Analysis
-
max time kernel
216s -
max time network
216s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-10-2024 20:21
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00465.7z
Resource
win10v2004-20241007-en
General
-
Target
RNSM00465.7z
-
Size
22.9MB
-
MD5
d565dedc4e69f09e4c6af080b5abd80e
-
SHA1
07f520b14da34c3ff9d10fcf914b587617600831
-
SHA256
5f5b9a128c1edbcc32df898fbeb4b49740c3c3508aae3e3168a1c78d57f8b616
-
SHA512
2cfb9fa69be795841df0f2a02056a24e6f8cbbeca302c3279460044afc12e9a0f27f94d1035504bb5d4285cda65232698a5dcbece871caef23ead2be876e5d8f
-
SSDEEP
393216:si92YBqRzfashchMEfjT0f77sShjDKXZRQbZyfe3fNo8NtbqTuo6DTEmBvYSWdgH:s0qRb9hchmf77/yZRQkfevNo8NMTQQmn
Malware Config
Extracted
njrat
0.7d
HacKed
127.0.0.1:5552
165d6ed988ac1dbec1627a1ca9899d84
-
reg_key
165d6ed988ac1dbec1627a1ca9899d84
-
splitter
|'|'|
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\HOW-TO-DECRYPT.TXT
http://mail2tor2zyjdctd.onion/
Extracted
C:\Program Files\Common Files\DESIGNER\YOUR_FILES_ARE_ENCRYPTED.HTML
Extracted
djvu
http://astdg.top/fhsgtsspen6/get.php
-
extension
.orkf
-
offline_id
4aBXQVNZ4BhjpMjt78QLIFtBSJPbgbflYLHrBut1
-
payload_url
http://securebiz.org/dl/build2.exe
http://astdg.top/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ykQaS2tRyB Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0328gDrgo
Extracted
C:\Program Files\7-Zip\Lang\Recovery+qmsve.txt
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/9AFA7123D1D3982
http://b4youfred5485jgsa3453f.italazudda.com/9AFA7123D1D3982
http://5rport45vcdef345adfkksawe.bematvocal.at/9AFA7123D1D3982
http://fwgrhsao3aoml7ej.onion/9AFA7123D1D3982
http://fwgrhsao3aoml7ej.ONION/9AFA7123D1D3982
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description ioc Process File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\UserControls\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\he-il\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Microsoft Office 15\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Mozilla Firefox\browser\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\VideoLAN\VLC\locale\tr\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\VideoLAN\VLC\plugins\codec\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Retail\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\VideoLAN\VLC\plugins\d3d11\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe -
Detected Djvu ransomware 4 IoCs
resource yara_rule behavioral1/memory/3612-5014-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3612-5015-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3612-9471-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3612-10690-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Trojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe -
Renames multiple (974) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (997) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 6968 netsh.exe 8956 netsh.exe -
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/files/0x0007000000023cbc-176.dat net_reactor -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Trojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Trojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation HEUR-Trojan.MSIL.Crypt.gen-57221ac04e04d59c42bdc9ab1a4473332fa677d6e78d61f4d960873e1be7e41d.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation HEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Trojan-Ransom.Win32.Cryptodef.aoo-43b75edc17e828b7f668d7d11a649d9896aa22b4f15c8dc3768b5435f3179065.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation gvmwmgvuvfyg.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation COM7.EXE -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF Reader Launcher.exe COM7.EXE File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9d1cc64fe9a6a8e706d093702e0b1ae6.exe system.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9d1cc64fe9a6a8e706d093702e0b1ae6.exe system.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe -
Executes dropped EXE 37 IoCs
pid Process 4668 HEUR-Trojan-Ransom.MSIL.Blocker.gen-416f43694c2b70db2aa8120523be9eaa7d691d93ffa49c8a8aba362e95ed0426.exe 4528 HEUR-Trojan-Ransom.Win32.Agent.gen-13bf920e93a30ec43c846a7d48726cd522a4ada3c720b3d7db133d894e189616.exe 452 HEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exe 1596 HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2945b7db43804037c527eeb893cbde78d496b6053704710337699e8dbb104438.exe 5000 HEUR-Trojan-Ransom.Win32.Cryptoff.vho-f17f9e363bad27c36efda5419008af0148a5a533b4491affbe74f37ad86da52c.exe 1140 HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe 940 HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe 1668 HEUR-Trojan.MSIL.Crypt.gen-3628769697549b788743f590f8a7115b691d67516efc9d7fcefba125b4f06a2c.exe 868 zbhnd.exe 4820 HEUR-Trojan.MSIL.Crypt.gen-57221ac04e04d59c42bdc9ab1a4473332fa677d6e78d61f4d960873e1be7e41d.exe 3496 HEUR-Trojan.MSIL.Crypt.gen-61582ff86199c44030bc077b361adcc5ba3a6dcef67e59fc6ad64bb614c70da0.exe 4880 HEUR-Trojan.MSIL.Crypt.gen-a926ff2716bee38e336a5fa943d14553ca150f844a24bba5de92fd0ccd5e3622.exe 4352 HEUR-Trojan.MSIL.Crypt.gen-cd09d832a2a41b9ee2d888f4a7a34d29584d5d2bf86c80f8df0df0de6b2f7ebc.exe 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe 3792 Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe 4312 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 1964 Trojan-Ransom.Win32.Blocker.mgn-7c8bf1494361bd5b88f4fa65e4ec59fd6df4f5647deeeb8e832ea004d5ba615f.exe 4228 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 4424 Trojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe 3716 gvmwmgvuvfyg.exe 4788 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 3472 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 968 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 2156 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 1944 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 2652 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 1376 Trojan-Ransom.Win32.Cryptodef.aoo-43b75edc17e828b7f668d7d11a649d9896aa22b4f15c8dc3768b5435f3179065.exe 3796 wujek.exe 4608 ashcv.exe 1064 COM7.EXE 3612 HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe 304 ashcv.exe 8028 COM7.EXE 4952 HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe 9744 HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe 1056 system.exe -
Loads dropped DLL 18 IoCs
