Analysis
max time kernel: 95s
max time network: 236s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-10-2024 20:28
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00441.7z
Resource: win10v2004-20241007-en

General
Target: RNSM00441.7z
Size: 53.5MB
MD5: 1f07deb824d20334eca9d63413320f1f
SHA1: 56067bd17bbe30dfde1b4105924688227931f668
SHA256: adc85b9fc63f672336e015658cfa59663940299f1c7e7cb3c867423606f85c5a
SHA512: 2aa3e8aa6df2a4832c22c92b4e8f78725296e201b777ffed0ef6ffccdd53f09eb82ec6e40b0e67cf9dfff869af156e6136832ddf9948d3a090c6bba977fd7bd4
SSDEEP: 1572864:PW+3Sr6Ioq3gdUBA1cE6K7HPLmgk3CRlTRCrwb9Zs3:PWSsoqwWAYCvnkyPlCrw9Zs3
Malware Config

Extracted
crimsonrat
107.175.1.103

Extracted
C:\Program Files\Common Files\DESIGNER\Read_Me.txt
http://24cduc2htewrcv37.onion/?ZQXPGDPQ
http://helpqvrg3cc5mvb3.onion/

Extracted
C:\Program Files (x86)\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.top/

Extracted
C:\Users\Admin\3D Objects\6iMSN88k_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion

Extracted
C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion

Extracted
C:\Users\Admin\Contacts\6iMSN88k_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\OneNote Notebooks\6iMSN88k_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

Avaddon payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023cc3-405.dat | family_avaddon

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

CrimsonRAT main payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023cb9-282.dat | family_crimsonrat

CrimsonRat
Crimson RAT is malware associated with a Pakistan-linked threat actor.

GandCrab payload 2 IoCs
resource | yara_rule
behavioral1/memory/1992-380-0x0000000000400000-0x0000000000460000-memory.dmp | family_gandcrab
behavioral1/memory/1992-381-0x0000000000710000-0x0000000000727000-memory.dmp | family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5392 | 3088 | wmic.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5408 | 3088 | wmic.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5448 | 3088 | wmic.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6668 | 3088 | wmic.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 9684 | 3088 | wmic.exe | 91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 16896 | 3088 | wmic.exe | 91
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (3859) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Disables Task Manager via registry modification

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE 20 IoCs
pid | Process
4460 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe
2568 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exe
1808 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf.exe
4452 | HEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exe
3988 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe
4696 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe
4288 | HEUR-Trojan-Ransom.MSIL.Encoder.gen-f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9.exe
4128 | HEUR-Trojan-Ransom.MSIL.Foreign.gen-ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077.exe
4180 | HEUR-Trojan-Ransom.MSIL.Gen.gen-6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f.exe
2452 | HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe
2832 | HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe
4228 | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
2540 | HEUR-Trojan-Ransom.Win32.CryFile.gen-8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac.exe
1732 | HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c.exe
1620 | HEUR-Trojan-Ransom.Win32.Cryptor.gen-8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230.exe
1992 | HEUR-Trojan-Ransom.Win32.GandCrypt.gen-63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0.exe
3172 | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
4512 | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
5216 | NWCcBCAt.exe
2632 | HEUR-Trojan-Ransom.Win32.Generic-1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0.exe
Loads dropped DLL 1 IoCs
pid | Process
2832 | HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe

Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/2568-328-0x0000000006810000-0x0000000006838000-memory.dmp | agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\Users\\Admin\\Desktop\\win.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "C:\\Users\\Admin\\AppData\\Roaming\\a.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows-DefenderV = "C:\\Users\\Admin\\AppData\\Roaming\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe" | HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Local\\Updater.exe" | HEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\desktop.ini | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\S: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\B: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\Q: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\K: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\U: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\V: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\I: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\G: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\J: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\L: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\O: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\P: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\V: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\M: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\W: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\X: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\H: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\H: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\J: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\P: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\Y: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\S: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\L: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\U: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\N: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\E: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\T: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\R: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\I: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\B: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\A: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\Y: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\Z: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\Z: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\Y: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\H: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\G: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\W: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\E: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\G: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\I: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\L: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\W: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\K: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\A: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\E: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\T: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\J: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\O: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\K: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\X: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\O: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\X: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\R: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\Q: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\T: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\Z: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\N: | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened (read-only) | \??\R: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\S: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only) | \??\P: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\V: | HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
File opened (read-only) | \??\N: | HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
resource | yara_rule
behavioral1/files/0x0007000000023cbc-342.dat | upx
behavioral1/memory/2832-344-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/files/0x0007000000023cbf-349.dat | upx
behavioral1/memory/1732-352-0x0000000000400000-0x00000000005BB000-memory.dmp | upx
behavioral1/files/0x0009000000023d33-366.dat | upx
behavioral1/files/0x0007000000023cc4-426.dat | upx
behavioral1/memory/2832-432-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/1732-442-0x0000000000400000-0x00000000005BB000-memory.dmp | upx
behavioral1/memory/1732-29103-0x0000000000400000-0x00000000005BB000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\Read_Me.txt | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Common Files\System\ado\msado60.tlb | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Read_Me.txt | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Read_Me.txt | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\Read_Me.txt | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll | HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
2320 sc.exe
5708 sc.exe
5344 sc.exe
5308 sc.exe
7560 sc.exe
7624 sc.exe
2380 sc.exe
3888 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target
4620 1992 WerFault.exe 136
36820 2832 WerFault.exe 125
36660 2832 WerFault.exe 125
-
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Cryptor.gen-8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Gen.gen-6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NWCcBCAt.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Foreign.gen-ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.GandCrypt.gen-63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.CryFile.gen-8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe
-
Kills process with taskkill 3 IoCs
pid Process
45532 taskkill.exe
4004 taskkill.exe
8580 taskkill.exe
-
Modifies registry key 1 TTPs 1 IoCs
pid Process
5292 reg.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
36940 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
2768 7zFM.exe
2532 taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeRestorePrivilege 2768 7zFM.exe
Token: 35 2768 7zFM.exe
Token: SeSecurityPrivilege 2768 7zFM.exe
Token: SeSecurityPrivilege 2768 7zFM.exe
Token: SeDebugPrivilege 3764 taskmgr.exe
Token: SeSystemProfilePrivilege 3764 taskmgr.exe
Token: SeCreateGlobalPrivilege 3764 taskmgr.exe
Token: SeDebugPrivilege 2532 taskmgr.exe
Token: SeSystemProfilePrivilege 2532 taskmgr.exe
Token: SeCreateGlobalPrivilege 2532 taskmgr.exe
Token: 33 3764 taskmgr.exe
Token: SeIncBasePriorityPrivilege 3764 taskmgr.exe
Token: SeDebugPrivilege 3008 powershell.exe
Token: SeDebugPrivilege 4452 HEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exe
Token: SeDebugPrivilege 2568 HEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exe
Token: SeDebugPrivilege 4696 HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe
Token: SeBackupPrivilege 2040 dw20.exe
Token: SeBackupPrivilege 2040 dw20.exe
Token: SeDebugPrivilege 4460 HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe
Token: SeDebugPrivilege 1256 powershell.exe
Token: SeDebugPrivilege 2452 HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe
Token: SeDebugPrivilege 4004 taskkill.exe
Token: SeBackupPrivilege 3464 vssvc.exe
Token: SeRestorePrivilege 3464 vssvc.exe
Token: SeAuditPrivilege 3464 vssvc.exe
Token: SeIncreaseQuotaPrivilege 5480 wmic.exe
Token: SeSecurityPrivilege 5480 wmic.exe
Token: SeTakeOwnershipPrivilege 5480 wmic.exe
Token: SeLoadDriverPrivilege 5480 wmic.exe
Token: SeSystemProfilePrivilege 5480 wmic.exe
Token: SeSystemtimePrivilege 5480 wmic.exe
Token: SeProfSingleProcessPrivilege 5480 wmic.exe
Token: SeIncBasePriorityPrivilege 5480 wmic.exe
Token: SeCreatePagefilePrivilege 5480 wmic.exe
Token: SeBackupPrivilege 5480 wmic.exe
Token: SeRestorePrivilege 5480 wmic.exe
Token: SeShutdownPrivilege 5480 wmic.exe
Token: SeDebugPrivilege 5480 wmic.exe
Token: SeSystemEnvironmentPrivilege 5480 wmic.exe
Token: SeRemoteShutdownPrivilege 5480 wmic.exe
Token: SeUndockPrivilege 5480 wmic.exe
Token: SeManageVolumePrivilege 5480 wmic.exe
Token: 33 5480 wmic.exe
Token: 34 5480 wmic.exe
Token: 35 5480 wmic.exe
Token: 36 5480 wmic.exe
Token: SeIncreaseQuotaPrivilege 5408 wmic.exe
Token: SeSecurityPrivilege 5408 wmic.exe
Token: SeTakeOwnershipPrivilege 5408 wmic.exe
Token: SeLoadDriverPrivilege 5408 wmic.exe
Token: SeSystemProfilePrivilege 5408 wmic.exe
Token: SeSystemtimePrivilege 5408 wmic.exe
Token: SeProfSingleProcessPrivilege 5408 wmic.exe
Token: SeIncBasePriorityPrivilege 5408 wmic.exe
Token: SeCreatePagefilePrivilege 5408 wmic.exe
Token: SeBackupPrivilege 5408 wmic.exe
Token: SeRestorePrivilege 5408 wmic.exe
Token: SeShutdownPrivilege 5408 wmic.exe
Token: SeDebugPrivilege 5408 wmic.exe
Token: SeSystemEnvironmentPrivilege 5408 wmic.exe
Token: SeRemoteShutdownPrivilege 5408 wmic.exe
Token: SeUndockPrivilege 5408 wmic.exe
Token: SeManageVolumePrivilege 5408 wmic.exe
Token: 33 5408 wmic.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
3120 cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3764 wrote to memory of 2532 3764 taskmgr.exe 98
PID 3764 wrote to memory of 2532 3764 taskmgr.exe 98
PID 3008 wrote to memory of 3120 3008 powershell.exe 104
PID 3008 wrote to memory of 3120 3008 powershell.exe 104
PID 3120 wrote to memory of 4460 3120 cmd.exe 106
PID 3120 wrote to memory of 4460 3120 cmd.exe 106
PID 3120 wrote to memory of 4460 3120 cmd.exe 106
PID 3120 wrote to memory of 2568 3120 cmd.exe 107
PID 3120 wrote to memory of 2568 3120 cmd.exe 107
PID 3120 wrote to memory of 2568 3120 cmd.exe 107
PID 3120 wrote to memory of 1808 3120 cmd.exe 108
PID 3120 wrote to memory of 1808 3120 cmd.exe 108
PID 3120 wrote to memory of 4452 3120 cmd.exe 110
PID 3120 wrote to memory of 4452 3120 cmd.exe 110
PID 3120 wrote to memory of 3988 3120 cmd.exe 111
PID 3120 wrote to memory of 3988 3120 cmd.exe 111
PID 3120 wrote to memory of 4696 3120 cmd.exe 113
PID 3120 wrote to memory of 4696 3120 cmd.exe 113
PID 3120 wrote to memory of 4696 3120 cmd.exe 113
PID 3120 wrote to memory of 4288 3120 cmd.exe 114
PID 3120 wrote to memory of 4288 3120 cmd.exe 114
PID 3120 wrote to memory of 4128 3120 cmd.exe 117
PID 3120 wrote to memory of 4128 3120 cmd.exe 117
PID 3120 wrote to memory of 4128 3120 cmd.exe 117
PID 3988 wrote to memory of 1256 3988 HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe 120
PID 3988 wrote to memory of 1256 3988 HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe 120
PID 3120 wrote to memory of 4180 3120 cmd.exe 122
PID 3120 wrote to memory of 4180 3120 cmd.exe 122
PID 3120 wrote to memory of 4180 3120 cmd.exe 122
PID 3988 wrote to memory of 2040 3988 HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe 123
PID 3988 wrote to memory of 2040 3988 HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe 123
PID 3120 wrote to memory of 2452 3120 cmd.exe 124
PID 3120 wrote to memory of 2452 3120 cmd.exe 124
PID 3120 wrote to memory of 2452 3120 cmd.exe 124
PID 3120 wrote to memory of 2832 3120 cmd.exe 125
PID 3120 wrote to memory of 2832 3120 cmd.exe 125
PID 3120 wrote to memory of 2832 3120 cmd.exe 125
PID 3120 wrote to memory of 4228 3120 cmd.exe 126
PID 3120 wrote to memory of 4228 3120 cmd.exe 126
PID 3120 wrote to memory of 4228 3120 cmd.exe 126
PID 3120 wrote to memory of 2540 3120 cmd.exe 128
PID 3120 wrote to memory of 2540 3120 cmd.exe 128
PID 3120 wrote to memory of 2540 3120 cmd.exe 128
PID 3120 wrote to memory of 1732 3120 cmd.exe 129
PID 3120 wrote to memory of 1732 3120 cmd.exe 129
PID 4228 wrote to memory of 2972 4228 HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe 131
PID 4228 wrote to memory of 2972 4228 HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe 131
PID 4228 wrote to memory of 2972 4228 HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe 131
PID 2452 wrote to memory of 4004 2452 HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe 133
PID 2452 wrote to memory of 4004 2452 HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe 133
PID 2452 wrote to memory of 4004 2452 HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe 133
PID 3120 wrote to memory of 1620 3120 cmd.exe 135
PID 3120 wrote to memory of 1620 3120 cmd.exe 135
PID 3120 wrote to memory of 1620 3120 cmd.exe 135
PID 3120 wrote to memory of 1992 3120 cmd.exe 136
PID 3120 wrote to memory of 1992 3120 cmd.exe 136
PID 3120 wrote to memory of 1992 3120 cmd.exe 136
PID 2452 wrote to memory of 2984 2452 HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe 140
PID 2452 wrote to memory of 2984 2452 HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe 140
PID 2452 wrote to memory of 2984 2452 HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe 140
PID 3120 wrote to memory of 3172 3120 cmd.exe 139
PID 3120 wrote to memory of 3172 3120 cmd.exe 139
PID 3120 wrote to memory of 3172 3120 cmd.exe 139
PID 4696 wrote to memory of 4484 4696 HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe 142
-
System policy modification 1 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00441.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2532 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00441\6iMSN88k_readme_.txt3⤵
- Opens file in notepad (likely ransom note)
PID:36940
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2568 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "a" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\a.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3560 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "a" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\a.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5888
-
-
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"4⤵PID:36636
-
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf.exe3⤵
- Executes dropped EXE
PID:1808
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4452
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $source = 'C:\Users\Public\Libraries\DATA';$archive = 'C:\Users\Public\Libraries\';$Name = [Environment]::MachineName+'DATA.zip';$destination = 'C:\Users\Public\Libraries\';$ArchiveFile = Join-Path -Path $archive -ChildPath $Name;MD $archive -EA 0 | Out-Null;If(Test-path $ArchiveFile) {Remove-item $ArchiveFile}Add-Type -assembly 'system.io.compression.filesystem';[io.compression.zipfile]::CreateFromDirectory($Source, $ArchiveFile);Copy-Item -Path $ArchiveFile -Destination $destination -Force;4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 14604⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "win" /t REG_SZ /d "C:\Users\Admin\Desktop\win.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4484 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "win" /t REG_SZ /d "C:\Users\Admin\Desktop\win.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5788
-
-
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9.exe3⤵
- Executes dropped EXE
PID:4288
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Foreign.gen-ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4128
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Gen.gen-6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f.exeHEUR-Trojan-Ransom.MSIL.Gen.gen-6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4180
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exeHEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F4⤵
- System Location Discovery: System Language Discovery
PID:2984
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5292
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F4⤵
- System Location Discovery: System Language Discovery
PID:5752
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2380
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3888
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin4⤵
- System Location Discovery: System Language Discovery
PID:5144
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5708
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5344
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5308
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
PID:7560
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
PID:7624
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
PID:8580
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F4⤵
- Kills process with taskkill
PID:45532
-
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exeHEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exeHEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe4⤵PID:7584
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 8204⤵
- Program crash
PID:36660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 8204⤵
- Program crash
PID:36820
-
-
-
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exeHEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe" "C:\Users\Admin\Desktop\00441\NWCcBCAt.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2972
-
-
C:\Users\Admin\Desktop\00441\NWCcBCAt.exe"C:\Users\Admin\Desktop\00441\NWCcBCAt.exe" -n4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5216
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nVz4NKPr.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f4⤵PID:7512
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nVz4NKPr.bmp" /f5⤵PID:27920
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f5⤵PID:13948
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f5⤵PID:14024
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yUvNt6ON.vbs"4⤵PID:7540
-
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yUvNt6ON.vbs"5⤵PID:20464
-
-
-
-
    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.CryFile.gen-8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac.exe (depth 3, PID 2540)
      HEUR-Trojan-Ransom.Win32.CryFile.gen-8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c.exe (depth 3, PID 1732)
      HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c.exe
      - Executes dropped EXE

