7dc8bfc00d840ced60e1685cc0b76d46b36d884c3c4e69841284f

SHA512
15957ef99ea29c072821e6ffae9e12bb6f52b632bbb1c9f0aa4658d5d3954450e94c2e89a4f36183fe0482b51e90d6767d06600c1d214bbe71a7a0a3f4be598d

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.GenericCryptor.cys-9a099577d01da03b07cdbe8ae1fd6e5943a335a38be8ad637d84e08ee14ff957.exe

Filesize
542KB

MD5
d37f0a38077d658129993522c196e66b

SHA1
ad6e86e8f18b84ffb9d4f52f56883821a69f627a

SHA256
9a099577d01da03b07cdbe8ae1fd6e5943a335a38be8ad637d84e08ee14ff957

SHA512
580b14905d8dc4099274ce5d5e8b716f1285e66cbbabe0f77389bd9e4a661dfbd98779210c75ac0c737f349847726dbbb2b6ad55963f31cf952284f7d646fd9e

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.GenericCryptor.czo-a16c3bb4dddbc736c68b9f4f8715e988b294edcd316d38ea8114a65891bdbcad.exe

Filesize
188KB

MD5
8f177b06a86b2ccafd887b3f5a100973

SHA1
caba7b14f58c21cfd920aed26e3b53e6e746d574

SHA256
a16c3bb4dddbc736c68b9f4f8715e988b294edcd316d38ea8114a65891bdbcad

SHA512
64b5c609c2b6c54044aad53d13702984aec76bc5f73c0f17f93c62fdb42a7b8414f1faedae17466ace6af7839003d431c017c838ab5ba138219befafcdd910a2

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.GenericCryptor.czx-df1b3dfcb3ff78a161473b14bbe02eda6c35c4a168e38034f122fbf6b6d78104.exe

Filesize
509KB

MD5
d4a66f034f69152477a11c86c21bb7e8

SHA1
f57c93cef8dcb45c1aa6378c87d0d447db51e5cc

SHA256
df1b3dfcb3ff78a161473b14bbe02eda6c35c4a168e38034f122fbf6b6d78104

SHA512
678d7c0e68de4e644cb206e57a3755c174f617d25cd7d85ce151ead6357960d4afe7c27462d9b2fd771e47cd618cf7bc09ef71429a4a11d2c34d4a0b5b0d87cc

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Knowbe.g-09316fd0393c78c9b8cba93e88c3ebfd344a79fda7a9ee10e090d4031b9f5945.exe

Filesize
5.1MB

MD5
494f2e9228e030b2cf725c18abf6c7dd

SHA1
97a173ae8733b451e5da5bb698b7b43606cbb79e

SHA256
09316fd0393c78c9b8cba93e88c3ebfd344a79fda7a9ee10e090d4031b9f5945

SHA512
612aebe89a9a6912f21c407fd47e53e4f012db4f57db5c98535df27ceb353e001b88682568e9192ab7c33c44d04e71240335ac72d343ff07f62371b67b3f1837

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.PornoAsset.cwjb-319124a056d375f60b24cfaf104f298cb1b049a60fb7a074a7ab7d5421a43def.exe

Filesize
50KB

MD5
0b6b02d1c1ee952f9de9eaccaf4c7016

SHA1
ec13cabefd81c443dfbd3e79bdb91440ad633908

SHA256
319124a056d375f60b24cfaf104f298cb1b049a60fb7a074a7ab7d5421a43def

SHA512
9e52899f588b29eb863733648f957f77ffcca0b9c7dae2323d44f3ebc7153cb8bce1c8268f532a9590880438a9b03f5720dfcb85f0babb28bbd5e53bb7dab5bf

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.PornoBlocker.ajrm-4b8ee68707e91a017f37a031fbd0da75cd223e1ffa192171a4c41b7848758d03.exe