pid Process 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 2776 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4716 icacls.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/4424-358-0x0000000000550000-0x0000000000D80000-memory.dmp themida behavioral1/memory/4424-360-0x0000000000550000-0x0000000000D80000-memory.dmp themida -
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9d1cc64fe9a6a8e706d093702e0b1ae6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." system.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9d1cc64fe9a6a8e706d093702e0b1ae6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." system.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3aokbbp33e = "C:\\Users\\Admin\\Desktop\\00465\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-f17f9e363bad27c36efda5419008af0148a5a533b4491affbe74f37ad86da52c.exe" HEUR-Trojan-Ransom.Win32.Cryptoff.vho-f17f9e363bad27c36efda5419008af0148a5a533b4491affbe74f37ad86da52c.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmxqdqaxnnrv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gvmwmgvuvfyg.exe\"" gvmwmgvuvfyg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iconrdb = "C:\\Users\\Admin\\AppData\\Roaming\\iconrdb.exe" Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b5d9b76f-ac85-47e7-9e74-0da0d70f218b\\HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe\" --AutoStart" HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM_LOADER = "\\\\.\\F:\\Program Files\\PDF_Reader\\bin\\COM7.EXE" reg.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Trojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe -
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Public\Libraries\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Public\Downloads\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Public\Documents\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Public\Videos\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files (x86)\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Public\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Public\Music\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Public\Pictures\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Users\Admin\3D Objects\desktop.ini Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe File opened for modification C:\Users\Admin\Music\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Public\Desktop\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Users\Admin\Links\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe -
Enumerates connected drives 3 TTPs 45 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\X: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\H: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\L: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\N: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\Z: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\A: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\W: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\E: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\H: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\V: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\K: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\L: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\Z: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\E: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\J: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\P: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\T: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\N: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\V: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\B: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\S: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\U: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\Y: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\J: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\Q: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\O: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\G: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\G: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\R: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\W: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\X: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\Q: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\Y: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\T: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\S: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\B: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\M: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\I: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\P: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\M: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened (read-only) \??\I: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\K: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\O: HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened (read-only) \??\R: Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 34 api.2ip.ua 35 api.2ip.ua 46 api.2ip.ua -
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened for modification C:\AUTORUN.INF HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened for modification F:\AUTORUN.INF Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\AUTORUN.INF Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification \??\M:\AUTORUN.INF HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File opened for modification C:\Windows\SysWOW64\HelpMe.exe HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe File created C:\Windows\SysWOW64\notepad.exe.exe HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4424 Trojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 940 set thread context of 3612 940 HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe 163 PID 4952 set thread context of 9744 4952 HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe 173 -