    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Cryptor.gen-8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230.exe (depth 3, PID 1620)
      HEUR-Trojan-Ransom.Win32.Cryptor.gen-8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Windows\SYSTEM32\cmd.exe (depth 4, PID 5372)
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8DB2BF15-85F5-4819-86C1-35E47A0FFE8E}'" delete

        C:\Windows\System32\wbem\WMIC.exe (depth 5, PID 4396)
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8DB2BF15-85F5-4819-86C1-35E47A0FFE8E}'" delete

    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0.exe (depth 3, PID 1992)
      HEUR-Trojan-Ransom.Win32.GandCrypt.gen-63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 4620)
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 416
        - Program crash

    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe (depth 3, PID 3172)
      HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe (depth 3, PID 4512)
      HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - System policy modification

      C:\Windows\SysWOW64\Wbem\wmic.exe (depth 4, PID 5480)
        wmic SHADOWCOPY DELETE /nointeractive
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\Wbem\wmic.exe (depth 4, PID 5788)
        wmic SHADOWCOPY DELETE /nointeractive
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0.exe (depth 3, PID 2632)
      HEUR-Trojan-Ransom.Win32.Generic-1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0.exe
      - Executes dropped EXE

    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-2278b4445d6c307b1c489a36dc4876b390979c891588f741765d37d93af52f21.exe (depth 3, PID 28180)
      HEUR-Trojan-Ransom.Win32.Generic-2278b4445d6c307b1c489a36dc4876b390979c891588f741765d37d93af52f21.exe