Filesize
198KB

MD5
f0fd8777c1fc9dac949d175641e20855

SHA1
165235b61b8c4c50382a0fd3392cbc6f73bff3a4

SHA256
4b8ee68707e91a017f37a031fbd0da75cd223e1ffa192171a4c41b7848758d03

SHA512
86ad701d1030b98d95879d3547d9f9480d839bed5a60b81a464f0f8fa6b069b8206fe12baa14a907565311cd4466d48d646a8d27c62022c5b01fc1057d258791

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win32.Wanna.arcs-74b65410d93927d6831a61e8f2343fb1caa20b1f97980cd4c413f63315d0199a.exe

Filesize
4.1MB

MD5
894a998525381892d0b20af86a0917ce

SHA1
f858f51ca1bbb600264bb2d31a12c36887f5fc67

SHA256
74b65410d93927d6831a61e8f2343fb1caa20b1f97980cd4c413f63315d0199a

SHA512
f3bf8865ec10f1c17cd8f6c2dc94383ef0dc230ec067e4bdcc9b2c18be00d6407381559a2b2463c5ed5b269d71941dd1605dcaeaafc03a1b1faeded7e83fb5cf

Download Submit
C:\Users\Admin\Desktop\00471\Trojan-Ransom.Win64.LockFile.h-62629512c435acc24b083de1e1d128e66118301cb7be92651d85a8af5fe5b834.exe

Filesize
868KB

MD5
129e3b1628d0caf100a8ec9a4ab64530

SHA1
dd4d5c07e264934d422d34717436d798236e8425

SHA256
62629512c435acc24b083de1e1d128e66118301cb7be92651d85a8af5fe5b834

SHA512
5b1bd86ac1f27b7e706d87744f8483d779a13984414e3e675e5f762c76668b1a4623ec12995b42914c3a39a6acecb8a7e7a628152cbb5101699ec35975aa1e98

Download Submit
C:\Users\Admin\Desktop\00471\Trojan.MSIL.Crypt.dkcx-590abbe59291ed05b3c50deaa61d71fd93eb29df502166e9122f8f498e69c2f9.exe

Filesize
74KB

MD5
bc7f8252ebabe3894171619720e150ae

SHA1
21f3c4228e7ebdc15ff16f097559fca7a0460e49

SHA256
590abbe59291ed05b3c50deaa61d71fd93eb29df502166e9122f8f498e69c2f9

SHA512
ad96ae0a089aab6c83b7cfa43821fc31877324a2f505667e54db9fd8e64f5296bc819e240e35deb305f4c8fdea4f79c11e5c06c782a9a29f62aa8a9f4c525115

Download Submit
C:\Users\Admin\Desktop\00471\Trojan.MSIL.Crypt.hupy-714298d609de6a54c7d9257c3a39e41eccae7d35df37950fc97bc994278b7dd8.exe

Filesize
9.2MB

MD5
2a0c9ab26067d4f4c97faef6dd4a248f

SHA1
eb0165c13c64cbb73ca66d7073422edaacd9268b

SHA256
714298d609de6a54c7d9257c3a39e41eccae7d35df37950fc97bc994278b7dd8

SHA512
392016be0933c7534d91e21d96ec1fccfd6498e85644514632d3d3d7b8469879f788917998973167732f2a51943d7bb9b9a568f406fbd34cd620e4e881a4e37b

Download Submit
C:\Users\Admin\Desktop\00471\Trojan.MSIL.Crypt.hvqr-052144d37cfa44298ffca96a59b058597d937a4a021167a5bb0f8d6336a1bc22.exe

Filesize
27.4MB

MD5
0846856e86b829ec826c94a403c1022c

SHA1
b6e5599b2f9e5165bb9207509d84d845b596fff7

SHA256
052144d37cfa44298ffca96a59b058597d937a4a021167a5bb0f8d6336a1bc22

SHA512
53f134d67647e70e6cdd00d4c801ed0108e8f6a9f9949f9ead6a699362f93e02af4669fcf48f62bb3a0d0760e505acaf7db6b7392e71d3d065d95580f572c407