resource yara_rule behavioral1/memory/1596-119-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/files/0x0007000000023cb7-117.dat upx behavioral1/files/0x0007000000023cdc-128.dat upx behavioral1/memory/1596-361-0x0000000000400000-0x00000000005BB000-memory.dmp upx behavioral1/memory/1596-5854-0x0000000000400000-0x00000000005BB000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-125.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\Recovery+qmsve.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Core.winmd Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\Recovery+qmsve.txt gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-256.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Text.RegularExpressions.dll Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\Recovery+qmsve.html gvmwmgvuvfyg.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Recovery+qmsve.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-200.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\Recovery+qmsve.html gvmwmgvuvfyg.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\Recovery+qmsve.html gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlInnerCircleHover.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\InvokeOpen.xht Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-100.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-200.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX gvmwmgvuvfyg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\Recovery+qmsve.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-white.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-200.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-48.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\Recovery+qmsve.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60_altform-lightunplated.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Recovery+qmsve.html gvmwmgvuvfyg.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-white.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Recovery+qmsve.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\Recovery+qmsve.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-200.png gvmwmgvuvfyg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+qmsve.html gvmwmgvuvfyg.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-125.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1851_20x20x32.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_altform-unplated_contrast-white.png Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\gvmwmgvuvfyg.exe Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe File opened for modification C:\Windows\gvmwmgvuvfyg.exe Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral1/files/0x0007000000023cc2-234.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language COM7.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ashcv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wujek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan.MSIL.Crypt.gen-57221ac04e04d59c42bdc9ab1a4473332fa677d6e78d61f4d960873e1be7e41d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gvmwmgvuvfyg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zbhnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.mgn-7c8bf1494361bd5b88f4fa65e4ec59fd6df4f5647deeeb8e832ea004d5ba615f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ashcv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan.MSIL.Crypt.gen-a926ff2716bee38e336a5fa943d14553ca150f844a24bba5de92fd0ccd5e3622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Cryptodef.aoo-43b75edc17e828b7f668d7d11a649d9896aa22b4f15c8dc3768b5435f3179065.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language COM7.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Agent.gen-13bf920e93a30ec43c846a7d48726cd522a4ada3c720b3d7db133d894e189616.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 9908 cmd.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 5632 reg.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 5800 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1152 powershell.exe 1152 powershell.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 868 7zFM.exe 3672 taskmgr.exe 8652 OpenWith.exe 9728 OpenWith.exe 1596 OpenWith.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 868 7zFM.exe Token: 35 868 7zFM.exe Token: SeSecurityPrivilege 868 7zFM.exe Token: SeSecurityPrivilege 868 7zFM.exe Token: SeDebugPrivilege 1152 powershell.exe Token: SeDebugPrivilege 4580 taskmgr.exe Token: SeSystemProfilePrivilege 4580 taskmgr.exe Token: SeCreateGlobalPrivilege 4580 taskmgr.exe Token: SeDebugPrivilege 3672 taskmgr.exe Token: SeSystemProfilePrivilege 3672 taskmgr.exe Token: SeCreateGlobalPrivilege 3672 taskmgr.exe Token: 33 4580 taskmgr.exe Token: SeIncBasePriorityPrivilege 4580 taskmgr.exe Token: SeDebugPrivilege 4668 HEUR-Trojan-Ransom.MSIL.Blocker.gen-416f43694c2b70db2aa8120523be9eaa7d691d93ffa49c8a8aba362e95ed0426.exe Token: SeDebugPrivilege 3496 HEUR-Trojan.MSIL.Crypt.gen-61582ff86199c44030bc077b361adcc5ba3a6dcef67e59fc6ad64bb614c70da0.exe Token: SeBackupPrivilege 3892 dw20.exe Token: SeBackupPrivilege 3892 dw20.exe Token: SeTakeOwnershipPrivilege 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Token: SeBackupPrivilege 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Token: SeSecurityPrivilege 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Token: SeRestorePrivilege 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Token: SeDebugPrivilege 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Token: SeImpersonatePrivilege 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Token: SeIncBasePriorityPrivilege 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Token: SeIncBasePriorityPrivilege 2192 Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe Token: SeDebugPrivilege 3792 Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe Token: SeDebugPrivilege 3716 gvmwmgvuvfyg.exe Token: SeBackupPrivilege 4776 vssvc.exe Token: SeRestorePrivilege 4776 vssvc.exe Token: SeAuditPrivilege 4776 vssvc.exe Token: SeIncreaseQuotaPrivilege 4528 WMIC.exe Token: SeSecurityPrivilege 4528 WMIC.exe Token: SeTakeOwnershipPrivilege 4528 WMIC.exe Token: SeLoadDriverPrivilege 4528 WMIC.exe Token: SeSystemProfilePrivilege 4528 WMIC.exe Token: SeSystemtimePrivilege 4528 WMIC.exe Token: SeProfSingleProcessPrivilege 4528 WMIC.exe Token: SeIncBasePriorityPrivilege 4528 WMIC.exe Token: SeCreatePagefilePrivilege 4528 WMIC.exe Token: SeBackupPrivilege 4528 WMIC.exe Token: SeRestorePrivilege 4528 WMIC.exe Token: SeShutdownPrivilege 4528 WMIC.exe Token: SeDebugPrivilege 4528 WMIC.exe Token: SeSystemEnvironmentPrivilege 4528 WMIC.exe Token: SeRemoteShutdownPrivilege 4528 WMIC.exe Token: SeUndockPrivilege 4528 WMIC.exe Token: SeManageVolumePrivilege 4528 WMIC.exe Token: 33 4528 WMIC.exe Token: 34 4528 WMIC.exe Token: 35 4528 WMIC.exe Token: 36 4528 WMIC.exe Token: SeIncreaseQuotaPrivilege 4528 WMIC.exe Token: SeSecurityPrivilege 4528 WMIC.exe Token: SeTakeOwnershipPrivilege 4528 WMIC.exe Token: SeLoadDriverPrivilege 4528 WMIC.exe Token: SeSystemProfilePrivilege 4528 WMIC.exe Token: SeSystemtimePrivilege 4528 WMIC.exe Token: SeProfSingleProcessPrivilege 4528 WMIC.exe Token: SeIncBasePriorityPrivilege 4528 WMIC.exe Token: SeCreatePagefilePrivilege 4528 WMIC.exe Token: SeBackupPrivilege 4528 WMIC.exe Token: SeRestorePrivilege 4528 WMIC.exe Token: SeShutdownPrivilege 4528 WMIC.exe Token: SeDebugPrivilege 4528 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 868 7zFM.exe 868 7zFM.exe 868 7zFM.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 4580 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe 3672 taskmgr.exe -