    C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-742ffc85a18a899481c67d95d0e2bc7efed10a09a8ee08987ac03368db172e95.exe (depth 3, PID 12088)
      HEUR-Trojan-Ransom.Win32.Generic-742ffc85a18a899481c67d95d0e2bc7efed10a09a8ee08987ac03368db172e95.exe
C:\Windows\system32\vssvc.exe (depth 1, PID 3464)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3176)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1992 -ip 1992

C:\Windows\system32\wbem\wmic.exe (depth 1, PID 5392)
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process

C:\Windows\system32\wbem\wmic.exe (depth 1, PID 5408)
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\wmic.exe (depth 1, PID 5448)
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 8792)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2832 -ip 2832

C:\Windows\explorer.exe (depth 1, PID 29776)
  explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe (depth 1, PID 26136)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

  C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2, PID 29716)
    wmic SHADOWCOPY DELETE /nointeractive

  C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2, PID 12356)
    wmic SHADOWCOPY DELETE /nointeractive

  C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2, PID 9400)
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\svchost.exe (depth 1, PID 13988)
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 16968)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 14360)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe (depth 1, PID 16728)
  explorer.exe

C:\Windows\system32\wbem\wmic.exe (depth 1, PID 6668)
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process

C:\Windows\system32\wbem\wmic.exe (depth 1, PID 9684)
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process

C:\Windows\system32\wbem\wmic.exe (depth 1, PID 16896)
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 32296)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe (depth 1, PID 15444)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 9204)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 15848)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 29556)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 18988)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 24516)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 10624)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 23888)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 11864)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\rundll32.exe (depth 1, PID 10216)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\explorer.exe (depth 1, PID 6336)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 8392)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 5180)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\rundll32.exe (depth 1, PID 19244)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\explorer.exe (depth 1, PID 22028)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 21268)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 27104)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 31632)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 13228)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 32188)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 14444)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 15908)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 16276)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 25980)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 28588)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 25708)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 37836)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 38032)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 38148)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 39100)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 39280)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 39420)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 40460)
  explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 40752)
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 40884)
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe (depth 1, PID 41516)
  explorer.exe
Network
MITRE ATT&CK Enterprise v15
Execution
  System Services (1)
    Service Execution (1)
  Windows Management Instrumentation (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (4)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads

Filesize: 129B
MD5: a526b9e7c716b3489d8cc062fbce4005
SHA1: 2df502a944ff721241be20a9e449d2acd07e0312
SHA256: e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512: d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Filesize: 209KB
MD5: b982d99e3ca0b987a77189c01ac57d54
SHA1: dbdcd2b7ddc8e764fda7a28fa145e983f42ca66e
SHA256: 0e6c18e2f32d6c50a04a0c3b1675d968e83a7250f49629f1307ff8cd83938c30
SHA512: 0b0cb7450a294d57a00442047ede7beb3ade14a14b9e347d93c4587aa7b83d54932862d304793c534503ea356a46eb8cf0f6ff3d4afd4408b68c1d7b6a51db25

Filesize: 866B
MD5: 78a15c814df271551d3e0d882a7caae6
SHA1: 65a43e6eac21105afaf62f534bc066c8f460122d
SHA256: c5543d9ed561efd53666d18ce7e6fcc8bc500c8e90ee873aae1ea8615ca0405b
SHA512: 9cca3a336d30b324eeab100d87f812e5ff2459de1177f9b4fab7513b8f1de2d0d01521f01c539b497ee498a095a807c47ff816b775b3d8095f7d7fc673dba269

Filesize: 1.7MB
MD5: 1690518fa34e9db95dd083f72590dbae
SHA1: 955fabc673478aec7db1e5de8145a1eafe94a9bc
SHA256: 314db20b5b5a1692bcff789e8c1785fdb65b7cffc7912b53b17cc1c215076336
SHA512: 071eb1a9404854cf076f673880548ad952549111836e2f0ed3650b6e7807e282b75bd2ca9c74ce3fff7958f4cf64cccb7424a108d9ce47d4f6050f6786cfaea5

Filesize: 1.7MB
MD5: 1e4d134ae88f60d0d0e4252e159ecca1
SHA1: 46fecfadee49e5c7416bbe602a3bc92b774d81c1
SHA256: b0a962d2d989e47d7513ff68b2ec544b114626c62edcfbbe2e30e4f848f31b1b
SHA512: 047a65710d91d562442b8a94034439e0b3b60bbb8cd4d8debf5f09385d128566d7b069e17f76163a393b2a10b42927054b07420312ea5da36ac3e77cc5a331c1

Filesize: 1.7MB
MD5: e46a69aeacf106f03f7f4fb6b2d0270a
SHA1: d41a7ab6436ca07a0b7ba1b5c237a60413900745
SHA256: 9b37aa3552cc0190d67613396c38beb14397a88a69b6d66c2d0b73d8b13aec17
SHA512: 454565c2ebc1c9c8548f91529f77824b504171ec9af441ffbf990d7fad2950c59d5169cd3c78d77ff04ecfc8d82ee24bde276e39c35c48c56796ab3be85d5fcd

Filesize: 1.7MB
MD5: 050df8332d669a244a2aaa65283001b0
SHA1: 136685645a919d9ec4a99fc92fdd41880d35afe5
SHA256: acd35536058ba1044a6c83453ade422c456e2d4ffe1b043a3d29bb8fcb35e360
SHA512: 2a02d3db7ae2e63be60e2bb594a96567e0e46022dbde48535353aa7d9076b7067ca42cf38bcbf1ce51636387ac68e3ef86e95f24d466cd6d0007bb2fb9e9f789

Filesize: 1.7MB
MD5: e4a6f75ab2e7e832297b3badf9188b5a
SHA1: 0b01388fa39c0d74c708f31e221f14befe87c91a
SHA256: 0c2ae8f94feafd341ae93012e61651a7af7441fdf97ec9cd7b5fd5706110ee13
SHA512: 081bb2f7b3fe72480296ea5f9d47ace0a4c7d25a6a8019f4d92b75c578fdb1b84b640884705ae7d0a8de078b10f14afb8fa908c807a6c97c50993fbad5ac7b13