Download Submit
C:\Users\Admin\Desktop\00471\Trojan.MSIL.Crypt.pfa-7344c76a34fcb59ebd977bcd45f37c16f6a9e0e3b19b84bc79a6b53cba033d95.exe

Filesize
756KB

MD5
50e5791c62df0d375e481491095a74c3

SHA1
b0ad30f4391a3f50977d87d8d410fa573525dac6

SHA256
7344c76a34fcb59ebd977bcd45f37c16f6a9e0e3b19b84bc79a6b53cba033d95

SHA512
31f18ceb3b90001726abec7c1bd75ccf25755cd5138a0193c94edc42aaa8560a959d56d325e96ec5d394ede834f4464f5915e9e671fb84d538970d9a3a0f77f1

Download Submit
memory/1072-100-0x0000025E16A40000-0x0000025E16A62000-memory.dmp

Filesize
136KB

Download
memory/1072-105-0x0000025E2FB00000-0x0000025E2FB76000-memory.dmp

Filesize
472KB

Download
memory/1072-104-0x0000025E2FA30000-0x0000025E2FA74000-memory.dmp

Filesize
272KB

Download
memory/1408-252-0x0000000000F20000-0x0000000000F38000-memory.dmp

Filesize
96KB

Download
memory/1408-256-0x0000000005720000-0x0000000005726000-memory.dmp

Filesize
24KB

Download
memory/1836-106-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-107-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-108-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-118-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-117-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-116-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-115-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-114-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-113-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/1836-112-0x000001187D470000-0x000001187D471000-memory.dmp

Filesize
4KB

Download
memory/2240-180-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-155-0x000000001C4C0000-0x000000001C566000-memory.dmp

Filesize
664KB

Download
memory/2240-174-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-182-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-186-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-188-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-191-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-192-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-194-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-196-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-198-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-200-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-374-0x000000001F2D0000-0x000000001F2EE000-memory.dmp

Filesize
120KB

Download
memory/2240-373-0x000000001D0D0000-0x000000001D0FC000-memory.dmp

Filesize
176KB

Download
memory/2240-202-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-372-0x000000001D370000-0x000000001D416000-memory.dmp

Filesize
664KB

Download
memory/2240-204-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-178-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-184-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-176-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-172-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-161-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-143-0x0000000000610000-0x0000000000744000-memory.dmp

Filesize
1.2MB

Download
memory/2240-170-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-168-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-166-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-164-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2240-162-0x000000001C4C0000-0x000000001C55F000-memory.dmp

Filesize
636KB

Download
memory/2968-211-0x0000000005710000-0x0000000005716000-memory.dmp

Filesize
24KB

Download
memory/2968-156-0x0000000000160000-0x0000000000292000-memory.dmp

Filesize
1.2MB

Download
memory/2968-249-0x0000000005230000-0x0000000005236000-memory.dmp

Filesize
24KB

Download
memory/3408-973-0x000000001DA40000-0x000000001DAE6000-memory.dmp

Filesize
664KB

Download
memory/3864-493-0x0000000002340000-0x00000000023C8000-memory.dmp

Filesize
544KB

Download
memory/3864-492-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/3864-935-0x0000000003B60000-0x0000000003BB2000-memory.dmp

Filesize
328KB

Download
memory/3864-936-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/3864-937-0x0000000003BB0000-0x0000000003C04000-memory.dmp

Filesize
336KB

Download
memory/3864-938-0x000000001CC00000-0x000000001CC4C000-memory.dmp

Filesize
304KB

Download
memory/4060-148-0x0000000000D50000-0x0000000000DF6000-memory.dmp

Filesize
664KB

Download
memory/5068-248-0x0000000005290000-0x000000000529A000-memory.dmp

Filesize
40KB

Download
memory/5068-157-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/5068-158-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/5068-154-0x00000000007F0000-0x0000000000812000-memory.dmp

Filesize
136KB

Download