Suspicious use of SetWindowsHookEx 62 IoCs
pid Process 2228 OpenWith.exe 4608 ashcv.exe 10084 OpenWith.exe 4696 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 8652 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 9728 OpenWith.exe 8564 OpenWith.exe 8564 OpenWith.exe 8564 OpenWith.exe 8564 OpenWith.exe 8564 OpenWith.exe 8564 OpenWith.exe 8564 OpenWith.exe 8564 OpenWith.exe 8564 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 1596 OpenWith.exe 9904 OpenWith.exe 9904 OpenWith.exe 9904 OpenWith.exe 9904 OpenWith.exe 9904 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1152 wrote to memory of 3704 1152 powershell.exe 94 PID 1152 wrote to memory of 3704 1152 powershell.exe 94 PID 4580 wrote to memory of 3672 4580 taskmgr.exe 96 PID 4580 wrote to memory of 3672 4580 taskmgr.exe 96 PID 3704 wrote to memory of 4668 3704 cmd.exe 97 PID 3704 wrote to memory of 4668 3704 cmd.exe 97 PID 3704 wrote to memory of 4528 3704 cmd.exe 99 PID 3704 wrote to memory of 4528 3704 cmd.exe 99 PID 3704 wrote to memory of 4528 3704 cmd.exe 99 PID 3704 wrote to memory of 452 3704 cmd.exe 101 PID 3704 wrote to memory of 452 3704 cmd.exe 101 PID 3704 wrote to memory of 452 3704 cmd.exe 101 PID 3704 wrote to memory of 1596 3704 cmd.exe 102 PID 3704 wrote to memory of 1596 3704 cmd.exe 102 PID 3704 wrote to memory of 5000 3704 cmd.exe 103 PID 3704 wrote to memory of 5000 3704 cmd.exe 103 PID 3704 wrote to memory of 1140 3704 cmd.exe 106 PID 3704 wrote to memory of 1140 3704 cmd.exe 106 PID 3704 wrote to memory of 1140 3704 cmd.exe 106 PID 3704 wrote to memory of 940 3704 cmd.exe 107 PID 3704 wrote to memory of 940 3704 cmd.exe 107 PID 3704 wrote to memory of 940 3704 cmd.exe 107 PID 3704 wrote to memory of 1668 3704 cmd.exe 109 PID 3704 wrote to memory of 1668 3704 cmd.exe 109 PID 452 wrote to memory of 868 452 HEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exe 110 PID 452 wrote to memory of 868 452 HEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exe 110 PID 452 wrote to memory of 868 452 HEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exe 110 PID 3704 wrote to memory of 4820 3704 cmd.exe 111 PID 3704 wrote to memory of 4820 3704 cmd.exe 111 PID 3704 wrote to memory of 4820 3704 cmd.exe 111 PID 3704 wrote to memory of 3496 3704 cmd.exe 114 PID 3704 wrote to memory of 3496 3704 cmd.exe 114 PID 1668 wrote to memory of 3892 1668 HEUR-Trojan.MSIL.Crypt.gen-3628769697549b788743f590f8a7115b691d67516efc9d7fcefba125b4f06a2c.exe 115 PID 1668 wrote to memory of 3892 1668 HEUR-Trojan.MSIL.Crypt.gen-3628769697549b788743f590f8a7115b691d67516efc9d7fcefba125b4f06a2c.exe 115 PID 3704 wrote to memory of 4880 3704 cmd.exe 116 PID 3704 wrote to memory of 4880 3704 cmd.exe 116 PID 3704 wrote to memory of 4880 3704 cmd.exe 116 PID 3704 wrote to memory of 4352 3704 cmd.exe 119 PID 3704 wrote to memory of 4352 3704 cmd.exe 119 PID 3704 wrote to memory of 2192 3704 cmd.exe 120 PID 3704 wrote to memory of 2192 3704 cmd.exe 120 PID 3704 wrote to memory of 2192 3704 cmd.exe 120 PID 3704 wrote to memory of 3792 3704 cmd.exe 121 PID 3704 wrote to memory of 3792 3704 cmd.exe 121 PID 3704 wrote to memory of 3792 3704 cmd.exe 121 PID 3704 wrote to memory of 4312 3704 cmd.exe 122 PID 3704 wrote to memory of 4312 3704 cmd.exe 122 PID 3704 wrote to memory of 4312 3704 cmd.exe 122 PID 4312 wrote to memory of 2776 4312 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 123 PID 4312 wrote to memory of 2776 4312 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 123 PID 4312 wrote to memory of 2776 4312 Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe 123 PID 3704 wrote to memory of 1964 3704 cmd.exe 124 PID 3704 wrote to memory of 1964 3704 cmd.exe 124 PID 3704 wrote to memory of 1964 3704 cmd.exe 124 PID 3704 wrote to memory of 4228 3704 cmd.exe 125 PID 3704 wrote to memory of 4228 3704 cmd.exe 125 PID 3704 wrote to memory of 4424 3704 cmd.exe 126 PID 3704 wrote to memory of 4424 3704 cmd.exe 126 PID 3704 wrote to memory of 4424 3704 cmd.exe 126 PID 3792 wrote to memory of 3716 3792 Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe 128 PID 3792 wrote to memory of 3716 3792 Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe 128 PID 3792 wrote to memory of 3716 3792 Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe 128 PID 4228 wrote to memory of 4788 4228 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 129 PID 4228 wrote to memory of 4788 4228 Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe 129 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" gvmwmgvuvfyg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gvmwmgvuvfyg.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00465.7z1⤵
- Modifies registry class
PID:4496
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2228
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5000
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00465.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:868
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.MSIL.Blocker.gen-416f43694c2b70db2aa8120523be9eaa7d691d93ffa49c8a8aba362e95ed0426.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-416f43694c2b70db2aa8120523be9eaa7d691d93ffa49c8a8aba362e95ed0426.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Agent.gen-13bf920e93a30ec43c846a7d48726cd522a4ada3c720b3d7db133d894e189616.exeHEUR-Trojan-Ransom.Win32.Agent.gen-13bf920e93a30ec43c846a7d48726cd522a4ada3c720b3d7db133d894e189616.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4528