Filesize: 1.7MB
MD5: b72e54c7d0daf30ae432ab586b3355ba
SHA1: 9039f97a512fcbf995e96429da6e85d6b7d35d43
SHA256: 6b2eadd934f24fc5be0649b09cbdaf24ec0d3ebd0d58e38ef948d1c5e4bca608
SHA512: 0dee13da7ce81f727aa4e2c90c2de861800a9efe597ed910e6ba658589b8a1553a0172233bfeb0fdf8c7e8dd3e182dc4830b48752000695ff4b6ffe43f13d5ec

Filesize: 1.7MB
MD5: 2d6885cf032ba8e71b74df07820a9cbf
SHA1: b418440c37b67ebee4acd414253404adf3b8934b
SHA256: 8f67aa74cfe5a2b613a0a964d895a2587d34f399ae16691d42b1c97b04a64dfa
SHA512: dfa709c4b41f183074b9aa80b9a988c51e47dee50f27962e3b6bf2a417a382ba187f8ac1990d65cd8171d96c43370bc7673eec78ef09e859de4defb5206f6d16

Filesize: 1.7MB
MD5: 6553da596cecfca0deeab733aa61b3d2
SHA1: ce285c56d988befc7042199d720a6915e02061bf
SHA256: 2fda5fb97d2cc51852b905a5ab089d4035fa1505e8dddbcc3f86e2d0c0d469ef
SHA512: b0a0561a103a0a649c2becc11168248a83e60ac02141b7f30097737ea16ce8b8db3cfdd591fbcfab4c647b06335b41fcb6aa7c389a533682c958cbe55148dfe8

Filesize: 1.7MB
MD5: 2d7617a9b4f471ea3d6f3f33b0f908ac
SHA1: efea81c20f02109d2fdb16e65e3be0df5b2488de
SHA256: d03f0f2fcdc26e0e4cdccfefc83d4118c754f4b4cac1bf55eca40b822846e8e7
SHA512: 90a350cc0791db67e3a672344c32c024d3078f7b02c33a431bc30319d533cf3b0fbc9c0529626410b0db8b991389442a91d2ba6f4befdb7c0da0cc3241e185f2

Filesize: 1.7MB
MD5: f642259e36ad0f4ae382fb0fb0921258
SHA1: a78dc7f00ae27c1437200b9fb76be1a291303d68
SHA256: b7fbc0b11920b0091948ed1e77ef3a284dfc4ab8b0ea51b5b4eb37f25f1c7279
SHA512: dec44b43c4587d15eaa268732cb55ec790ed0f191cd969f3c867fce0c61ba456de7d5830c3314c328945912906a425ef23722e87f597a50aed16107b71786122

Filesize: 816B
MD5: 31722d5c1bb830a5fc281b72ec1887d6
SHA1: f595305fbc8832f7cda09045b508f0687d7b3752
SHA256: dc0ab4e1ac4ec0fa85702c90cf34c80627dada52f553b7294626992f2054c1dd
SHA512: 37fa6597e45c77d7b92ce536d93203b823ec63f0d1cdc57f9e9529983c6d9b14ee1f1aea59817372334fd4f8b003a2a737be2d92dd6dcbb3715a8c0f5aa0244b

Filesize: 3KB
MD5: c5e6a78c061e63ea695e12d4d4137ed0
SHA1: 5e027bcb329639aae46a089848a3281e925c797f
SHA256: db4a4d957350f18e5eb0bea136b485e082a67ec18335b49012510ff6c508ef01
SHA512: 832740bf3ec3e85acf8310c2508f22444343022be5fb94f9d748f74fae0fa8f6e84014f6d48437cb5c2c85df7eaf3ba437a11e3dd3ce3efae6f74905ba6162d0

Filesize: 64KB
MD5: d2fb266b97caff2086bf0fa74eddb6b2
SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Filesize: 4B
MD5: f49655f856acb8884cc0ace29216f511
SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Filesize: 944B
MD5: 6bd369f7c74a28194c991ed1404da30f
SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Filesize: 53KB
MD5: a26df49623eff12a70a93f649776dab7
SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P124P4F8\microsoft.windows[1].xml
Filesize: 97B
MD5: b01077afcc7309996bdc74624ad0b668
SHA1: 39a646c7252af9904880deb549a4b796ad018625
SHA256: 5cc33f0d7c169665e3cbe1e871be2adadb3a11f56a7852f2d3e9ae0b074c0d76
SHA512: b9c686fa01a921dcb418430e0e552ada9c830c71491e81225b06bac2a1488284b06710475dc8f41773860a3c20dd1e761a119b1e9351e4a797f71bf1ed6485fd

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize: 9KB
MD5: 4863907481fbee4da66e163e51ba8a06
SHA1: 7db2d5abd0f1a33c354db3d06d82ddc53de2312e
SHA256: ead1f57948a2eb4d8e752620edadb3f99aa7fd025a2df37ee570d6ae220ba845
SHA512: 0262e50badac0b5b9b2c556b37c36f29c9f56644855022b1ea07be7523fe6ff95d8fdd851caa8500f926cac0aeab208a0d677a1dd33888460aa768f41149b646

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize: 13KB
MD5: a5477e2c35780fa02259f147b85197af
SHA1: 8adb077471d1bf812fc923f36b6f4b8335cd235d
SHA256: 8f6bf5aa906f7e7fbfdb4fda63f1a8e96b7dc6974448cfcee274926c0f39d8a0
SHA512: 1f44fadff19a6d5e356e7a0e3fbd351854523b567204cb78bd76de8f75527e67b8b65334cf828caf3dc29ae1008acdf9a37d00c95d3ecf4a4d937f37d7908d72
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 11KB
MD5: 55a26d7800446f1373056064c64c3ce8
SHA1: 80256857e9a0a9c8897923b717f3435295a76002
SHA256: 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512: 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Filesize: 3KB
MD5: 99ee3f5b5461a108b708c38c2c1085e5
SHA1: 67cb7b75661de8667652b20a9a8a1d99e765d3be
SHA256: c677879f232cf49161d0db4a1e9448dbf337fe1fc379148b40870808297d3ce5
SHA512: a2d12e958f9f17067c9549a058cfe28d1e9d7e4dbe245868893f2a99258fbf54ade31f0ab877222cae046df03f6fdb565c86676c311836761c3c430c5fb52f15

Filesize: 3KB
MD5: 4600bcce644a99a68eef5fb61a592471
SHA1: a705de7066825a4d074ac8d9afdd54c63b263112
SHA256: 0a398f1291a2c4d1f188bf0f024f06bbaeabe82831abda5add1dd9a6b07443d5
SHA512: 11af86cea752c57823b67769c71c01ffae20cd62d2007a28a1d09941b6eab4cbff03ae5b21ac530a86f0cb3dae7482982dfb701397a5fb441c4a0e6d35d1d007

Filesize: 3KB
MD5: 14fcbaed4d74479effe6d6a9daf4c8e7
SHA1: 1a0aade5eb089a0d7a4ef096f1b0b79bd9ec3c65
SHA256: dea3bd1e13d8d851158964c1e27acd90414fb2bd2720b065e3622df90ca51d89
SHA512: 3decf9e268bff1e1c72cabaa4f5164363288986cf4a0bb380da22170bae877b2fcf72bb7b3edb28ec8711c0118fe8a08a2833f33dd0bab4939d416cf661bf066

Filesize: 3KB
MD5: a4f16b4688cb1d4636fafe203d309c18
SHA1: bb74f3305cb0cf2c9644602b89af1b5b0d520eab
SHA256: d16dc13412a378490aaa9788b65a5e261b44a7f286b07aac115624cc4d4737e3
SHA512: 33760d4486814c8611be641b22efe8458ba7d43971f30a8a507609c4a3979f5637d5c5dcc90dfc653f2cfc8f20aaa1375211c50ff90eef6b9ca461a72b65fac2
C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9.exe
Filesize: 4.6MB
MD5: c92fc0008625d3ae4fa141676a603ea8
SHA1: 744c2ea42461d865ca022c458f21db65fec0e8ab
SHA256: 5dc3085c70289a9a4a0699d883af744e8777d3b9bbe07de15e4087bcce71d3d9
SHA512: 2280d7058c2272d1942ce8d7406327460a8fcc2e7dc2819c94f0caa6d85767d1b0d3e5d502abe957391877fa142d24387d27023277cfb088b37f1c58047cd1ab

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda.exe
Filesize: 2.6MB
MD5: e5f20155b45d9b23b2a50de3a11a2f22
SHA1: 33bb37d7a2649c2ae0cf9e5140f35e31b0792baa
SHA256: aad75ec59572777b392ba7077214ebe44ef466daf9da40aaf31fe41c01da1cda
SHA512: cd19cb501fb44471b84937f8783cf3dca20087bdf16bfc41aa375808ba14fcb5e2a9690daa273e775d7c40dc7a27e1839294b1942bf4b9518405adedcd5c9b79

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf.exe
Filesize: 219KB
MD5: 31b04ddc50c5dd682537520ab71eb0ca
SHA1: ceb088dc7c9c4f79e1074a87cec34a010318af9e
SHA256: ea498e3356225b2ab45e3603b51ade4bc69d343491e877fb0ffb1caa792f33cf
SHA512: 9e16ba91730764d3ee0c6d9aa74a4812c2d442e4673339122fb90ea235bffcad8fcb0e59d1720728b86a125511720ec73ada986a26d1690328045d8292eaa8af

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Blocker.gen-faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c.exe
Filesize: 2.0MB
MD5: 1dd4d466023c4066e76e8633926091da
SHA1: 39f7e01e1dcd8bab130ef279a57b86b2ff990bda
SHA256: faef39f4139717896e34c46cf28fd526f051b5b1186a25bb95e5f7b50fbd625c
SHA512: d212c02be8e395029278b0c65a8e72ca34e410b727b1fe3cd05ce38953fcabdc81242946dbf43cb988f6b9946d4773ed0221611d31af7c75eb7424892fe915f9

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d.exe
Filesize: 89KB
MD5: 9ef43dd22fb681fe42507ac0c5a742e3
SHA1: 248ffeda9c1ca94d744f17a448c5fd602b7dc97d
SHA256: 84a236e359ee08b7bb04d02e39b7dc694952467db99c4a62d88b2d07ae51f46d
SHA512: 670adbcf0f8e69cc775cc777d9a9b2002e61f9bef11e5de05c2241fda9409e83e6102e700169f14a1da198ea298347033f2f2c2e06b735517e9008a577a3b258

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7.exe
Filesize: 1.1MB
MD5: 137b99d5d4617d3b7d95e3ca7253f0ca
SHA1: bcd46c016d0a439aa40d24196ac9c31fb3e882c4
SHA256: a6d06d59029ae1e3d5ad1a0ba88ce085d12ccc3c9606ce3e893410e5d613ead7
SHA512: 1432db38caebb53c2e2a3b2602b3d6d409c7a38153eff8579671483eaa91914bae3bb9a49e0e63c54c3fa67358b49b5628e3dbc7e5528906ea2f6fe156c17f84

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Encoder.gen-f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9.exe
Filesize: 186KB
MD5: 077dc2448eaff618f08269f80e5a98f3
SHA1: cc3d143f9509f4c0d36f56bc3a4a98f1e17c1853
SHA256: f08cae71c4b597696cbc429069d295dda01963a82a8727e4f65e585048cf1fa9
SHA512: c35376a37cb3f82c78f9a7350e3a81ae6fea0260f214af92f86ed247973734a72b6003e3cbda243539b78cf424f99a71aceff4fbcdbdd3c1db91fa55aeaca9e3

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Foreign.gen-ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077.exe
Filesize: 9.2MB
MD5: eae4474c646b0f3feecd690cfad0a46c
SHA1: 3e8f4e99808e0761cc8f31c535492dc7c82661c2
SHA256: ee0bdedcc1c0395fb52a3de9d7173ea0a662dd41bf8e41daf049d588041f8077
SHA512: 57ad0c86100e21d404f77d75ecb5d3454f478aaa3bc486779c338f95fb89e89abb3f94f6ed01d588a90f1177cdc593dab653b8a029166d69dca81a90ed674d97

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Gen.gen-6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f.exe
Filesize: 171KB
MD5: d3d0035a769e6ef98b1433160b2c8333
SHA1: be1d0aed32308166721d4756e2216dc44c2d0baa
SHA256: 6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f
SHA512: b86b1ab9ad2c4c851c8712d0e49321cd3f9671815592bd4228664d236093cbb904f091dc7ad60815a56da5f9face2ce11fbd84790afca4d480ae17fa76dcb229