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exeHEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:868
-
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2945b7db43804037c527eeb893cbde78d496b6053704710337699e8dbb104438.exeHEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2945b7db43804037c527eeb893cbde78d496b6053704710337699e8dbb104438.exe3⤵
- Executes dropped EXE
PID:1596
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-f17f9e363bad27c36efda5419008af0148a5a533b4491affbe74f37ad86da52c.exeHEUR-Trojan-Ransom.Win32.Cryptoff.vho-f17f9e363bad27c36efda5419008af0148a5a533b4491affbe74f37ad86da52c.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5000
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exeHEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe3⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1140
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exeHEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:940 -
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exeHEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\b5d9b76f-ac85-47e7-9e74-0da0d70f218b" /deny *S-1-1-0:(OI)(CI)(DE,DC)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4716
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe"C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe"C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe" --Admin IsNotAutoStart IsNotTask6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9744
-
-
-
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-3628769697549b788743f590f8a7115b691d67516efc9d7fcefba125b4f06a2c.exeHEUR-Trojan.MSIL.Crypt.gen-3628769697549b788743f590f8a7115b691d67516efc9d7fcefba125b4f06a2c.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 8604⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-57221ac04e04d59c42bdc9ab1a4473332fa677d6e78d61f4d960873e1be7e41d.exeHEUR-Trojan.MSIL.Crypt.gen-57221ac04e04d59c42bdc9ab1a4473332fa677d6e78d61f4d960873e1be7e41d.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\system.exe"C:\Users\Admin\AppData\Local\Temp\system.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:8956
-
-
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-61582ff86199c44030bc077b361adcc5ba3a6dcef67e59fc6ad64bb614c70da0.exeHEUR-Trojan.MSIL.Crypt.gen-61582ff86199c44030bc077b361adcc5ba3a6dcef67e59fc6ad64bb614c70da0.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-a926ff2716bee38e336a5fa943d14553ca150f844a24bba5de92fd0ccd5e3622.exeHEUR-Trojan.MSIL.Crypt.gen-a926ff2716bee38e336a5fa943d14553ca150f844a24bba5de92fd0ccd5e3622.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-a926ff2716bee38e336a5fa943d14553ca150f844a24bba5de92fd0ccd5e3622.exe" "HEUR-Trojan.MSIL.Crypt.gen-a926ff2716bee38e336a5fa943d14553ca150f844a24bba5de92fd0ccd5e3622.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:6968
-
-
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-cd09d832a2a41b9ee2d888f4a7a34d29584d5d2bf86c80f8df0df0de6b2f7ebc.exeHEUR-Trojan.MSIL.Crypt.gen-cd09d832a2a41b9ee2d888f4a7a34d29584d5d2bf86c80f8df0df0de6b2f7ebc.exe3⤵
- Executes dropped EXE
PID:4352
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exeTrojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe3⤵
- Chimera
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 127.0.0.1 -n 10 > nul & del /f /q "C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe" > nul4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:9908
-
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exeTrojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\gvmwmgvuvfyg.exeC:\Windows\gvmwmgvuvfyg.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3716 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\Desktop\00465\TROJAN~2.EXE4⤵
- System Location Discovery: System Language Discovery
PID:3728
-
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exeTrojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exeTrojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2776
-
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Blocker.mgn-7c8bf1494361bd5b88f4fa65e4ec59fd6df4f5647deeeb8e832ea004d5ba615f.exeTrojan-Ransom.Win32.Blocker.mgn-7c8bf1494361bd5b88f4fa65e4ec59fd6df4f5647deeeb8e832ea004d5ba615f.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8028
-
-
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5632
-
-
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:304
-
-
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exeTrojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe.4⤵
- Executes dropped EXE
PID:4788
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exeC:\Users\Admin4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
PID:3472
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exeC:\ProgramData4⤵
- Executes dropped EXE
PID:968
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exeC:\Program Files4⤵
- Executes dropped EXE
PID:2156
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exeC:\Users\Admin\AppData\Roaming4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
PID:1944
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Crypmodng.jp-84f8464c7d0d56a14b4a53532a64031a333f235103dd637042bf03db2d26b2df.exe\\DADDYSERVER4⤵
- Executes dropped EXE
PID:2652
-
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exeTrojan-Ransom.Win32.Crypren.aiep-369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4424
-
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Cryptodef.aoo-43b75edc17e828b7f668d7d11a649d9896aa22b4f15c8dc3768b5435f3179065.exeTrojan-Ransom.Win32.Cryptodef.aoo-43b75edc17e828b7f668d7d11a649d9896aa22b4f15c8dc3768b5435f3179065.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\wujek.exe"C:\Users\Admin\AppData\Local\Temp\wujek.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3796
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3672
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:3560
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10084
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4696
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:8652
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:9728
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8564
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1596 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00465\YOUR_FILES_ARE_ENCRYPTED.HTML2⤵
- Opens file in notepad (likely ransom note)
PID:5800
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9904
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