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.MSIL.Thanos.gen-5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19.exe
Filesize: 124KB
MD5: ef8f64e484ef31030ffbf2f03a71ddeb
SHA1: b3a7ebf8df8cd174c711bc57de25dfa8e096246d
SHA256: 5c66963cf7d417ffe475afdf18906df5c6dcd8dbbb1462918f197323dabb6f19
SHA512: ccf7d1c6f93d9d139ed4d419fcfe55cdc931fc7236d0a6920c15d638afd095e8a65b7cf720430d81a07a04a0b61e51d9f78b589b28597215656ada1d61b031a3

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193.exe
Filesize: 896KB
MD5: d68bab79bd15f2bab8cb4b0dc754078e
SHA1: 0f9c22610f734cd2e1f6d697339e992fe2515cbf
SHA256: 0cbd9125a37a68103a23be71c0e38c596ee82e57466aef945688ab5b8bcfa193
SHA512: dfbe98700c951a255261384c099dc2417d7f171544ae0fa72a6e35c21d65e00b31eb9f530e1a2f1fa46dbb2b50a5ee70c8d516fce5f6ce875129b9a1f8bebb71

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Agent.gen-5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f.exe
Filesize: 1.3MB
MD5: 7bedd0c5e4d5c7a6f5ad69898598b526
SHA1: c0263f12b942d370260cf23eddcbd34abaf8b08e
SHA256: 5f156e7a8c86f7760b4448e314394c8e6e98cad8e385ec32a047c5b86ead953f
SHA512: 68e4e99155bc17e72b04ce5af4a6b86eab66ef6efae138dcdea420e93b2ccd3a01e5c1dfea278d37a0e6426c656fe5cacd008b983b24740595c647260808fc29

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.CryFile.gen-8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac.exe
Filesize: 400KB
MD5: 724709fe112bfd162e0faece458a393a
SHA1: b04ef2a413ef4558c1a65e2148b0c5bff97a9052
SHA256: 8f12f1493f2d3a5eafbe712c8983e68bfa464f74c93c7e49f9cdd54f5d38cdac
SHA512: 6e2d821ff7f46bb87b1e64fbcf87067f1436aeb63814de9245231b183a0678a37392062a2db1e1bab8c6f0802edb01f3a499e5babf57c7788e6cc60cd42a12e8

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c.exe
Filesize: 1.7MB
MD5: 1e2822fc3ab38f1823be6f44cc4d32ef
SHA1: 9514cbe4c8859e906fa7c700117f21b19c09cc2f
SHA256: c33768e6f45b4cd85028c17c46ba3d32d368960eb9faf46cb14296e604b9657c
SHA512: d8b1b22a3463ea5dcbc0126f71a1c845a30be248f804b199df67989ba42001590698f339074cb3f2f444e07713185e04c2c43ed4da5478df56c880b561ab5d98

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Cryptor.gen-8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230.exe
Filesize: 191KB
MD5: 7b729dd2b94eea3331db75581e40f9a8
SHA1: 33b2c1cee2d77323a6689a2ce353ce31b03fe4b9
SHA256: 8e898a713e2459a51b25a71e0c286ccd8920a9a73bbecc3813ddd68e9a49a230
SHA512: d48aa58844767f469ffa56af7b2b8e956956cbe21b5b5c939d462bd27c08900466f083d2c76a1e3c370473f8c43d0b37f42c95c2786abc484444e0393eff41c1

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0.exe
Filesize: 328KB
MD5: d85643300b7b9e82a4eaec9b27b1d444
SHA1: 263bff7e0f9279314e974f4a0e82ebf0f6fcddbd
SHA256: 63fe9928f5d9db10a251c4381f790eaca70ccd820a1bea7d14dd2f52272873d0
SHA512: 7c221e4bc3926f994129a86466cf3ed11ffd0a6e048e4f2bcb155a10d27e3ce6173e0a7fa070e62603643cc232e0e510bc7287472f68acb71b570edb17efa236

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Gen.gen-da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb.exe
Filesize: 105KB
MD5: 1ac059a4890e421a3953484b4694bfb3
SHA1: a1d7833fe32b5bc55b5296292543a3506f015731
SHA256: da679f425bb682ca18e28590a879620c48f993aee1955ebfb0acfd350b2278eb
SHA512: 31eb86b4f49dc025cf4074aefd3426f4d29ab1347ded42cb0bd8eaf08c0d80fc9070ca23bba390b5a93d305174bbd81794be910ee0398dd34a285acb8a97df3e

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Filesize: 775KB
MD5: 0b486fe0503524cfe4726a4022fa6a68
SHA1: 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256: 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512: f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-192755b8ee32be12341e15433c980e62f83a6af8c0c7003afc0e81a378e7ae97.exe
Filesize: 379KB
MD5: 5cdbfe533a3dec1c10a7df26bbe3526e
SHA1: 9688611c83c5e8d3d80380e144d456fd9cd3b35d
SHA256: 192755b8ee32be12341e15433c980e62f83a6af8c0c7003afc0e81a378e7ae97
SHA512: 2fb24c94545904959ffe953caf0edb6e9301978225c511928452dff9054759f300ef5a8dc911d95c766331680f1ac9a1484c430e2015229159e1b2ba1b19cca3

C:\Users\Admin\Desktop\00441\HEUR-Trojan-Ransom.Win32.Generic-1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0.exe
Filesize: 1.1MB
MD5: 4574e6057b1a245c5c0efd98447e06ad
SHA1: d348160819be98d0f931216dfd1481ec4d1b4814
SHA256: 1d457781b4fa198714bb0c9c52b1d67605410ae9faf03aa9360970c34a8e07a0
SHA512: 8eb81da534a90afba9ac4a36a5e55f80b25b6e793555bbff14e4f71ee1f5f15e421becde6f7fbf34154800eef2e6b17f5e2cb40e83e03812c1eef509b3cf2b3c
Filesize: 675KB
MD5: ae4f7175954afe71c8ff5cd986a3ae99
SHA1: 7cf5799d185ce5e41e9ee7aec80b985128be2870
SHA256: c3f8706ea22734a622bb1a2d048231e589c18818234038fd4011f5d9028e8b22
SHA512: 9e2750eb37a940e5f22283ae8cbea974092af4131f296355f11499691b8f60998340e1d6bc078ffba5580c2152e5c097b3260602d6724ce76696987be7e042fc