2File Deletion
2Modify Registry
4Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.4MB
MD51ddf44b7899f6b6babcfcbe197751d7e
SHA16313ca49def7c361bf8263895b7280159ab04fee
SHA2569f8cbe94e7ab704818e9ba13fa6f879fa6b9b2c68f93de3ef53b8a6ee72909da
SHA5126abfe7f7d6757dfecf4d251dc4cea0fa73ea961269e79c692e6d3365362a9844811beb66ccb5751dd198bdc05384ddcddaa0f791e2e10a05da73046e3cc39744
-
Filesize
1.8MB
MD5988f71e201c9458e8eb50461f98c2b87
SHA17d3197ae673f5ff4528bfc6f19840cd5f6193ecd
SHA2567d8ad6f80fd7e1e58234d4ba33c8c5543d65becb0108e24242086387483ec028
SHA5127107237e4d58bfd64246aec022da930aa562bab4cf4b58304f949ba879a534231f8fd104014702eeb37ed2727271e20778f058130eb9da388dc14f93f651d2cd
-
Filesize
9KB
MD593f9b6c3d124387d192febf80bb36a97
SHA1530c9c53cc1a6a8a91129d5e570e11f9f59463d3
SHA2568fa7bec3c5abbbcfb3874e5235279afdc3a79c033a742389b69119d1006fa5c0
SHA512556cc0892819423a51d8c7db75aff3d571f717ed47157b37c4ce28c4dbe3e1c0a9942b3963097f1d30de76e4159d5a6ba9c1ee9fca2beee0c77fecb4184e3657
-
Filesize
68KB
MD5c7e6fbe7d74099a559ea820b15a0d791
SHA144ec6691dcb98069df907a5b5717ff4e22b2f609
SHA256a356b758410e6263c7621926ce257ce4add9f29d648a87fe9d4eb6ee0facbf45
SHA512f79e92564f55e9952f592fea5eace10091671f6126151ce237fcb3dc5ae7e2c2479fb86778ac02fbd88b3cddd4728f86b01bee6abfd897076fc97dc048de0ec1
-
Filesize
2KB
MD5362b2e3f4ab49dc36617e7cee1d74d22
SHA1cf73c40c75b34c9749b024e1dbf2d5fe76edc660
SHA256a968150355591839f6a9cfe7d9d3b1410d336e84930a4607cfcc8017ab722b34
SHA512f5dbc6bac4266a476570dde9a3f09705d974694929ee77b6691bc61aea9657b69f00abdcd492ec68fe408578842a1e3183ef8e4206f6f66e1f6430fdb92d2e65
-
Filesize
15KB
MD55f808df2370846a26365e93358b35fab
SHA1c951340d19dec6c41d42f76d82fb8634243324ec
SHA2564f124fae74c06af8ce076ca6fb17dd9ef913e633986fe11c80c280dcb941301b
SHA5124a7f42cba535008a2e8746fabff361e62c6db5d7abf8a116aec27721807b2a3fe2696af507100fa2a8c0c5fa4e8981df64ef2241b01bbdf9785151778d0b965d
-
Filesize
560B
MD5081686ec4a774bca44bf3ca11f450f6e
SHA17ff1f212076bfb2b0697c5291c528cec2b96f3ff
SHA25676c01db4290a1952eb320a45e44a9ee7cbb2aa34e3251350c627b266e534edc4
SHA512dc75981cd5244e50f5cda010bd61bed1ddbbf06cbd2564c8cfc7445556397890f46e01d43356f25c7bc0bfb9656d29c9fac8a32a498682e6f8cf2a59093dcfa6
-
Filesize
560B
MD5f28df89670682508fa484769e50df8e7
SHA1a5bf9c4755ab9a8b4e8c5ec35403458be7431005
SHA256bdc324cf3e2b700fdddb27c6d3052a0f14227ef799d29bb509ee9de4243e24a3
SHA51234f5de1218a392d2b8dc986a8c884446e5d6b5ec30327431621ea6ed2ac3a2f926aba482a182256efbe8869a197522aca60ac192093415afa3391144c22ab4f3
-
Filesize
416B
MD59ab2c688be4d579a2439c84be7e9b6c2
SHA18139c79203bdb862de06dbf66db9da7b3878fc87
SHA256c3982883e4b76e80ade6bd7bc990cf6c5dbb881ee3f8ebf898cd420477c0c8c5
SHA512c57a39c6191556bfae143184cd888b495049c0b7bd2917535cb442f9b12ff0f0af2f1df068be461c8eb9e44eaa7bf9588e0ec680390a2cfe7bb21b134bd527ad
-
C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\Logo.png
Filesize32KB
MD5a616fbc37f8a8dfa161a947839b7b551
SHA17d6e348d4dfe9db203858399262f9da6f5b40cb6
SHA2567c9077d180bee8c6dfb5d050592905d581d356137d0012dc2745a502fdc3d334
SHA51290d217972f3964201040554ad2050415f615d6dd97d1d43035760ec44313b7644d2b868629e80fe7b5bb091fee178b8384a5e9d4459650c6aaa30577f5429f75
-
C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\SmallLogo.png
Filesize15KB
MD58c06a6fe9ff80f11a2790d5dea122092
SHA18ba9579440f047d995fe68b1eee02b25113bba51
SHA2562d7e468f12c909c5b32d40482f9afb210202daa06af62ad660aadcea72e5d360
SHA512a1eca614c498108e9c4735a253d2a0f4fba6c1e6ab213bdf695f5d85a9157fbb90440784dcac6ffc5ce205d9bac2f690356d31d93692c147d43827a1236493a9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD58545f43b2e27dea33ddb05850803b766
SHA1d655346a3766b9d17893d61057098847d523740a
SHA2563d1f697ff35069f558eb41489110d5ec7ac4f453ffab2ae2bf787b9a239e14a3
SHA512fc3ff5047e04d1a5c5ce2e7eaa771eaadb12cf8cb461d7cc39acf82dea5729c6b4eaa867f6889b6b9331002bdb3aabf561a9b723f68af647650ad42e70e5b059
-
Filesize
503B
MD5339f910ea873a2b96e54337122f8a77b
SHA14e9d6bbf55904b37f4dead8f64bdf84e425fc1fc
SHA256de62f4507db6608d5e047a15dbb793e6d6b663a6f6e511859e5e85b626184b82
SHA512781a639aba601fdf2a74eeb4d6874ff03bae3fd271a628ece951054bf9616d295ab7e2abde4d403a9223cec7b5d1470686f2c4acbda6a38c2d92bfcc846750de
-
Filesize
500B
MD5c04c8cb2ec13072e54dd27d4ddccee84
SHA1de33c9950e33fbb7ab6b76f6e06c1d6479f05a51
SHA256b9ab64f76ee44a16ea92a88b45c9cfb19019d475ae2b1ba1dbca21890f9107d8
SHA512697b7dfcfc2fad1475cb7f6b39b28e2782c27994d91b9e688dc45a22a124491c5991c8c4ec1bbb09d352b87bdf30965e9df69373b3abb8067ba5687ab7b8c7f6
-
Filesize
507B
MD5d0852e13f197ca7e2dd381fd15ea03c6
SHA1138bbac6e955d859bcad2d56a5bf746f446ff328
SHA25695f6d463f169a2d46dd663f015059b5f19e5fbb94201cdcaacf7017e4b45243d
SHA51232865d4e0c6fdfd11b0c0cf2573714b1928d1d71aee8a0acb9936b2efa879fd8438dcb2512910a0f10dd5493e11e1a7e154125d8a544fb3b5dabfc543ad86543
-
Filesize
290B
MD582efd00abbfce60017452a9ef1669bcc
SHA1a388420129835332f5fc1be31d9b4cfd589b3eee
SHA25694cef88cdcc216e629cbc953ad2383594039e1c4fec70b9878974ee67afe031b
SHA5123dade10e3c47847f9ac8a172ca6a8a2ee683c9d095fe18820fd917c4c23982584b8b47841f46219e4845e83936eec4722a8d9ab0ffde4759e83b5577f15cb372
-
Filesize
494B
MD54ff9e08c8c88dbbd3c234801e5034ac1
SHA1090dd6aaba7a393636ec08af26cfbef2f3ab39c1
SHA256d3c055841a892a090d2df008f68e19447a52c759a0d417693a7a23af4a26745d
SHA51227e22df593fb3b43f9fe6456882f584f1a9ded72cb99b9e6d0f337d1b918eb00fdcae89037b23c4916f2db53fb1bb41920156264002fffcc09106e945fcdfb7e
-
Filesize
495B
MD5fff511dd27c8d6c5efbf5385a3f3ba10
SHA1afcb0c6aa197e9270603ad8a0a8235dd0f006219
SHA256a01ba904b5548e68cc9ae5c0eeff510909c8443e135476e644d5c7f64154accf
SHA5120d112dfe12eaa42ebf0c6264a817646b70207a73aabecc88afcda8b30b34e3e5e8199972036a8867f52e68e7e3039fccef037279449abedf8fb8ba0ab20f271a
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
1KB
MD5f2bbb85d6112bd7360a4ddbc23ea9a8b
SHA1683eb7b2b0a5904337f204f71d25c02b9cc5daba
SHA256be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2
SHA512a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\ru\HOW-TO-DECRYPT.TXT
Filesize1KB
MD5fc1014711fa40c00879ed06f3d5dc55d
SHA1b2dfc1eaa9e011647bbb989a039c3e4e712bd488
SHA256739b137a251df82c851f27e67b61bd3bd475d64e0e76b9a128d24719ce17ce33
SHA5120cb9d81b31d85ed11d2e85c4da360d027d4e421a616c985cbc08e17ab8ace7f80c56c5eff02614490ad8e908ec2994a8041b8e72e3b69dee31b76434107d5e5b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\si\YOUR_FILES_ARE_ENCRYPTED.HTML
Filesize15KB
MD5f4263b4483839d7f700bcfacab9d5d7d
SHA16ea7fe7b860b90c3e9bd9c5b547215813e2ff838
SHA25606b900fe2c957f744e1056030636984cbf1a3f74636a9bfc9da50ab0f20d818f
SHA5123c8cb30904b0b23f35d6f06acb86e3cda4da78ab03305bbc371bb5f1eff3855ac9cf97c72d05c2cfe858bba9a984453815aab5559cfd9d4ce797ebc11b0dd448
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Filesize16B
MD52caa6f3c95f6ec6bba5b54344938efa0
SHA12d5637f50e858fbaaeec7853d944dd3c3e91ec39
SHA25616ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6
SHA5124141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Settings\Recovery+qmsve.html
Filesize9KB
MD544a57a3ed44c5c3280f822ecbfb86d4b
SHA1fcac11e69d2de1b592c678bbecf8d2eb3735658d
SHA25690b02dfc03e1816a914fb0b62f81da740a9986784c2973a6cf2fb54384184f93
SHA5123105304bdb78223c7b86cbe9a2e3e2817d3fe4f251ee0f1db129405fc33db4221e60a309119a50ccd9c5baa0e91908135d2260c422865fe82beffc1f8330ec00
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Settings\Recovery+qmsve.png
Filesize68KB
MD526520b7fb8be973340ab44ae7272d7bc
SHA1808f96968ab2c926685d7f872004388ff6f6702a
SHA2560f55d60af12aeb32f97746a915cef9633b32f842f017b28a0b2b4f34fa85db4a
SHA51298ea261d167816403174a10cd2c35ba32baf338b566a43167abdfce89f1088d2b8316497b3c150245abd271d1acf23959c35bd0e49f8fdcb18a07a46a70c4625
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Settings\Recovery+qmsve.txt
Filesize2KB
MD5095775f71bdf89ab34051184f5fd997c
SHA14b55ff019c9b6ee6c6b77224337ec0714f7cf5c0
SHA256655b9e7b51cb2124db227e6d3fafa689b3c7cbdca8fd2c242b24acb8c18be08b
SHA512ce479adf8e7e0c231ef3871a4744b717dda4ad7aec0db6d406e9075362dc614f7b19a5f7ed90f64ebf2296ba7e6b0c138e4be8ec4c21ede3783f7e4d66025945
-
Filesize
704KB
MD527a7a40b2b83578e0c3bffb5a167d67a
SHA1d20a7d3308990ce04839569b66f8639d6ed55848
SHA256ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
SHA5127b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef
-
Filesize
638KB
MD531d858c6f1c453af516343758a4b2c69
SHA1ec9fafdb7333df42e3a8fb25f6f0f30ffe36b795
SHA25612abcf99dd28bf35b3c224accfe2587ba5f4199d163224b344cdc770eed36130
SHA51292923ca2f4be8fab82a5104cbc39ce84ce60000d4e825b5ccc0b44ba7f7090f7967b491350adf2f0c4ef9ce63ba93241030245e730f1a77c055b0257e64cbc45
-
Filesize
2.2MB
MD59834bce4d5f50fdc342c6a3171aa6356
SHA16f82e558696b49d2a7b3dae5066bc36ff87bea7f
SHA25625f031334d2262c966a7792afb52369c2b294660ab845a1ec4dac6651b314883
SHA51266562d17bfa1576c0ca4aa119beb9bfb6800787323a3498003a61bae25e93eb790acaedfde8301cb5f4c2b5f98db2971a0610f56d0b9fd3e515f663478ee86c2
-
Filesize
109KB
MD5b4ebbae10fc58372050f7d46f9948497
SHA130832f6d9ce431e660b3283499145d00ca9f4922
SHA2562da85bedb46c2a6d024a8dc69099e3e8ad1b312a229a51b870bf0211bceb79ef
SHA51230f956c5ffe5348678e0fca7795a781e16e484385301387e28e961c5d5e0a0d8ab767813339cf68667f2260190a60027f553669b2e412b9c33f1ab6f95f0290f
-
Filesize
11KB
MD5dcee0dbcf84cc9f1620f168d8f8f9fd1
SHA19f570fa253c24a8fe56948f4c6e79982d9644a3b
SHA256385e7a3cf5dd7b65590b064e7bc09f901db7ddc8542396af6bb60048a30993f0
SHA5125b89fe78e841bd05a7c4a626d9b06aa200f8c7d0ebf3b9124aa4440159636fc20ced725d2fe61de7bb4dc210060fddd36f785309a536293455cb863ebff00e77
-
Filesize
1KB
MD5d6a02fc90f628cba550f597d73238f81
SHA144c029287f3580a20caac7b3c56776102af10e22
SHA2563af7dc454bc1397ba65f22a9fd82f8c65aaf661d10c63da5afeb5dffa353b423
SHA512f01ffd61aa934636c97e9fd25d90e219eb7f8adc5b3d175dca7da7dc82a157f6e04d5000ce4cdb6267a3e9c787153e74081ccf8bd1c53fa62233c946679bde76
-
Filesize
98KB
MD5904347cc428ecc1fb6dec20ad6350519
SHA11547b616784c39abdaa4699994b2f9ad539180ce
SHA256ff781837e47a42d7dee3d42854b6d66d73cfbc032c47c9620821b737a82800af
SHA512cd2612c9fb2b9aa92e504fe1a830b752962b06819356aeeebaaaf53853ebb676d7bc4497fd88ec0be2b32895f6957682c1571914ff657b49261d275bbd2f0204
-
Filesize
18KB
MD597cd44dfbf75710efb8225d059262dd0
SHA1ecc2dfb02b0f3badcaba27da9d9ab606ef1b83a2
SHA2564f9a394a194d05047a6b4e02e64278637e3c9ac3337c9818a23c9eae75295f74
SHA5124594df18ce61f5c0e72b912722865b3596137d2ccd3a94df3e25f86074dbc1d67302b1f52f24ce2180cdf808ec649b7b68bd9a758d5245e4bb03848ce2ba5259
-
Filesize
117KB
MD5d4f8743311fff7dacb9d5ae68b49bfe3
SHA1430b023c3d17a0b63276584cbbb322918239a7cd
SHA2569aa650a9117918b9c57f89b573bb597c91c18e77e4eae0145829a3e283c74b82
SHA51259ac6903a89fd2d4446a78bf885659686b32ff3ebbfae7165c0f8a53279f9c5e5c1e78519751cc8702445bb59adce4fda236f7a9042f24973539f7327a31fe7c
-
Filesize
71KB
MD598638a1bfdecdcecf4d7d47b521ac903
SHA1320dd42ee55cfd4016922d5927e1ca4967191315
SHA25611c739d28227773d70c3941d2e979b9d4cee12f1d53cc94daf77b62a4d3a0327
SHA512d1b8eef337219f35769d7061bd760a066522fbb34bde6f1d130897f6522aada2b9bfb15f49559a48534d6c656ef3edcd8689d7d76d72c5f022db3906306022d7
-
Filesize
280KB
MD522071845daf8c1f6e87f006673eed4fd
SHA1b3bc158d041aecc313900cf9a7205e13c47dd9a3
SHA25651c47389782bc2de8e401d231233e2e7f1a4b3afce7df4ddf4ad533184dad407
SHA5126a11c1620e60b35d321c340687e03a5d9c9eb07912d95c7ba8b9d25867f246b6f46e23d5ee5ec6999c38a92460e85efd8704100e81492c26e38ba3da0f0e5972
-
Filesize
40KB
MD5b7c3e334648a6cbb03b550b842818409
SHA1767be295f1e4adedf0e10532f9c1b7908d17383a
SHA256f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd
SHA51243ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1
-
Filesize
1.7MB
MD588de950af4d05d6b8a59f79047083455
SHA1f7be37fc1b68ab79c6b4a352c4db65f8891941a8
SHA25638595b781acdd5ddf34dbcf2f7331f32c907a0d4a445e02d5ffeb336d3eea7e6
SHA512f7d8f359d2567dec87c44bdb9e3c2411bba6ad7e96203e86af127cbde58e761dc7e8e97ded0f40244ef5a2256c17f21652c35a02560460fefe960fa2579dd8a7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
72KB
MD574fe65cd3e81a99913784a05932ce1ac
SHA119ee95e7295a3752231f7dc3f07e58cfaa5dbde2
SHA256f3e517e0aa6002c8a9f81b91e09e9de398c337436c098a21084179e83b19b3bd
SHA512bfb2a8aeec7051136ba942f6cba83ae7237ebe1374cc724461c1c420326e6e993aa93a02baca1e871e522deae1f1b999fd907b08a2e329fc033f6fac7d46d6be
-
Filesize
50KB
MD5a6cfc62ba262352b95eb4e56194a0177
SHA1a1e0b92cc60252d5339e69f3d015de2d4774a422
SHA256a8ee01484c854486fd7ab957d06467b14561d152f959ea19878060778f83623a
SHA5123b08d9ba32dcecd7a6047cdd5987241eb342509653090ca1ec693f45062e48ece78b7fdb2296ed90e564c40eecae91d8ccdc4929982831173a6759dffb1019ea
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.MSIL.Blocker.gen-416f43694c2b70db2aa8120523be9eaa7d691d93ffa49c8a8aba362e95ed0426.exe
Filesize128KB
MD59e8d7b17c66d546b677d70b15db153ae
SHA1e7e92804c494db313d1c4dceea1bb0bf56fb815f
SHA256416f43694c2b70db2aa8120523be9eaa7d691d93ffa49c8a8aba362e95ed0426