Filesize: 1.7MB
MD5: 3be9094c4cd53a399ba45b421a0a5176
SHA1: 5d7c265c043d56de16756d65adf427f8a544f463
SHA256: 57d2b9230eaa6f3f5ba61fce9b10031508d8283f70ace389df13959c2f955191
SHA512: 60316e73cf8aae2fb5e93d9c921c1806963fb6af8b2e6ffbf72aaf15ff134aa8cd7abe7501573c2df8ade0b29d3758bf1d4fcb7e01dcb321541430b036e465df

Filesize: 3KB
MD5: 5e4f95337446ea40c9fa47d2e4d4fc59
SHA1: 313d3a583b9c6ba4ac637e5cf2a5d74e17366330
SHA256: b6aa92b921cb8189deea3f784d4b687abf414ea56ca805db41490d833783f00c
SHA512: 732f1fd08409757eef140b342e8d8dbf7f880ac447b4f12a3d1b2c5f0e4d69bb57d0fbbb25ef6093dcad0cf2fc9de867ec9c46841644f606d4770c93aecf5540

Filesize: 3KB
MD5: 6f147c8d652075ce1ed1d2c8c2c8209e
SHA1: 41150340358d56608e1a3c115168f5d617595cde
SHA256: 7ffcbf2ad55e3819b08b693fb717ab05df0f667b01921c8e8d99b0c908db3b1c
SHA512: a67f9435f94206ddfb47e04fd17543aaac816b4d226586d13e61f36c4f38fb249f8c105eb04ac6f2e85cbe37f70f98cef995d5f9b24693a474f8fdf0a640d7a1

Filesize: 3KB
MD5: a0e6f4d32911df133341a3e073eb5bf0
SHA1: 0a887717defaabd855e0f5ca3a7533de367dab40
SHA256: 7d5219d5808b9a3f3f245e210a2a6be0c4c43c6a425b499b0256f2fc5efc1c11
SHA512: 5a7deb5b1628ce1b5f355afd44be4ebc198c269868bfe2799c3ef994041dd3a8e37f3133d55a7c6d810172d8885698c9a691af9e3a7ab33576f38b1571e76116

Filesize: 3KB
MD5: b65fda5bc6504178513b9d9fff6340b5
SHA1: 2f33f5245d2eec14248295c698de424fe3d6d463
SHA256: a4bc79f36fd5c16b5539cb7fad64cf104e26b02e0bed03364279954dbed77969
SHA512: 7092c6b25ba1f62a750b23e6cc67ac22cf5732b5d96a55b7595705428eb9197c12ab5704f481039c8172624e5b57e5cec406104180a09094c83ac3137fb53b0e

Filesize: 3KB
MD5: caa137dc5bed1051b2f808e9778f1437
SHA1: b12c5954be01bab3152404d457c7576147d90441
SHA256: 4c0afcbc58b3bd8cd98b01cc9542c99f9e4d7a48ed3736582b4cf1bbae4be05b
SHA512: ce49d96572efb42c90d57897bec09ffa16a57eb5a4a6ebb5b642b50f0dbb04fd47dbff2480f9bc8b9b009d205c1ecddf75ed472d11ad9d8d6f1c6ee22acc479c

Filesize: 945KB
MD5: 1823ce7b09540b78965be2d95e5daa3f
SHA1: 9dd4a69e5e33d42173c28d9c54cb2bdb4fcc057a
SHA256: dcd514e4f0f9b2f3180af6b64e23773d1bd10ace2f44b48a47955a3c776ebf8c
SHA512: 9ac859a069d8c566013ce9b1fe21b85211c8ff50e5916fbafcaaddfe71a8b32d26145cb985e2e43a97ce079ffa8791c75f6a87fd9c50785468f859fa2c32a042

Filesize: 10KB
MD5: 1b12eb93551e76e5a7b5462fd4ab864c
SHA1: 72b48483621c28235827bd2db33470b5d2e84eb4
SHA256: dc41ac82532281ee64cb203124625b8bec2cf91656cec977d1b06ca4b1c19232
SHA512: 886e8649584f2774e6019f04015f183d97abaf49e663f59eb34df761fe19d1c136301b8f7153e1c007c1c0aa9a150451207562e71ee5044ae22e48a334bfeb49

Filesize: 15KB
MD5: 85089bffd58868eca802c7bd2a206702
SHA1: a5d5adf076ae6d2d3ed5f35b870fac49a2102650
SHA256: 5fd57471ca1d27a487491d8b1ba1c7fc9595b3376bc73240d4cb511887bf1045
SHA512: 9fce6259eafc55cf77bfecf60ac100cd72cc29657cdb5bc80fe5286b57081bb8c28a48a4f95fb8bcd7b52be2776c8908d2222e0b61db7d4ac7c97f6fce3be6a0

Filesize: 1.0MB
MD5: 8434cfac04cf2847f375c4311584c2b8
SHA1: 78bd3f551e56bc217057038c636bae049b27f50f
SHA256: cd41d26d5242976decd58fd811ee406443a2cbf8a411799e95a215ddbeeea66d
SHA512: df15702180a1dd18094307b4361744eede77edcf20ee46cb13753e9f7a6720783188f35792d3df78389e24a244bffba5bad52d8a8a1ba20a2dbb05712aa7016b

Filesize: 15KB
MD5: 24b108b252cf4dd71a7574b64ac6802f
SHA1: adfce4f8601c4317aff455d8e366d7fa3b52e23c
SHA256: cca9e8d66265506e01510b9173badf65c848d9056c0da0fb5f7cbaa2dba0450c
SHA512: b7e35cbf450c60ba3208c2ee29c479e667e9123a77bc2ece724561dc2fbb37d9cd72bf89b2909d2304cb08f318be422020fc270479a3d8b4a2e779bbe5ed0615

Filesize: 14KB
MD5: 4566eddb399dfeab1b4f6872121fea22
SHA1: 1bdcbce942a068dc330f8efedcc98369c1b4977a
SHA256: 03b036c419f969c6f6547e355332f9b677812f98f6cd87fcd2a148734b5093b1
SHA512: f54a2fd38211e23cd791534525fd1adc599df8d6fb7c754ac32ca2a041f0e178f2551163bab50c106816bf2413f52c0109120ad2d28f4f0368d3951e545800d0