SHA512c1f98de5cbe31065465222e01757ac3cce3eb20e6df965dfdb49af6df016e3c135236e3e8273010767407a77a0755b40c0fcff40ff5293a34ee330f6845ebc97
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Agent.gen-13bf920e93a30ec43c846a7d48726cd522a4ada3c720b3d7db133d894e189616.exe
Filesize2.0MB
MD54ff478ebd30744e7efa1492cd9095769
SHA1baad6c177c6d75f25b13a3e7b72aa396aa9b6e57
SHA25613bf920e93a30ec43c846a7d48726cd522a4ada3c720b3d7db133d894e189616
SHA512a8895bd01cc51137e6af6a8bf32bdf2dac6f482a53b8b86b91f195001448033f337fd4aebf8357456d3b5544803be9ad2c5e40309af07e23988e982dba1a3e60
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Blocker.pef-c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627.exe
Filesize50KB
MD523ad5632150211d994eebfa904a8a783
SHA1712aa57d38c94ed65253685886f1657fd9883937
SHA256c4b12309c4fe382b03e3d6eedb5b60ec44fedeaf3e939df347f7ec5a2dab9627
SHA51231a7cd991d2069b8b4f59a97621b42a8419560faf5a487d75ac28c78a9a8c427de30900ec817cacc446db2b809906f9745fd78c91446a4485b0f4e546df5936d
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2945b7db43804037c527eeb893cbde78d496b6053704710337699e8dbb104438.exe
Filesize1.8MB
MD551ee4712b091b268ddb1097b31c2afa6
SHA1b58124eb7fa59ce7e700d9a1e55e4b23ecf1b1aa
SHA2562945b7db43804037c527eeb893cbde78d496b6053704710337699e8dbb104438
SHA512ed75eb72ac554663231ff34095b217f4e58edbeae972d01958ed5edc7df9d8db109a7c559f21c6b548cff23fe5090c52f62a90a3c5bc091776bb34cbcf2bfddd
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-f17f9e363bad27c36efda5419008af0148a5a533b4491affbe74f37ad86da52c.exe
Filesize130KB
MD557a51864ab227f34bde3d9562a00a7e6
SHA190cd0fda61bf7b30b529f5a229947613553d08c6
SHA256f17f9e363bad27c36efda5419008af0148a5a533b4491affbe74f37ad86da52c
SHA5128f5e5b625328310bf7d142bbeb8159745a9781524c1fe76ea881573312f2ea596bfdd8505a2ceaeea5ddcd5dbeeb8d7957887a3cdb05136f0e56ff46a62d457c
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-7e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027.exe
Filesize6.4MB
MD57b477417dcbeec87403b1fdb51ad9723
SHA17d6c289c7a9d09dde3b46a1e05bd81b1478f5a91
SHA2567e9984df7e40bccb37f8da69a41c354f762c856878fa0cc85e76d4228235d027
SHA5126becb3ad88348caf65d96d5514a46ae79759ae1917d3e1c78359d7e92024c4a7e68b92f914b5f88da0f805afd735ec6f3fc79c751418cdb161317be93b0101ab
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan-Ransom.Win32.Stop.gen-53bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa.exe
Filesize688KB
MD54833eb23482ca80ddb8b34495d9f339d
SHA16aa67203806fb369e9fe79d3f1ee4bd949531a4d
SHA25653bd537c9de9f3b620e08be32a905805bc1cc4a59ba98b8506e6ce4dd979fefa
SHA51200ad8dceb54a950bb928c186f41c0931cd01b49595a3c97df93b6e860ce5b29f846f869fb819904e076540430280572b0e6b59cb66c00389b2a75b9c8e2afd36
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-3628769697549b788743f590f8a7115b691d67516efc9d7fcefba125b4f06a2c.exe
Filesize142KB
MD5ceb9d7fe4e055eabd2919cb6e040fb35
SHA118b3a3d9ff64b7dd9ddc19f921f9ad3537b7aa3d
SHA2563628769697549b788743f590f8a7115b691d67516efc9d7fcefba125b4f06a2c
SHA512b7001cece36e5d391e208c9c32041ab2c6027cc615ce31fdfc4fdf9dab92ea2d406c8eee56c8f3c8c6f2a5057b3353cb900d0962f46009d3bb7aa8ef1d3c57f3
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-61582ff86199c44030bc077b361adcc5ba3a6dcef67e59fc6ad64bb614c70da0.exe
Filesize59KB
MD5447396ba6c00a9d62ac90b58fa15e937
SHA11428f17a67bd79611c1ecfccd1e1eb22cf05c64d
SHA25661582ff86199c44030bc077b361adcc5ba3a6dcef67e59fc6ad64bb614c70da0
SHA512cabd91889ce9218fb9477c91f63b9f74e3441dcaccc6abab786e452a7d7bbff461dc66ccb23ae93a904a3bbf37a0b683bd5de37bd7e7fc495e4d94e7a230c04a
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-a926ff2716bee38e336a5fa943d14553ca150f844a24bba5de92fd0ccd5e3622.exe
Filesize68KB
MD5c4733b99f005b3ab23132ab3bc0944af
SHA162d49c5fbec8f4b93f75da053d2dd292f6ece062
SHA256a926ff2716bee38e336a5fa943d14553ca150f844a24bba5de92fd0ccd5e3622
SHA512821d48444ea3bef3ea1894c976495adb86b2da4aae570d1ea1bbc61b204a6fe47dff96aa9aa75a24f13e5aee4878f44f38a6c16de82d3c441832e110f4aad39d
-
C:\Users\Admin\Desktop\00465\HEUR-Trojan.MSIL.Crypt.gen-cd09d832a2a41b9ee2d888f4a7a34d29584d5d2bf86c80f8df0df0de6b2f7ebc.exe
Filesize1.5MB
MD51dc475c7085bb4fee14f3d4aff411491
SHA12bdb54931b2a17fdbf42b8deacf5e28beea79b74
SHA256cd09d832a2a41b9ee2d888f4a7a34d29584d5d2bf86c80f8df0df0de6b2f7ebc
SHA512db93ccc45276a171b355352d2cfdc72fc19814c0004960adb55d7dca1190f0de9b570b408d7b15f8c32d98c3a9e0fdd5d3a25969410a9cf05713c793e3af4853
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Agent.bajz-ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e.exe
Filesize592KB
MD51119611e37d23e140afed09382d531c7
SHA142d4c6d02c0a9fe1a177591f45f61d2a57cadcdf
SHA256ad9356574a64d2113d8ec433482791efd3adaaf096fb76fe3ceddf1e5d0ec75e
SHA51202b19bfcc8793dff91b994aec617bf7dc19405fb5818c730070845e8e6c327c9dc542e3c029bf9d70917da2140a04ad38457ff2cfff3d5f42f50e6c213ef3841
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Bitman.jiv-4055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4.exe
Filesize252KB
MD54fcc3450eb59ae260688ef3a442ababa
SHA199ba0adb91fefb6a97818c2ea98e57ae5f622bde
SHA2564055b39928a8d30d5a12dea31cdd6181eb0255576a5de454861d4130fe6513b4
SHA5129a12e2968f4a6a8f6f597d73c44a650f8ba8b91e4f0030494ea3317e45a042aa6cb92f31e2eba90cf6c0417b85e7dc5bdc7163ab79636c5994e2cbd39d1af3cc
-
C:\Users\Admin\Desktop\00465\Trojan-Ransom.Win32.Blocker.liwy-cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff.exe
Filesize5.4MB
MD509919afafe2084513f8e70dbd74b0757
SHA1a59a338df7b26ea7fb8167f96a51b8a85681eff7
SHA256cca8b684c4b2ba0c4bff9418216f52f2d69c3c4dfc292b6f55b1b6fa09ded8ff
SHA512cc2c5e8dc739fdc8e4f937b4ff08061ef9e7feb0eda037e8a7adf9fc81b88aae4ba5a20f6efd387b717a1f7b067285efde526e7e761552ac78b327e4c7f270e4
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
\??\c:\users\admin\desktop\00465\heur-trojan.msil.crypt.gen-57221ac04e04d59c42bdc9ab1a4473332fa677d6e78d61f4d960873e1be7e41d.exe
Filesize3.6MB
MD5c07e66e4cc164f062240866fde230002
SHA1fbe38f60370b84a15d1394f990cc158e31bb1add
SHA25657221ac04e04d59c42bdc9ab1a4473332fa677d6e78d61f4d960873e1be7e41d
SHA512c991a906e6df62daba5aeb7ef09e5a0fe6480ccccdcd52f94dc9d1d7f4cae3c30869e0e9ef0bf7c5147bb236c6c65d63f199e7d8d82e2299a320ff0e476d6991
-
Filesize
141B
MD59005588d5c36246914d00b7756197191
SHA115d77c43ed7196619dddc2d7351d21e7a675316c
SHA256ef0bdb4c9f3c20949240953a3219cede291581248964bc2d71c4618b75dc4989
SHA5127587b1f8b48c24ab16b7b2b193e48ce265a72bcad6afa7b4f7914645207ee3bc7e899519a00b185a8c9546d40549305a552a2a2fe324e94f7bcb29f76e1c0a55